Data Protection Weekly 16/2023

Apr 20, 2023

 European Union

EDPB: Presentation of 2022 annual activity report

On April 17, 2023, the European Data Protection Board (EDPB) presented its 2022 Annual Activity Report. The report summarizes the EDPB’s work in the past year, including results of a guidance review among stakeholders, and for the first time, a thematic digest featuring examples of final One-Stop-Shop decisions. Andrea Jelinek, Chair of the EDPB, highlighted the EDPB’s evolving role since 2018, stating it has become an influential player in the European Economic Area (EEA) digital economy, helping shape Europe’s digital future and ensuring consistent application of data protection laws across the EEA. You can read the press release here and the full report here.

EDPB: Task Force releases report on noyb data transfer complaints

The EEA Data Protection Authorities (DPAs) have published a report detailing the outcomes of the task force established to investigate the 101 complaints filed by NGO noyb following the CJEU Schrems II judgment. The task force, created in September 2020, aimed to promote a consistent approach in handling these complaints related to the deployment of “Google Analytics” and “Facebook Business Tools” on websites and the subsequent processing of personal data transfers to the U.S. Several DPAs have ordered website operators to comply with Chapter V of the GDPR, and if necessary, to stop the transfer in question. The positions expressed in the report do not represent the EDPB’s position, and they do not prejudge the analysis that each DPA will conduct for each complaint and tool concerned. The full report is available here.

EDPB: Adoption of final version of Guidelines on data subject rights – right of access

The European Data Protection Board (EDPB) has adopted the final version of the Guidelines on data subject rights – right of access, following a public consultation. The Guidelines provide more precise guidance on implementing the right of access in different situations, addressing aspects such as the scope, the information controllers must provide to data subjects, the format of access requests, modalities for providing access, and the concept of manifestly unfounded or excessive requests. After the public consultation, the Guidelines were updated to include further clarifications on various aspects and minor editorial adjustments for consistency. You can read the full guidelines here.

EDPB: Adoption of updated Guidelines on lead supervisory authority and data breach notification

The European Data Protection Board (EDPB) has adopted the final versions of the updates for Guidelines on identifying a controller or processor’s lead supervisory authority and Guidelines on data breach notification. Both updates concern the Art. 29 Working Party Guidelines on the same subjects, with public consultation focusing on the updated paragraphs. Following the public consultation, some feedback was incorporated into the updated data breach notification guidelines. The new version clarifies that the controller is responsible for notification, and the EDPB addresses concerns about operational issues when notifying multiple data protection authorities (DPAs). While the GDPR does not provide a one-stop-shop for controllers not established within the EEA, the EDPB will publish a contact list for data breach notification with relevant links and accepted languages for all EEA DPAs on its website to facilitate the process. Guidelines are available here and here.

European Commission: Inauguration of the European Centre for Algorithmic Transparency

The European Centre for Algorithmic Transparency (ECAT) was inaugurated by the Commission’s Joint Research Centre on April 18, in Seville, Spain. The event brought together representatives from EU institutions, academia, civil society, and industry to discuss the challenges and societal importance of oversight of algorithmic system. The ECAT will provide the Commission with in-house technical and scientific expertise to ensure that algorithmic systems used by very large online platforms and search engines comply with the risk management, mitigation, and transparency requirements of the Digital Services Act. The interdisciplinary team, including data scientists, AI experts, social scientists, and legal experts, will assess the functioning of these systems and propose best practices to mitigate their impact. You can read the press release here.

European Commission: Adoption of the proposed EU Cyber Solidarity Act by the Commission

On April 18, 2023, the European Commission proposed the EU Cyber Solidarity Act to enhance cybersecurity capacities. The Cyber Solidarity Act will help ensure a safe digital landscape for citizens and businesses, protect critical entities and essential services, and strengthen existing cooperation mechanisms. The Commission also presented the Cybersecurity Skills Academy as part of the 2023 European Year of Skills. The academy will consolidate existing initiatives promoting cybersecurity skills through an online platform, increasing their visibility and the number of skilled professionals in the EU. Additionally, the Commission proposed a targeted amendment to the Cybersecurity Act, enabling future adoption of European certification schemes for managed security services. Commissioner Thierry Breton stated the Cyber Solidarity Act marks a critical milestone towards a European cyber shield. You can read the press release here.

National Authorities

UK: ICO issues reprimands against Surrey and Sussex police for recording phone calls without consent

The Information Commissioner’s Office (ICO) has issued a reprimand to both Surrey Police and Sussex Police for using an app that recorded over 200,000 phone conversations without the knowledge of the participants. The ICO found that the app unlawfully captured personal data and that the processing of some data was unfair and unlawful. Initially intended for a small number of specific officers in 2016, the app was made available to all staff, and 1,015 staff members downloaded it. The ICO applied its revised public sector approach, issuing a formal reprimand to each police force instead of a £1 million fine. This approach aims to minimize the impact on public services while encouraging greater data protection compliance. You can read the full article here.

