Data Protection Weekly 17/2023

Apr 27, 2023

European Union

EDPB: Chair and Deputy Chair candidates announced

The European Data Protection Board (EDPB) held a plenary on April 26, 2023, during which candidates for the positions of EDPB Chair and Deputy Chair presented their candidacies. According to the GDPR, the Board elects one Chair and two Deputy Chairs from its members for a five-year term, renewable once. The Chair serves as the official representative of the Board. With the terms of Chair Andrea Jelinek and Deputy Chair Ventsislav Karadjov ending on May 25, 2023, candidates for both positions introduced themselves to other Board members ahead of the elections. Deputy Chair Aleid Wolfsen’s position is not up for re-election, as his term will end on May 15, 2024. The candidates for EDPB Chair are Ventsislav Karadjov (Bulgarian DPA), Anu Talus (Finnish DPA), and Aleid Wolfsen (Dutch DPA). Candidates for Deputy Chair include Irene Loizidou Nikolaidou (Cypriot DPA), Jekaterina Macuka (Latvian DPA), and Zdravko Vukić (Croatian DPA). The elections will take place during the EDPB plenary meeting on May 25, 2023, through a secret ballot. You can read the press release here.

CJEU: AG opinion on liability for unlawful data access by third parties

Advocate General Giovanni Pitruzzella shared his opinion on Case C-340/21, which relates to the unlawful access of personal data by third parties. The case stems from a 2019 hacking attack on Bulgaria’s National Revenue Agency (NAP), which resulted in tax and social security information of millions of people being published online. Pitruzzella stated that a controller is responsible for implementing appropriate technical and organizational measures to ensure data protection. However, the occurrence of a personal data breach alone is not sufficient to conclude that the measures implemented were inappropriate. The controller must take into account several factors, including the state of the art and implementation costs, and their decision is subject to possible judicial review of compliance. Moreover, the controller is not automatically exempt from liability even if the infringement was committed by a third party. To be exempt from liability, the controller must demonstrate, to a high standard of proof, that they are not responsible for the event causing the damage. The Advocate General also takes the view that fear of possible misuse of data in the future can constitute non-material damage eligible for compensation only if it is actual and certain emotional damage, not simply trouble or inconvenience. You can read the press release here.

European Parliament: MEPs endorsed the first rules to trace crypto-asset transfers

The European Parliament has approved the first EU legislation for tracing transfers of crypto-assets, such as bitcoins and electronic money tokens, with 529 votes in favor, 29 against, and 14 abstentions. This legislation aims to ensure that crypto transfers can be traced and suspicious transactions blocked, similarly to traditional financial operations. The “travel rule” will now cover crypto asset transfers, requiring information on the source of the asset and its beneficiary to accompany the transaction and be stored on both sides of the transfer. The law also covers transactions above €1,000 from self-hosted wallets when interacting with hosted wallets managed by crypto-assets service providers. It does not apply to person-to-person transfers conducted without a provider or among providers acting on their own behalf. With this legislation, the European Parliament aims to set safeguards and standards for the use of blockchain technology, enhance consumer protection, and introduce measures against market manipulation and financial crime. You can read the full press release here.

European Commission: Adoption of first designation decisions under Digital Services Act (DSA)

The European Commission has adopted the first designation decisions under the Digital Services Act (DSA), identifying 17 Very Large Online Platforms (VLOPs) and 2 Very Large Online Search Engines (VLOSEs) with at least 45 million monthly active users. These platforms were designated based on user data they published by February 17, 2023. The designated companies now have four months to comply with new obligations under the DSA, which aim to empower and protect users online, including minors. These obligations include assessing and mitigating systemic risk, providing and implementing diligent content moderation, and increasing transparency and accountability. Designated platforms and search engines will also need to adapt their systems, resources, and processes for compliance and report to the Commission their first annual risk assessment within four months of notification. You can read the complete press release here.

