Data Protection Weekly 16/2024

Apr 30, 2024

CEDPO

CEDPO Survey 2024: Attention DPOs & teams across the EU/EEA

CEDPO launched its DPO survey on 29 April 2024, designed by “DPOs for DPOs”. Your insights are invaluable, and it’s time to make your voice heard. Participation is anonymised, so you can speak freely, and just 30 minutes of your time can make a significant contribution to our profession. Your participation not only contributes to a detailed snapshot of our current landscape but will help elevate the profession and ensure that our concerns and ideas resonate at the highest level. Help shape the future of European data protection and answer this survey through this link here.

European Union

EDPB: Publication of 2023 annual report

The European Data Protection Board (EDPB) has released its 2023 Annual Report, highlighting significant developments in data protection. The report covers the election of Anu Talus as EDPB Chair and the adoption of three binding decisions that will shape the interpretation of data protection law. It also introduces the EDPB’s first Data Protection Guide for small businesses, aimed at broadening GDPR understanding. The year 2023 is described as transformative, with the EDPB refining its guidelines, developing new methods of cooperation among Data Protection Authorities (DPAs), and promoting GDPR awareness globally so that individuals and businesses are well-informed of their rights and obligations. You can read the press release here and download the full report here.

CJEU: Opinion of the Advocate General on data processing for targeted advertising

Advocate General (AG) Rantos has issued his opinion on the data protection concerns raised by activist Maximilian Schrems in case C-446/21 involving Meta Platforms Ireland. Schrems, who disclosed his sexual orientation during a public panel discussion but not on his Facebook profile, challenged Meta’s use of his personal data for targeted advertising. The Advocate General took the view that the GDPR’s data minimisation principle precludes the processing of personal data for advertising purposes without any limitation in time or by type of data, and emphasised the need for proportionality in data retention and in the volume of data processed. He also noted that a public statement such as Schrems’ may amount to ‘manifestly making public’ that data within the meaning of Article 9(2)(e) GDPR, lifting the prohibition on processing special categories of data, but that this does not by itself authorise its use for personalised advertising. You can read the press release here and the full Opinion here.

European Parliament: EU Health Data Space approved by MEPs

The European Parliament has approved the creation of a European Health Data Space aimed at enhancing access to personal health data across EU member states and facilitating secure data sharing for medical purposes. The new legislation will allow patients to access their electronic health records, which include detailed medical information like prescriptions and laboratory results, even from abroad. Additionally, the Health Data Space will enable the anonymised sharing of data for public interest research, with strict prohibitions on its use for commercial purposes such as advertising or insurance assessments. Robust privacy safeguards will ensure that patients can control the use of their data, requiring their consent for data access and providing options to opt out of data sharing for research. The law awaits formal approval by the Council and is set to be implemented progressively over the next two to six years, depending on the category of data use. You can read the press release here.

National Authorities

France: CNIL publishes its annual report for 2023

The French data protection authority (CNIL) released its 2023 annual report, detailing substantial activity and increased enforcement under the GDPR. In 2023, the CNIL handled a record 16,433 complaints, a 35% rise from 2022, alongside 20,810 requests for indirect access rights to sensitive files. The report highlights a major escalation in regulatory measures, with 340 investigations leading to 42 sanctions, double the number from the previous year. These sanctions included 36 fines totalling €89,179,500, reflecting stricter enforcement. Additionally, the CNIL focused on educational initiatives, reaching thousands through workshops and conferences, and expanded its support for AI, emphasising the importance of developing privacy-friendly AI. The report underscores a year of vigorous activity and adaptive strategies in data protection and compliance oversight. You can read the press release here and the full report here (in French).