Spain: AEPD publishes guidelines to help public administrations for DPIAs in regulatory projects

The Spanish Data Protection Agency (AEPD) has published guidelines to help public administrations consider the need for Data Protection Impact Assessments (DPIAs) from the design phase of regulatory development. The guidelines are aimed at public administration that promote regulatory projects involving the processing of personal data. The document analyses the preliminary requirements to determine whether a DPIA is needed, how it should be carried out, and what aspects should be taken into account to assess its quality. The AEPD emphasises that the existence of risks to individuals’ rights does not mean that a measure cannot be proposed, but that it must be designed in such a way that it passes the DPIA, i.e. the risks have been adequately mitigated, and the analysis of necessity and proportionality has been passed. Additionally, initiatives involving artificial intelligence, automated decisions, biometrics, mass surveillance, large-scale centralization, massive data processing, and data on minors or vulnerable people may pose additional risks that should be considered in the DPIA. You can find the full guidelines (in Spanish) here. 

Ireland: DPC publishes guides on children’s data protection rights

The Data Protection Commission (DPC) has released four short guides for parents on children’s data protection rights under the GDPR. These guides aim to help parents understand their children’s rights and address questions that may arise in situations where these rights apply. These guides are part of a broader effort to promote the protection of children’s personal data, which is a significant priority for the DPC. As part of this initiative, the DPC has also published their ‘Fundamentals’ guidance, which provides advice to organisations on how to appropriately protect children’s personal data when processing it. These resources align with the DPC’s broader regulatory strategy for 2022-2027, which emphasizes the importance of safeguarding children’s personal data. The guides cover the following topics:

  • My child’s data protection rights – the basics
  • Children’s data and parental consent
  • Protecting my child’s data
  • Are there any limits on my child’s data protection rights?

The DPC hopes these guides will be useful for parents, guardians, educators, and anyone interested in children’s online safety and wellbeing. The guides are available here.


UK: Parliament debates new data protection bill

The UK Parliament has debated the Data Protection and Digital Information Bill, which aims to address everyday problems for the public by reducing cookie pop-ups, cracking down on nuisance calls with increased fines, and improving trust in data handling. The bill is expected to contribute £4.7 billion to the UK economy over ten years. It seeks to maintain high data protection standards while providing organisations with greater flexibility to protect personal data. Fines for nuisance calls and texts will increase from £500,000 to either £17.5 million or up to four percent of global turnover, depending on which is greater. The bill also aims to modernise the Information Commissioner’s Office and ensure data adequacy with the European Union’s General Data Protection Regulation (GDPR). You can read the full press release here.


Italy: Garante fines digital marketing company for misuse of personal data

Garante has fined a digital marketing company €300,000 for illegally processing personal data for marketing purposes. The company sent promotional messages via SMS, email, and automated calls to users in its database on behalf of its clients. The database consisted of data collected directly from the company’s online portals and personal information purchased from data brokers. The authority found that the company used “dark patterns” on some of its portals, employing potentially deceptive interfaces and techniques to encourage users to consent to data processing for marketing purposes and for sharing data with third parties. The company was unable to demonstrate user consent for promotional messages in some cases and was found to have violated other rules. Considering the corrective measures taken, the authority issued a warning to the company and prohibited some data processing activities, along with imposing the fine. The company settled the dispute by paying half the fine amount. You can read the press release (in Italian) here.

UK: ICO fines recruitment firm £130,000 for sending 107 million spam emails

The Information Commissioner’s Office (ICO) has fined Join The Triboo Limited £130,000 for sending 107 million spam emails to 437,324 jobseekers between August 2019 and August 2020. On average, each individual received 244 unsolicited emails during that year, violating the Privacy and Electronic Communications Regulations 2003, which prohibits direct marketing without consent. Join The Triboo Limited, which operates job search websites, sourced data for its spam email campaign from four of its job advertisement websites. You can read the press release here and the full decision here.

Netherland: The Dutch Data Protection Authority fines the Social Insurance Bank €150,000 for insufficient identity verification

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) fined the Social Insurance Bank (Sociale Verzekeringsbank, SVB) €150,000 for insufficient identity verification at its telephone helpdesk. This put clients receiving state pensions at risk of unauthorized disclosure of sensitive information. The AP’s investigation followed a 2019 incident where an SVB client’s data was accessed by an unauthorized individual through the telephone helpdesk. The identity verification system was found inadequate, with control questions often easily discoverable by outsiders. The violations lasted from May 2018 to May 2022. SVB has since improved its telephone services, implementing clearer instructions for verifying caller identities and committing to evaluating its policy every two years. The AP emphasized the importance of privacy protection in telephone helpdesk services. You can read the press release (in Dutch) here and the full decision (in Dutch) here.