EDPS: Proposition of measures to improve GDPR enforcement cooperation

The European Data Protection Supervisor (EDPS) supports the European Commission’s initiative to enhance collaboration between national Data Protection Authorities (DPAs) and the EDPS in enforcing the GDPR. The EDPS proposes two specific measures: 1) incorporating a provision in the forthcoming initiative confirming that all DPAs, including the EDPS, must actively cooperate to ensure effective supervision and consistent enforcement, and 2) amending the Annex of the IMI Regulation by adding a reference to the EUDPR. The EDPS believes that these measures will foster more effective and efficient cooperation in GDPR enforcement, benefiting not only cross-border cases but also data flows between Union institutions, public bodies, and private entities within the European Economic Area. Read the full contribution here.

National Authorities

Italy: Garante publishes an information page on Dark Patterns

The Italian Data Protection Authority (Garante) has released a new information page focused on Dark Patterns, or “deceptive design models.” These interfaces and navigation paths are designed to influence online behavior, which can also hinder effective personal data protection. The initiative aims to educate users about this increasingly widespread phenomenon, which remains largely unknown to many digital service users. The page, which also refers to recent EDPB Guidelines, is part of a broader project aimed at raising awareness and educating users on data protection, digital education, and security for more informed use of the internet and new technologies. You can read the full page (in Italian) here.

Spain: AEPD releases list of non-compliant public administrations

The Spanish Data Protection Authority (AEPD) has published, for the first time, a list of public administrations that have not complied with data protection requirements and corrective measures. The list includes administrations that have not responded to the AEPD’s information requests, as well as those that have not adapted their data processing practices and have not demonstrated compliance with the imposed corrective measures. Among the non-compliant administrations, several local entities with over 20,000 inhabitants have failed to appoint a Data Protection Officer (DPO), as required by the General Data Protection Regulation (GDPR). The AEPD has initiated sanction procedures against these administrations for not attending to the AEPD’s requirements. You can read the press release (in Spanish) here and find the full list here. 

Spain: AEPD published its 2022 annual report

The Spanish Data Protection Authority (AEPD) published its 2022 annual report revealing that it received a record 15,128 complaints in 2022, a 9% increase from 2021 and 47% from 2020. Most complaints were related to internet services, video surveillance and unsolicited advertising. The areas with the highest fines imposed were internet services, advertising, labor issues, personal data breaches, fraudulent contracting, and telecommunications, accounting for 87% of total sanctions. Data Protection Officer designations also increased, with 100,350 reported in 2022 compared to 82,249 in 2021. Additionally, the AEPD and UNICEF Spain launched the “More Than a Mobile” campaign, promoting responsible mobile phone usage and digital rights among children, becoming the most successful AEPD campaign with nearly 300 million impacts. You can read the press release (in Spanish) here and the full annual report (in Spanish) here.

France: CNIL launches compliance club on connected vehicles and mobility

The French Data Protection Authority (CNIL) has announced its 2023 work program for the “compliance club” dedicated to connected vehicle and mobility stakeholders. The club’s initial work will focus on developing recommendations for the use of geolocation data in the management of commercial fleets and the use of personal vehicles. The compliance club aims to facilitate the application of the GDPR and the French Data Protection Act by professionals whose activities involve the use of geolocation data, resulting in better personal data protection and increased trust from individuals whose data is collected and used. Thematic workshops, led by the CNIL, will be held between April and October 2023 to discuss the application of data protection regulations to geolocation data. The CNIL’s regulation method is inclusive, with recommendations being subject to public consultation before final adoption. You can read the full announcement here.

Netherlands: AP raises concerns regarding the use of Google products in Dutch education

On April 20, 2023, the Dutch Ministry of Education informed the House of Representatives about progress in addressing privacy risks with Google products in education, following the Dutch Data Protection Authority (AP)’s advice. Despite improvements, the AP expresses concerns over additional findings. Efforts have been made to minimize privacy risks, but the AP expects clarity on the impact of these findings on student privacy before the new school year. In 2021, the AP advised against using Google Workspace if risks couldn’t be mitigated. The implementation of agreements made with Google remains uncertain. You can read the press release (in Dutch) here.


