Data Protection Weekly 15/2024

Apr 23, 2024

CEDPO

CEDPO Survey 2024: Attention DPOs & teams across the EU/EEA!

CEDPO is launching its DPO survey next Monday, a survey designed by “DPOs for DPOs”. Your insights are invaluable, and it’s time to make your voice heard! Speak freely with anonymised participation: just 30 minutes of your time can contribute to a significant impact on our profession. Your participation not only contributes to a detailed snapshot of the current landscape but will help elevate the profession and ensure that our concerns and ideas resonate at the highest level. Mark your calendar for 29 April 2024 and help shape the future of European data protection!

AI Working group: Micro-insights series inaugural paper

The CEDPO AI and Data Working Group has launched its “Micro-Insights” series, aimed at equipping data protection practitioners with short, accessible papers on the intersection of data and artificial intelligence. The first release, “What’s a FLOP? How General-Purpose AI Models are Regulated under the AI Act” by Jared Browne and Dr Maria Moloney, explores the regulatory frameworks set by the AI Act for general purpose AI systems. This initiative seeks to provide clear, impactful insights into significant topics, preparing practitioners for the evolving regulatory landscape. You can download the paper here.

European Union

EDPB: Opinion criticises ‘consent or pay’ models used by large online platforms

The European Data Protection Board (EDPB) issued an Opinion criticising ‘consent or pay’ models used by large online platforms for behavioural advertising. This stance came after a joint request from Dutch, Norwegian, and Hamburg Data Protection Authorities under Art. 64(2) GDPR. The EDPB argued that these models often do not offer genuine choice, as users must either agree to extensive data processing or pay to access services. This setup, they noted, likely fails to meet the GDPR’s strict requirements for free and informed consent. The EDPB urged that alternatives not requiring payment or minimal data processing should be developed to ensure compliance. They emphasised that the mere act of obtaining consent does not free controllers from their obligations under GDPR principles, including data minimisation and fairness. The EDPB plans to further develop guidelines and engage with stakeholders on this issue. You can read the press release here and download the full Opinion here.

EDPB: Strategic priorities for 2024-2027 and new DPF redress mechanisms detailed

The European Data Protection Board (EDPB) has unveiled its strategic framework for 2024-2027, centered on four pillars: enhancing harmonisation and promoting compliance, reinforcing a common enforcement culture, safeguarding data protection in the digital and cross-regulatory landscape, and contributing to the global data protection dialogue. The strategy also addresses challenges posed by new digital regulations like the Digital Markets Act (DMA) and Digital Services Act (DSA), aiming to integrate data protection within these frameworks. Additionally, the EDPB has introduced measures to facilitate the implementation of the EU-US Data Privacy Framework’s (DPF) redress mechanisms, involving a public information note and template complaint forms to handle complaints by EU individuals regarding data transferred for national security or commercial purposes since 10 July 2023. You can read the press release here and download the full Strategy here.

ENISA: 2nd EU cybersecurity policy conference highlights future strategies

On 17 April, the European Union Agency for Cybersecurity (ENISA), the European Commission, and the Belgian presidency of the Council of the European Union organised the 2nd EU Cybersecurity Policy Conference. The gathering served as a platform for EU policymakers and cybersecurity stakeholders to discuss the implementation and future of EU cybersecurity policy. Mathieu Michel, Belgian State Secretary for Digitalisation, emphasised the critical role of cybersecurity in safeguarding Europe’s digital and economic development. The discussions focused on the implementation of recent EU cybersecurity policies, the deployment of Active Cyber Protection measures, and the certification of digital products and services. The conference also addressed the integration of the NIS2 Directive into critical infrastructure and the need for greater synergy between defence and civilian cybersecurity sectors. You can read the full article here.

National Authorities

Germany: Louisa Specht-Riemenschneider to be the new Federal commissioner

Louisa Specht-Riemenschneider, currently a professor at the University of Bonn specialising in civil law, information, and data law, has been appointed as the new Federal Commissioner for Data Protection and Freedom of Information (BfDI) in Germany. This decision was endorsed by the “traffic light” coalition of SPD, FDP, and Greens, as confirmed by the FDP parliamentary group. Specht-Riemenschneider, who is not affiliated with any political party, will in July replace Ulrich Kelber, who has been in office since 2019. FDP spokesperson Maximilian Funke-Kaiser commended her as a renowned expert in data protection and legal IT, poised to infuse innovative approaches in data protection and usage. You can read the full article here (in German).

Netherlands: AP highlights privacy risks in the workplace and social security

The Dutch data protection authority (AP) has outlined emerging privacy risks within the labour market and social security sectors, particularly involving the use of algorithms and artificial intelligence (AI). The AP’s recent report, “Sectorbeeld Arbeid en Sociale Zekerheid,” indicates a widespread increase in the monitoring of employees by employers using these technologies, including surveillance through cameras, sensors, and substance testing. Government agencies are also increasingly deploying algorithms and AI to detect benefits fraud. The AP advises organisations to ensure robust roles for data protection officers, as mandated by the Dutch privacy law (AVG), and highlights the critical regulatory role of works councils in decisions about personal data processing. The report also notes that while such monitoring aims to create safer workplaces or prevent benefit errors, it must not compromise individual privacy. You can read the press release here (in Dutch).

Spain: AEPD shares tips on creating strong passwords

In a recent blogpost, the Spanish data protection authority (AEPD) reminded users of the importance of strong passwords to protect their privacy and security. Despite the repetitive nature of creating passwords, dedicating time to this task is crucial given the risks of unauthorised access. Common and overly simple passwords continue to be a significant issue, as evidenced by the frequent use of weak passwords like “123456” or “password”. The AEPD recommends using a mix of upper and lower case letters, numbers, and special characters, and advises against the use of personal information that could be easily guessed. Additional tips include avoiding common patterns, not reusing passwords across different sites, and updating passwords periodically to enhance security. For ease, the National Institute of Cybersecurity (INCIBE) provides a useful formula for password creation available on their website. You can read the blogpost here (in Spanish).
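The checks the AEPD post describes can be turned into a password policy that a sign-up form or password manager evaluates before accepting a password. The Python below is an added example written for this newsletter, not code from the AEPD or INCIBE: it flags passwords that are on a common-password list, that miss a character class, that contain the user’s own details, that follow obvious patterns (runs such as “abcd” or “1111”), or that the user has used before. The minimum length of 12, the blocklist entries beyond “123456” and “password”, and the sample personal details are assumptions chosen for illustration.

```python
import re
from typing import List, Sequence

# Constructed blocklist: "123456" and "password" are the examples named in the
# AEPD post; the remaining entries are illustrative, not from the post.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678",
                    "111111", "abc123", "contraseña"}

# Assumed policy threshold; the AEPD post does not prescribe a length.
MIN_LENGTH = 12

SEQUENTIAL_MSG = "sequential characters (e.g. 'abcd' or '4321')"
REPEATED_MSG = "repeated characters (e.g. 'aaa' or '111')"


def _has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 in code point."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_repeated_run(pw: str, run: int = 3) -> bool:
    """True if the same character appears `run` or more times in a row."""
    return re.search(r"(.)\1{" + str(run - 1) + r",}", pw) is not None


def password_issues(pw: str,
                    personal_info: Sequence[str] = (),
                    previously_used: Sequence[str] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes.

    `personal_info` holds strings the user supplied elsewhere (name, birth year, ...)
    that must not appear in the password. `previously_used` is the user's password
    history; a real system would compare salted hashes rather than plaintext.
    """
    issues: List[str] = []

    if len(pw) < MIN_LENGTH:
        issues.append(f"too short (fewer than {MIN_LENGTH} characters)")

    if pw.lower() in COMMON_PASSWORDS:
        issues.append("common password")

    # Mix of upper case, lower case, digits and special characters.
    classes = {
        "lowercase": re.search(r"[a-z]", pw),
        "uppercase": re.search(r"[A-Z]", pw),
        "digit": re.search(r"\d", pw),
        "special": re.search(r"[^A-Za-z0-9]", pw),
    }
    missing = [name for name, found in classes.items() if found is None]
    if missing:
        issues.append("missing character classes: " + ", ".join(missing))

    # Easily guessed personal information (case-insensitive substring match).
    for item in personal_info:
        if len(item) >= 3 and item.lower() in pw.lower():
            issues.append(f"contains personal information: {item!r}")

    if _has_sequential_run(pw):
        issues.append(SEQUENTIAL_MSG)
    if _has_repeated_run(pw):
        issues.append(REPEATED_MSG)

    if pw in previously_used:
        issues.append("reused password")

    return issues


def is_strong(pw: str, **kwargs) -> bool:
    """Convenience wrapper: True when password_issues() reports nothing."""
    return not password_issues(pw, **kwargs)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate in ("123456", "MariaLopez2024!", "Tr4v3l!ing-Cam3l"):
        print(candidate, "->", password_issues(candidate, personal_info=["Maria", "Lopez"]) or "OK")
```

Each violation is reported separately so the user sees everything to fix at once rather than one problem per attempt; the sequential and repeated checks are what catch the “common patterns” the post warns about, which a pure character-class rule would let through.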

Netherlands: AP expresses concerns over tracking traffic lights

The Dutch data protection authority (AP) has expressed concerns about traffic lights that interact with mobile phones to track and collect extensive personal data from road users. These ‘tracking traffic lights’ are used to measure traffic flow similarly to induction loops in roads, but unlike these loops, they collect personal data, raising significant privacy concerns. The AP has repeatedly urged the Ministry of Infrastructure and Water Management (IenW) to ensure that the design and use of these lights comply with the General Data Protection Regulation (GDPR). They have requested a thorough investigation into the privacy risks associated with these lights, particularly as they enable road managers to monitor road users’ complete journeys without their knowledge. The AP’s warnings, reiterated since 2021, emphasise the need for clear data-sharing practices and accountability before data collection begins. You can read the press release here (in Dutch).

Netherlands: AP advises against government use of Facebook

The Dutch data protection authority (AP) has recommended that government agencies refrain from using Facebook if there is uncertainty about how the personal data of page visitors is handled. This advice, directed to the Ministry of the Interior and Kingdom Relations (BZK), follows a 2021 ministry review which failed to clarify Facebook’s use of such data. Concerns were raised by the State Secretary for Digital Affairs about compliance with privacy laws, particularly given the sensitivity of data involving children and youth who are considered vulnerable online. The AP’s guidance highlights the importance of transparency in data handling by government bodies to maintain public trust. You can read the press release here (in Dutch).

UK: ICO publishes guidance to improve transparency in health and social care

The UK data protection authority (ICO) has released new guidance targeting health and social care sectors to improve transparency about the use of personal data. This guidance aims to clarify how these organisations should inform individuals about the handling of their sensitive health information, ensuring compliance with data protection laws. It highlights the necessity for clarity to foster public trust and facilitate the integration of new technologies in health services. The ICO’s initiative is intended to supplement existing guidance on transparency and the right to information. You can read the press release here and the full guidance here.

Sanctions

Czechia: UOOU fines Avast CZK 351 million for GDPR violations

The Czech data protection authority (UOOU) has imposed a fine of CZK 351 million (equivalent to €13,887,000) on Avast Software s.r.o. for the unauthorised processing of personal data of users of its antivirus software and related browser extensions. This breach occurred during parts of 2019 when Avast passed on data of approximately 100 million users to Jumpshot, Inc. This data, mainly pseudonymised internet browsing history linked to unique identifiers, was purportedly used for consumer behaviour analysis by marketers. However, it was demonstrated that the data were not truly anonymised and could lead to re-identification of the individuals. Avast’s claim of employing robust anonymisation techniques was thus proven inaccurate, and the processing purposes extended beyond mere statistical analysis. The fine reflects the seriousness of the privacy violations by a company known for its cybersecurity expertise. You can read the press release here (in Czech).

Greece: HDPA issues administrative fine and GDPR compliance order to Ministry of Migration and Asylum

The Greek Ministry of Migration and Asylum has been fined €175,000 by the Hellenic data protection authority (HDPA) for failing to carry out adequate data protection impact assessments and for poor cooperation with the authority regarding the “Centaur” and “Hyperion” programmes. These systems, used for managing security in facilities housing third-country nationals, were scrutinised following alerts from the European Parliament and civil society requests. The investigation revealed that the ministry’s efforts fell short of GDPR standards, particularly in the handling of biometric data. Consequently, the HDPA has also issued a three-month compliance order to rectify these deficiencies. This case highlights the critical need for comprehensive impact assessments and cooperation with supervisory bodies in the deployment of surveillance technologies. You can read the press release here.