Data Protection Weekly 18/2024

May 22, 2024


APEP: Spain’s largest privacy conference to celebrate milestones on 27-28 May 2024

In 2024, the Asociación Profesional Española de Privacidad (APEP) will celebrate two significant milestones: the 10th edition of its International Congress and the 15th anniversary of its founding. Since its inception in 2009, APEP, a member of the Confederation of European Data Protection Organisations (CEDPO), has played a pivotal role in advancing the position of privacy professionals in Spain. It has established itself as a key association in the realm of privacy and data protection. Over the past fifteen years, APEP has contributed to the development and implementation of crucial policies and regulations, with its members promoting a safer and more ethical digital environment. The 10th International Congress, to be held on 27-28 May, aims to celebrate these achievements and continue driving progress in the field. Multiple CEDPO representatives, including Nadia Arnaboldi from ASSO DPO, Pascale Gelly from AFCDP, Paul Jordan from CEDPO, and Jared Browne from ADPO, will be present to celebrate these milestones and participate in a panel titled “New Perspectives for Privacy Professionals.” You can find more information about the event here (in Spanish).

European Union

Council of the EU: Approval of Artificial Intelligence act

The Council of the EU has approved the Artificial Intelligence (AI) act, marking the first global legislation to regulate AI based on a ‘risk-based’ approach. The law aims to harmonise AI rules across the EU, fostering safe and trustworthy AI while ensuring fundamental rights and encouraging innovation. High-risk AI systems will face strict requirements, whereas systems with minimal risk will have lighter obligations. Certain AI practices, such as cognitive behavioural manipulation and social scoring, will be banned. The law establishes governance bodies, including an AI Office and an AI Board, to ensure proper enforcement. Penalties for non-compliance are set as a percentage of global annual turnover. The act also mandates transparency and the protection of fundamental rights, requiring assessments before deploying high-risk AI systems. The legislation will be published in the EU’s Official Journal and come into force twenty days later, with application starting two years after. You can read the press release here.

Council of Europe: Adoption of first international AI treaty

The Council of Europe has adopted the first international legally binding treaty aimed at ensuring human rights, democracy, and the rule of law in the use of artificial intelligence (AI) systems. Open to non-European countries, this treaty sets a legal framework for the entire AI lifecycle, promoting responsible innovation while addressing potential risks. It employs a risk-based approach to AI design, development, use, and decommissioning. Adopted in Strasbourg during the annual ministerial meeting, the treaty is the result of two years of work by the Committee on Artificial Intelligence (CAI), involving 46 Council of Europe member states, the EU, and 11 non-member states. It mandates transparency, oversight, accountability, and remedies for human rights violations related to AI. The treaty excludes national security and defence activities but requires compliance with international law and democratic principles. The convention also requires each party to establish an independent mechanism to oversee compliance. The treaty will be opened for signature on 5 September in Vilnius. You can read the full article here.

European Commission: Microsoft compelled to provide information on generative AI risks on Bing under DSA

The European Commission has issued a legally binding request for information to Microsoft, compelling the company to provide internal documents and data on the generative AI features of Bing, specifically “Copilot in Bing” and “Image Creator by Designer”. This follows Microsoft’s failure to respond to a previous request on 14 March. The Commission suspects Bing may have breached the Digital Services Act (DSA) by not adequately assessing and mitigating risks such as AI ‘hallucinations’, deepfakes, and automated voter manipulation. As a designated Very Large Online Search Engine, Bing must comply with the DSA’s comprehensive provisions. Failure to respond by the 27 May deadline could result in significant fines. The Commission’s request is an investigatory act under Article 67(3) of the DSA, which does not predetermine any subsequent actions. The Commission will decide on potential formal proceedings based on Microsoft’s response. You can read the press release here.

Supervisory Authorities

France: CNIL launches new “enhanced accompaniment” call for projects

On 15 May 2024, the French data protection authority (CNIL) announced the second edition of its “enhanced accompaniment” call for projects, targeting innovative companies with significant economic growth potential. The application period is open until 23 June 2024. This initiative aims to support companies handling large-scale or sensitive data by providing tailored assistance over six months, focusing on legal and technical guidance, compliance reviews, and data protection awareness. Selected companies must demonstrate strong commitment and operational capacity to benefit from this enhanced support. Confidentiality is guaranteed, but participation does not grant immunity from compliance obligations under the GDPR. Selection criteria include the impact on individuals, innovation, company size and sustainability, and commitment to GDPR compliance. Companies can apply by emailing their applications to accompagnement[@]. The programme will commence in September and last for six months, providing practical and legal security for data-related activities. You can read the press release here (in French).