OpenAI introduces “incognito mode” for ChatGPT

OpenAI has announced an “incognito mode” for its popular chatbot, ChatGPT, which will not save users’ conversation history or use it to improve the AI, according to a statement made by the company on April 25. The San Francisco-based startup is also planning to launch a “ChatGPT Business” subscription with additional data controls. The move follows increased scrutiny over how ChatGPT and other chatbots manage users’ data, with Italy banning ChatGPT last month over potential privacy violations. OpenAI’s CTO, Mira Murati, stated that the new features are a result of a months-long effort to prioritize user privacy and were not a direct response to Italy’s ban. The updated product now allows users to disable “Chat History & Training” in their settings and export their data. OpenAI’s business subscription, set to launch in the coming months, will not use conversations for AI model training by default. You can read the full article (Reuters) here and OpenAI’s statement here.


Romania: Romanian political party fined for GDPR violations

Romania’s Supervisory Authority (ANSPDCP) has fined the Save Romania Union Party (USR) 14,776.50 lei (equivalent to €3,000) for violating Articles 5(1)(a) and (b), along with Article 6 of the General Data Protection Regulation (GDPR). The fine was issued following complaints, redirected by the Ombudsman Institution, that the party’s website posted personal data of individuals with varying degrees of disability. The investigation found that the USR collected personal data, including names, identification numbers, addresses, and disability details from official documents on public authorities’ and institutions’ websites, and published them on the party’s website as part of a project, violating processing principles and lacking a legal basis for processing. As a corrective measure, the ANSPDCP ordered the USR to ensure GDPR compliance by reevaluating the documentation published on its website and anonymizing personal data in local public authorities’ resolutions, dispositions, and minutes. You can read the press release (in Romanian) here.

Spain: AEPD fines KFC Spain €25,000 for failing to appoint DPO and for data protection issues

KFC Spain has been fined for not having a Data Protection Officer (DPO) and for insufficient information in the “Privacy Policy” section on its website. The fast-food chain received a €20,000 penalty for the first violation and €5,000 for the second. A consumer filed a complaint with the Spanish Data Protection Authority (AEPD) in May 2021, highlighting the difficulty of accessing the privacy policy and the requirement to receive special offers and promotions upon registration. The AEPD found that KFC had not designated a DPO, violating Article 37 of the GDPR. KFC argued that its primary activity was not user data processing but restaurant services. The AEPD disagreed, citing hospitals and private security companies as examples of organizations where data processing is inseparable from their main activities. The AEPD has ordered KFC to appoint a DPO and implement corrective measures to their “Privacy Policy”. The penalty is not final and can be appealed to the National Court. You can read the full decision (in Spanish) here.

France: CNIL orders French Ministry of Economy to rectify non-compliant customs database

The French data protection authority (CNIL) has ordered the Ministry of Economy to rectify the SIRENE database, used by the customs department, within six months. This database contains personal information on individuals controlled at sea or on land and is non-compliant with several provisions of the French Data Protection Act. The CNIL’s investigation, initiated after a report on the SIRENE database, revealed that its creation and use lack any legal basis. Additionally, the CNIL was not consulted regarding the database’s implementation, and no data protection impact assessment was submitted. The database also fails to distinguish between different categories of individuals and does not inform them of its existence. If the Ministry does not comply, the CNIL may impose sanctions. You can read the full article (in French) here and the full decision (in French) here.

Czech Republic: UOOU fined Ministry of the Interior CZK 975,000 for collection of health data

The Czech Ministry of Interior has been fined 975,000 CZK (equivalent to €41,447) for the unlawful processing of personal data related to approximately 2 million people who were in isolation due to COVID-19 between April 1, 2021, and March 8, 2022. The decision was confirmed by the chairman of the Office for Personal Data Protection (UOOU), Jiří Kaucký. According to the UOOU, the police had collected sensitive personal health data without following the proper legal framework and without providing adequate information to the affected individuals. Furthermore, the police failed to perform a mandatory impact assessment on data protection and consult with the UOOU before launching the large-scale data collection process. The chairman emphasized that there was enough time to perform these preparatory steps since the data collection began more than a year after the pandemic outbreak. You can read the press release here.