Data Protection Weekly 17/2024

May 7, 2024


CEDPO Survey 2024: Attention DPOs & teams across the EU/EEA!

CEDPO launched its DPO survey on 29 April 2024, designed by “DPOs for DPOs”. Your insights are invaluable, and it’s time to make your voice heard! Speak freely with anonymised participation, just 30 minutes of your time can contribute to a significant impact on our profession. Your participation not only contributes to a detailed snapshot of our current landscape but will help elevate the profession and ensure that our concerns and ideas resonate at the highest level. Help shape the future of European data protection and answer this survey through this link here.

 European Union

CJEU: Ruling on access to telephone records

The Court of Justice of the European Union (CJEU) has ruled in case C-178/22 that national courts must be entitled to refuse or restrict access to telephone records in investigations unless the offence qualifies as serious. This judgment arose from an Italian case regarding a prosecutor’s request for telephone data linked to a minor theft, potentially infringing on privacy rights. The CJEU clarified that while member states have the discretion to define what constitutes a serious offence, this definition must be balanced against the fundamental rights to privacy and personal data protection. The court emphasised that such access should only be granted if the implicated offence is severe enough to justify the serious interference with these rights. This decision reinforces the need for a careful assessment of the proportionality between investigative goals and the rights infringed upon. You can read the press release here and the full decision here.

CJEU: Ruling on IP address retention

The Court of Justice of the European Union (CJEU) has provided guidance in Case C-470/21 regarding the conditions under which Member States may mandate the general and indiscriminate retention of IP addresses for combating crime. This clarification follows a French decree leveraging IP data to tackle online copyright infringements. The Court stipulated that such retention must prevent detailed insights into personal lives by ensuring a strict separation of IP addresses from other personal data. Furthermore, access to civil identity data associated with these IP addresses by national authorities is permitted, provided this information is stored in a genuinely watertight manner that prevents any precise conclusions about personal lives. This ensures that data access is strictly targeted at identifying suspects of criminal activities without broader privacy infringements. The CJEU emphasises that only in cases where such access might significantly impact privacy should a prior review by a judicial or independent administrative body be necessary. You can read the press release here and the full decision here.

European Commission: Formal proceedings opened against Facebook and Instagram under the DSA

The European Commission has formally initiated proceedings against Meta, the parent company of Facebook and Instagram, under the Digital Services Act (DSA), due to potential breaches involving practices relating to deceptive advertising and political content on its services. The proceedings also scrutinise Meta’s failure to provide an effective alternative to its CrowdTangle tool, a real-time civic discourse and election-monitoring platform, particularly significant in the lead-up to the upcoming European Parliament elections. This action reflects the Commission’s commitment to safeguarding European democratic processes from manipulation and ensuring major digital platforms adhere to stringent regulatory standards. The Commission will continue to collect evidence and conduct further investigations to determine Meta’s compliance with the DSA. You can read the press release here.

Council of the EU: Approval of a protocol to facilitate free flow of data between EU and Japan

The Council of the EU has approved a new protocol to enhance the flow of data between the EU and Japan by eliminating unnecessary data localisation requirements. This development is part of the broader EU-Japan Economic Partnership Agreement and aims to facilitate efficient data handling and storage by companies without the need for duplicative infrastructure across borders. This move is expected to reduce operational costs and complexities for businesses, enhancing their global competitiveness while ensuring compliance with strict data protection and privacy standards upheld by both regions. The protocol also reinforces legal certainty about cross-border data transfers, promoting a more robust digital economy built on mutual trust and security standards. The agreement awaits ratification and mutual notifications to come into effect. You can read the press release here.

ECA: Evaluation of EU’s AI strategy

The European Court of Auditors (ECA) has reviewed the European Commission’s execution of its ambitious artificial intelligence (AI) strategy, initially launched in 2018 and updated in 2021. This strategy aimed to establish the EU as a leader in the global AI arena, encouraging significant investment and the creation of a legal environment conducive to AI development. The auditors assessed the effectiveness of the Commission’s actions in promoting AI innovation and integration across the EU, examining EU-funded AI research and innovation projects as well as initiatives to enhance the deployment and scalability of AI technologies. The audit’s findings are intended to inform future adjustments to the strategy and broader EU AI policies, ensuring the EU competes effectively on the international stage. The detailed report will be released next month and is expected to provide critical insights for stakeholders. You can read the press release here.