France: CNIL enforces data minimisation in recruitment practices

The French data protection authority (CNIL) acted on a complaint against a company for excessive collection of personal data during recruitment processes, including candidates’ birthplaces, nationalities, marital statuses, and past salaries. This practice was found in breach of the data minimisation principle, mandated by GDPR, which requires that only data essential for the specific purpose of evaluating a candidate’s professional suitability should be collected. The CNIL reminded the company that only minimal, job-related information should be requested at the initial application stage. Personal details such as family members or previous salaries do not typically inform a candidate’s ability to perform job duties and are not necessary until a job offer is extended. Following CNIL’s guidelines, the company adjusted its data collection practices accordingly, leading to the closure of the enforcement procedure by the CNIL. You can read the full article here (in French).

Poland: UODO expresses concerns regarding the public officials registry bill

The Polish data protection authority (UODO) has raised significant concerns regarding the proposed National Registry of Public Officials bill, highlighting its non-compliance with the GDPR. UODO criticised the bill’s lack of a preliminary data protection impact assessment, which is essential to justify the processing of the specific data concerned and the need for another public registry. The registry would process extensive personal information, including names, addresses, and national identification numbers of public officials and their immediate family, along with electronic copies of their asset declarations. UODO’s critique extends to the unclear definition of ‘public official’, inconsistent terminology, the privacy risks for both the officials and their relatives, and the bill’s vague provisions on data management and security. UODO stressed the need for clearer rules on data access, responsibility for data processing, and the security measures for the registry. You can read the press release here (in Polish).

Global

Digital Rights NGOs issue urgent call for ePrivacy reform in the EU

EDRi, alongside 13 other organisations, has issued a call for the upcoming European Commission to undertake significant reforms of the EU’s ePrivacy legislation, intended to complement the GDPR. According to the open letter, efforts to pass the ePrivacy Regulation since its 2017 proposal have been thwarted by EU member states and corporate interests, despite strong advocacy from civil society for enhanced online privacy and security. The organisations advocate for the enforcement of privacy by design in technology, banning tracking walls that commodify basic rights, safeguarding encryption, ending surveillance advertising, and instituting stronger legal safeguards against intrusive surveillance, aiming to protect fundamental rights and ensure a functional Digital Single Market. You can read the press release here and the full letter here.

US: Biden signs two-year extension of FISA warrantless surveillance program

President Joe Biden has signed a two-year reauthorisation of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which permits warrantless surveillance of non-U.S. persons located outside the United States. The legislation, known as the Reforming Intelligence and Securing America Act, was passed by the Senate by a vote of 60-34 shortly before the existing authorisation expired. The reauthorisation introduces modifications intended to strengthen protections for U.S. persons, in response to past criticism over privacy intrusions. National Security Advisor Jake Sullivan stated that the changes provide robust reforms to protect civil liberties while preserving critical intelligence capabilities to counter threats. The act continues to draw mixed opinions, balancing national security needs against individual privacy rights. You can read the press release here and the statement from the National Security Advisor here.

Fines

UK: ICO fines two companies a total of £340,000 for making aggressive and unwanted marketing calls

The UK data protection authority (ICO) has imposed fines totalling £340,000 on Outsource Strategies Ltd and Dr Telemarketing Ltd for making nearly 1.43 million unsolicited calls to individuals registered with the UK’s Telephone Preference Service. The calls, made between February 2021 and March 2022, targeted vulnerable people, including the elderly, using aggressive marketing tactics, and gave rise to 76 complaints. The ICO’s investigation found that both companies failed to respect the legal protections afforded by the “do not call” register, resulting in penalties of £240,000 and £100,000 respectively. These actions underscore the ICO’s commitment to enforcing direct marketing law and protecting the public from unsolicited communications. You can read the press release here.

Croatia: AZOP issues nine new administrative fines totalling €51,000 for GDPR violations

The Croatian data protection authority (AZOP) has issued nine new administrative fines totalling €51,000 for breaches of the GDPR and the national law implementing it. Two significant fines, of €15,000 and €20,000, were imposed on gambling and betting data controllers for unlawfully processing personal data via cookies without valid consent from users. The remaining seven fines, totalling €16,000, were issued to hotels, catering establishments, and shops for inadequately marked video surveillance areas, in breach of the GDPR’s transparency requirements. You can read the press release here (in Croatian).