Data Protection Weekly 18/2023

May 4, 2023


GDPR and Cross-Border Inquiries: An Interview with the Irish Data Protection Commission

The Confederation of European Data Protection Organisations (CEDPO), in collaboration with the Association of Data Protection Officers, Ireland, is hosting a webinar on May 23, 4:00-5:30 PM CET, discussing the challenges of conducting large-scale cross-border investigations under the GDPR. Featuring speakers from the Irish Data Protection Commission and data protection experts, the webinar will provide insights into the legal, regulatory, and institutional aspects of these inquiries. For more information and to join the webinar, visit here.

European Union

EDPB: Publication of a data protection guide for SMEs

The European Data Protection Board (EDPB) has launched a Data Protection Guide to help small business owners become more GDPR-compliant. The guide provides practical information in an accessible format. It covers data protection basics, data subject rights, data breaches, and more, offering videos, infographics, and interactive flowcharts to aid SMEs in implementing data protection practices. Andrea Jelinek, EDPB Chair, highlighted the guide’s usefulness, which includes concrete examples drawn from five years of experience with the GDPR. The guide also contains an overview of resources developed for SMEs by national Data Protection Authorities. Initially available in English, the guide will be translated into other EU languages over time. You can read the press release here and consult the complete guide here.

EDPS: Opinions on Road Safety package

The European Data Protection Supervisor (EDPS) has released three opinions on the European Commission’s “Road Safety package,” which includes proposals on cross-border information exchange for road safety-related traffic offences, driving licences, and a new directive on the EU-wide effect of certain driving disqualifications. EDPS Wojciech Wiewiórowski emphasised that the handling of personal information in these contexts must comply with EU data protection law. The EDPS recommends limiting data storage duration, exchanging only the personal data that is necessary between EU Member States, and clarifying the conditions of access to and use of national databases and the CBE portal. For the driving licence proposal, the EDPS suggests limiting the use of the RESPER network and ensuring that only necessary information is processed for mobile driving licences. The EDPS also recommends that use of the EU Digital Identity Wallet for mobile licences should remain optional. Concerning the proposal for a directive on the EU-wide effect of certain driving disqualifications for major road safety offences, the EDPS reminds the legislator that it must be consulted on any future implementing or delegated acts adopted under the directive. You can read the press release here and download the full opinions here.

EDPS: Publication of 2022 Annual Report

The European Data Protection Supervisor (EDPS) presented the EDPS Annual Report 2022, showcasing significant activities and achievements in data protection. The report highlights the EDPS’s supervisory actions, policy and legislative advice, technology monitoring, and efforts to advance GDPR enforcement. The EDPS has focused on protecting individuals’ rights to privacy and data protection, especially for the most vulnerable, and advising EU legislators on topics such as health, artificial intelligence, and crime-fighting initiatives. International data transfers and ensuring compliance with EU data protection laws were also priorities. The EDPS launched two social media platforms, EU Voice and EU Video, and the collaborative cloud NextCloud to promote the use of alternative services based in the EU/EEA. The organization continues to monitor and foster digital innovation to encourage privacy-compliant development. You can read the press release here and download the full report here.

CJEU: Clarification of the scope of GDPR right to obtain a copy of personal data

The EU Court of Justice clarified the scope of the GDPR’s right to obtain a copy of personal data in Case C-487/21. The court ruled that the data subject must be provided with a faithful and intelligible reproduction of all their personal data undergoing processing. This right includes obtaining copies of extracts from documents or entire documents, as well as extracts from databases containing the data, if essential for the data subject to effectively exercise their GDPR rights. The court also stated that the concept of ‘information’ referred to in Article 15(3) of the GDPR relates exclusively to personal data that the controller must provide a copy of. You can read the full decision here.

CJEU: Mere infringement of the GDPR does not give rise to a right to compensation

In a recent judgment, Case C-300/21, the Court of Justice of the European Union ruled that a mere infringement of the General Data Protection Regulation (GDPR) does not by itself give rise to a right to compensation. The court stated that the right to compensation under the GDPR requires three cumulative conditions: an infringement of the GDPR, material or non-material damage resulting from that infringement, and a causal link between the damage and the infringement. At the same time, the court held that the right to compensation for non-material damage is not conditional on the damage reaching a certain threshold of seriousness. Since the GDPR contains no rules governing the assessment of damages, it is for each Member State’s legal system to prescribe the detailed rules for such actions, provided the principles of equivalence and effectiveness are respected. You can read the full decision here.

CJEU: Clarification of when pseudonymized data is considered personal data

The EU General Court determined in Case T-557/20 that pseudonymised data is not necessarily personal data in the hands of every recipient, departing from the position taken by the European Data Protection Supervisor (EDPS). The court emphasised that the recipient’s perspective and capabilities are decisive when deciding whether pseudonymised data is personal data for that recipient. In the case, the Court found that because the recipient had neither the means nor a legal basis to re-identify the data subjects, the pseudonymised data it received could be treated as anonymous data from its point of view. The Court also stated that the transmitting party’s own ability to identify the data subjects is not decisive for determining whether the data transferred is personal data for the recipient. The decision implies that data controllers must assess, for each specific recipient, whether that recipient can re-identify a pseudonymised dataset, which adds a case-by-case element to the analysis. You can read the full decision here.
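The practical hinge of the T-557/20 reasoning is whether the recipient can reverse the pseudonyms. The following illustration is added here and is not part of the judgment or of any party’s code; the records, names and key are constructed. It contrasts a keyed pseudonym (HMAC with a secret the transmitter keeps) with an unkeyed hash of the identifier, and shows why only the former leaves a recipient with a plausible name list unable to re-identify anyone, while the transmitter, holding the key and lookup table, still can.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (not real data). The transmitter holds these.
RECORDS = [
    {"name": "Alice Example", "comment": "Objects to the resolution plan"},
    {"name": "Bob Example", "comment": "Supports the resolution plan"},
]


def naive_pseudonym(name):
    """Unkeyed hash: deterministic and reversible by anyone who can guess the input."""
    return hashlib.sha256(name.encode()).hexdigest()[:16]


def keyed_pseudonym(name, key):
    """HMAC-SHA256 with a secret key: cannot be recomputed without the key."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key, keyed=True):
    """Transmitter side. Replaces the identifier with a pseudonym and keeps a
    private lookup table; only the pseudonymised rows are sent onward."""
    lookup = {}
    sent = []
    for rec in records:
        pid = keyed_pseudonym(rec["name"], key) if keyed else naive_pseudonym(rec["name"])
        lookup[pid] = rec["name"]
        sent.append({"id": pid, "comment": rec["comment"]})
    return sent, lookup


def dictionary_attack(pseudonymised, candidate_names):
    """Recipient side. The recipient has no key but may hold a list of
    plausible names (hypothetical). It hashes each guess and matches it
    against the ids it received. Returns {pseudonym: recovered name}."""
    ids = {rec["id"] for rec in pseudonymised}
    return {naive_pseudonym(n): n for n in candidate_names if naive_pseudonym(n) in ids}


def reidentify(pseudonymised, lookup):
    """Transmitter side: the lookup table links pseudonyms back to people."""
    return [(lookup[rec["id"]], rec["comment"]) for rec in pseudonymised]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed secret, never shared with the recipient
    guesses = ["Alice Example", "Bob Example", "Carol Example"]

    sent, table = pseudonymise(RECORDS, key, keyed=False)
    print("unkeyed hash, recipient recovers:", dictionary_attack(sent, guesses))

    sent, table = pseudonymise(RECORDS, key, keyed=True)
    print("keyed pseudonym, recipient recovers:", dictionary_attack(sent, guesses))
    print("transmitter can still re-identify:", reidentify(sent, table))
```

The caveat a practitioner should take from this: an unkeyed hash of a low-entropy identifier (names, e-mail addresses, national ID numbers) is not pseudonymisation in any meaningful sense, because a recipient with a candidate list can rebuild the mapping. The recipient-centred test the General Court applied only helps the transmitter if the key and lookup table genuinely stay out of the recipient’s reach, and if the remaining attributes (here the free-text comment) do not themselves single people out.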

National Authorities

France: CNIL addresses drone usage by law enforcement in recent opinion

The French Data Protection Authority (CNIL) issued an opinion on the decree governing aerial cameras used by law enforcement. While the use of drones by law enforcement is now permitted, it is subject to specific conditions. The CNIL has previously called for strict regulation of drone usage because of the risks it poses to public freedoms and individual privacy. The law provides safeguards intended to limit interference with individual liberties, including quotas on the number of drones per department, written authorisation for each deployment, a prohibition on sound recording and automated facial recognition, limited retention periods for images, and protection of private residences. The CNIL also made recommendations on the implementation of aerial cameras and on informing the public. It suggests that law enforcement develop an “employment doctrine” and inform the public about drone use during specific interventions, unless urgency, the objectives pursued or the operational conditions make that impossible. You can read the full article (in French) here.

France: CNIL provides details on data protection audits as part of EDPB’s coordinated enforcement framework

The French Data Protection Authority (CNIL) has shared more information about the audits it has initiated as part of the European Data Protection Board’s coordinated enforcement action. CNIL has sent a dozen questionnaires to public institutions, local authorities, and private companies, specifically in the luxury and transportation sectors. These questionnaires aim to assess if organizations are providing their Data Protection Officers with adequate resources, as required by GDPR. Responses will be analyzed in coordination with CNIL’s European counterparts, and on-site inspections may be conducted based on the initial findings. CNIL may independently decide on corrective measures, such as injunctions or sanctions, and the European Data Protection Board will publish a report on the campaign’s results once the actions are complete. You can read the full article (in French) here.

Ireland: DPC releases guidance for employers on data protection in the workplace

The Irish Data Protection Commission recently released guidance for employers on processing personal data of employees, former employees, and prospective employees. Employers, as data controllers, handle various types of personal data, including basic information, occupational health details, sick leave, performance reviews, and disciplinary actions. The guidance aims to assist employers in fulfilling their responsibilities, obligations, and duties under the GDPR and the Data Protection Act 2018. You can find the full guidance here.

Spain: AEPD publishes blog post on Federated Learning and privacy

The Spanish Data Protection Authority (AEPD) has published a new blog post on the role of Federated Learning in enhancing privacy. Federated Learning is a technique for training a machine learning model across several participants without any of them sharing their raw personal data: each participant trains locally and only model updates are exchanged and combined. The blog post traces how the technique has evolved, including the Horizontal approach (participants hold different records with the same attributes) and the Vertical approach (participants hold different attributes about the same individuals). The AEPD stresses the value of these methods for preserving data protection and for building trust between the entities involved. You can read the complete blog post here.
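To make the horizontal case concrete, here is a small federated-averaging round written for this newsletter; it is an added illustration, not code from the AEPD post. Three hypothetical clients each hold private rows of the same shape, fit a one-variable linear model locally, and send only their parameters and row count to a coordinator, which averages them. The datasets are constructed with a known ground truth so the result can be checked.

```python
import random


def make_client_data(n, seed):
    """Constructed private dataset for one client (not real data).
    Rows follow y = 2x + 1 plus small noise; they never leave the client."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x = rng.uniform(-1.0, 1.0)
        rows.append((x, 2.0 * x + 1.0 + rng.gauss(0.0, 0.1)))
    return rows


def local_train(rows, w, b, lr=0.1, epochs=20):
    """Client side: start from the global model and run plain gradient
    descent on mean squared error over the private rows.
    The only values returned to the coordinator are (w, b, row count)."""
    n = len(rows)
    for _ in range(epochs):
        grad_w = grad_b = 0.0
        for x, y in rows:
            err = (w * x + b) - y
            grad_w += 2.0 * err * x
            grad_b += 2.0 * err
        w -= lr * grad_w / n
        b -= lr * grad_b / n
    return w, b, n


def fed_avg(updates):
    """Coordinator side: weight each client's parameters by its row count.
    The coordinator never sees a single (x, y) row."""
    total = sum(n for _, _, n in updates)
    w = sum(wi * n for wi, _, n in updates) / total
    b = sum(bi * n for _, bi, n in updates) / total
    return w, b


def run(rounds=10):
    """Run several rounds of local training followed by federated averaging.
    Returns the global model and a log of everything that crossed the wire."""
    clients = [make_client_data(40, 1), make_client_data(20, 2), make_client_data(60, 3)]
    w, b = 0.0, 0.0
    wire_log = []
    for _ in range(rounds):
        updates = [local_train(rows, w, b) for rows in clients]
        wire_log.extend(updates)
        w, b = fed_avg(updates)
    return w, b, wire_log


if __name__ == "__main__":
    w, b, log = run()
    print(f"global model: y = {w:.3f}x + {b:.3f}")
    print(f"messages seen by coordinator: {len(log)}, each a (w, b, n) triple")
```

The point to hold on to is what the coordinator does and does not see: parameters and a sample count, not rows. That is what the AEPD post means by training “without sharing personal data”. It is not the end of the analysis, though: model updates can still leak information about the training rows, which is why production deployments pair federated averaging with secure aggregation or differential privacy rather than treating the parameters themselves as anonymous.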


ICCL files complaint against European Commission for data deficit in GDPR monitoring

The Irish Council for Civil Liberties (ICCL) has filed a complaint with the EU Ombudsman against the European Commission for a 56-month data deficit in GDPR monitoring. Despite committing to regular monitoring of large-scale cross-border investigations, the Commission has not collected information for the entire GDPR application period. The ICCL warns that this failure puts the fundamental rights and freedoms of EU citizens at risk. The Commission has stated that it will act against any Member State for systemic failures by its independent authorities, but the data deficit prevents them from identifying such failures. The Commission is currently drafting new regulations to streamline cooperation between GDPR supervisory authorities, but the ICCL argues that it cannot properly consider necessary measures without complete information. You can read the press release here.

OECD publishes a report regarding business views on data free flow with trust

The OECD’s Working Party on Data Governance and Privacy (WPDGP) released a report examining private-sector perspectives on privacy and data protection rules for cross-border data flows. Part of the OECD Digital Economy Papers series, the report aims to contribute to the policy agenda of ‘data free flow with trust’. Businesses expressed the need for coherent, transparent, and predictable principles and rules that balance certainty and flexibility, aligning with real-world business practices. The report highlights the importance of international regulatory cooperation and leveraging diverse solutions to maintain global trust in privacy and data protection. It was based on a survey exploring businesses’ perspectives on cross-border data flows, trust, and compliance challenges, as global regulations evolve. You can read the full report here.

Apple and Google unveil industry specification to tackle unwanted Bluetooth tracking

On May 2, 2023, Apple and Google announced a joint initiative for an industry specification aimed at addressing unwanted Bluetooth location-tracking. The proposed specification would enable location-tracking devices to be compatible with unauthorized tracking detection and alerts on iOS and Android platforms. This initiative has gained support from Samsung, Tile, Chipolo, eufy Security, and Pebblebee. The specification includes best practices and guidelines for manufacturers who choose to integrate these features into their products. The goal is to combat unwanted tracking while ensuring user privacy and security. The Internet Engineering Task Force (IETF) has received the draft specification, and a three-month review and comment period has begun. Apple and Google plan to address feedback and release a production implementation for unwanted tracking alerts by the end of 2023. You can read the press release here.

ChatGPT reinstated in Italy with enhanced transparency and user rights

OpenAI has reinstated its ChatGPT service in Italy after implementing measures to comply with the Italian Data Protection Authority’s (Garante) order from April 11. These improvements include increased transparency and the right to opt-out for European users and non-users, as well as other changes to privacy policies and user access. The Garante acknowledges OpenAI’s efforts to align with European data protection legislation and will continue monitoring the company under an ad-hoc task force set up by the European Data Protection Board. The press release can be found here.