Supervisory Authorities

France: CNIL releases self-assessment tool for BCRs

The French data protection authority (CNIL) has introduced a self-assessment tool designed to assist multinational companies in implementing Binding Corporate Rules (BCR), which facilitate the secure transfer of personal data outside the European Union. This tool enables companies to assess the maturity of their BCR projects in accordance with the standards set by the European Data Protection Board. It features a questionnaire that can be completed by data protection officers or other project leaders to obtain a compliance score and an action plan. This initiative aims to prepare projects for CNIL approval and, if mature enough, for the broader European review process, ensuring any deficiencies are addressed prior to formal submission. You can read the press release here and access the tool here (in French).

Germany: The DSK has published guidance for companies and authorities how to use artificial intelligence in compliance with data protection.

The Conference of Independent Data Protection Supervisory Authorities of the Federal Government and the Federal States (DSK) has published a guideline with data protection criteria for the selection and use of AI applications in a data protection compliant manner. The guidance document “Artificial intelligence and data protection” is aimed at companies, authorities and other organisations. Presented in the form of a checklist, the paper serves as a guide, particularly for those responsible under data protection law, for selecting, implementing and using AI applications. The guidance addresses practical questions that data controllers need to ask and answer when designing the deployment, selection, implementation and use of AI applications. The guidance document discusses important criteria in line with the requirements of the GDPR – also using examples – and provides guidelines for appropriate decisions. The document can be read here (in German).

Netherlands: AP declares scraping almost always illegal

The Dutch data protection authority (AP) has issued new guidelines declaring that web scraping by private entities and individuals is nearly always illegal. The process of scraping involves the automated collection of data from the internet, which frequently includes personal data and poses serious privacy risks. According to the AP, this practice almost invariably breaches the General Data Protection Regulation (GDPR). Specific prohibited activities include scraping to create and sell personal profiles, harvesting data from protected social media or private forums, and using public profile information for insurance assessments. Exceptions exist, such as ‘domestic use’ where data collected for personal projects does not fall under GDPR. Overall, legal scraping is permitted only under stringent conditions focused on legitimate interest, rarely met by most scraping operations. You can read the press release here (in Dutch).


Noyb files a complaint against OpenAI for inaccuracies in ChatGPT

The European consumer rights group noyb has filed a complaint with the Austrian Data Protection Authority against OpenAI, alleging that ChatGPT does not comply with GDPR requirements for data accuracy. OpenAI acknowledges that its generative AI may produce inaccurate or fabricated responses, but argues that ensuring factual correctness remains a complex challenge in AI development. This issue is critical when personal information is involved, as GDPR mandates data accuracy and grants individuals rights to access, rectify, or delete their data. noyb’s complaint highlights that OpenAI’s inability to provide data source transparency or correct inaccurate data contravenes these legal standards. The case, potentially involving EU-wide regulatory cooperation, seeks to enforce GDPR compliance by OpenAI, urging rectification of the complainant’s data and greater transparency in data processing. You can read the press release here.


UK: ICO imposes fines and calls for better data protection for HIV status information

The UK data protection authority (ICO) has imposed a £7,500 fine on the Central Young Men’s Christian Association (Central YMCA) in London following a data breach. The breach occurred when emails intended for individuals in a HIV support programme were mistakenly sent using ‘CC’ instead of ‘BCC’, revealing the recipients’ email addresses to one another and potentially identifying 166 individuals. Originally, the fine was set at £300,000 but was reduced in accordance with the ICO’s new approach to public sector penalties, which aims to balance enforcement with the conservation of public funds. The ICO is emphasising the need for better training and procedures to prevent such breaches in the future. You can read the press release here.

Switzerland: FDPIC investigation results on Xplain and federal offices

The Swiss data protection authority (FDPIC) has completed its investigations into Xplain, the Federal Office of Police (fedpol), and the Federal Office for Customs and Border Security (FOCBS) following a ransomware attack in May 2023 that led to a leak of sensitive data on the darknet. The FDPIC found that both federal offices and Xplain had improperly managed personal data, failing to establish clear data protection protocols during their collaboration. This resulted in unauthorised data transfers and inadequate data security on Xplain’s servers. The FDPIC has issued recommendations aimed at rectifying these data protection breaches and has given the parties thirty days to respond. You can read the press release here.