UK: ICO reaffirms commitment to regulating AI and emerging tech

In a recent speech at the New Scientist Emerging Technologies summit, UK Information Commissioner John Edwards highlighted the ICO’s ongoing role in regulating AI and emerging technologies. Edwards emphasised that data protection laws, which have been in place since the ICO’s inception in 1984, apply to all technologies involving personal information. He refuted the notion of a “regulatory wild west” in the tech sector, asserting that data protection principles are technology-neutral and enforced robustly. Edwards also underscored the importance of transparency, accuracy, and user rights in handling personal data. The ICO’s initiatives, including its Innovation Advice service and regulatory Sandbox, were presented as resources to help organisations ensure compliance without stifling innovation. The speech concluded with a call for collaboration with the ICO to maintain public trust in AI and emerging technologies. You can read the full speech here.

Spain: Data protection authorities publish guidelines for Wi-Fi tracking technologies

On 7 May 2024, Spanish data protection authorities, including the AEPD and regional counterparts from Catalonia, the Basque Country, and Andalusia, released guidelines for the use of Wi-Fi tracking technologies. These technologies can identify and track mobile devices via emitted Wi-Fi signals, detecting device presence and movement patterns within specific areas. While they have practical applications in locations like shopping centres, museums, workplaces, and public events for estimating crowds and analysing foot traffic, they pose significant privacy risks. The guidelines analyse these implications, identify key risks, and recommend measures to ensure responsible use compliant with data protection regulations. The authorities emphasise that Wi-Fi tracking often constitutes personal data processing, requiring adherence to GDPR principles and possibly necessitating Data Protection Impact Assessments (DPIAs). They also recommend transparency measures and stringent security protocols to mitigate privacy risks. You can read the press release here (in Spanish).

Denmark: Datatilsynet investigates data security in 48 municipalities

The Danish data protection authority (Datatilsynet) has initiated written reviews of 48 municipalities to examine and support their work on basic data security. This effort continues similar reviews from the past three years, focusing on the municipalities’ maturity in handling data security, especially since they manage sensitive citizen information that cannot be opted out of. The inspections include 77 questions covering 15 topics, and municipalities have six weeks to respond. Based on the answers, Datatilsynet may request documentation, ask further questions, and conduct random checks. Upon completion, individual reports with recommendations will be prepared to aid municipalities in their ongoing security efforts. This inspection activity is part of Datatilsynet’s strategy for a data- and risk-based approach to guidance and control. You can read the press release here (in Danish).

Sweden: IMY participates in AI regulatory sandbox pilot project

The Swedish data protection authority (IMY) announced its participation in a collaborative initiative aimed at preparing the public sector for the forthcoming EU AI Regulation. The regulation mandates the creation of AI regulatory sandboxes in each member state, allowing entities to test and evaluate AI systems before their deployment. This initiative, conducted via the eSam collaborative programme alongside the Swedish Companies Registration Office, the Swedish Tax Agency, and the Swedish Public Employment Service, seeks to enhance understanding of the regulation’s requirements. David Magård, a strategist at the Swedish Companies Registration Office, emphasised the importance of this preparation for providing support to businesses, particularly SMEs. Carin Sundhage, acting chief of staff at IMY, highlighted the agency’s enthusiasm and experience with regulatory sandboxes in data protection, expressing confidence in their collaborative approach to foster innovation and sustainable digitalisation in Sweden and the EU. You can read the press release here (in Swedish).

Italy: Garante launches an investigation regarding facial recognition in Rome

The Italian data protection authority (Garante) has initiated an investigation by requesting information from the city of Rome regarding a proposed video surveillance project in metro stations. This initiative, planned in anticipation of the upcoming Jubilee, involves installing facial recognition cameras to monitor and identify individuals engaged in disruptive behaviour on trains and platforms. The city of Rome has 15 days to respond, providing technical details of the facial recognition capabilities, the purpose and legal basis for processing biometric data, and a copy of the data protection impact assessment. The Garante emphasises that a moratorium is in effect until the end of 2025, prohibiting the installation of facial recognition systems in public areas, except for judicial authorities or public bodies for crime prevention, subject to the Garante’s approval. You can read the press release here (in Italian).


Scarlett Johansson alleges OpenAI used her voice without consent

Scarlett Johansson has accused OpenAI of using her voice for ChatGPT without her permission after she declined to provide it. Johansson claims OpenAI’s new voice, unveiled last week, closely mimicked her performance in the film “Her.” Following her lawyers’ demands for clarification, OpenAI disabled the voice over the weekend. Johansson stated that OpenAI’s CEO, Sam Altman, requested her collaboration last September, which she refused. Despite this, she was shocked to hear a new ChatGPT voice sounding remarkably like hers, prompting her to seek legal advice. OpenAI subsequently paused the use of the voice, named Sky, clarifying it was produced by a different actress. Altman apologised for the lack of communication and stressed Sky’s voice was not intended to mimic Johansson’s. In March, OpenAI said it had developed technology to clone voices from 15-second clips but chose not to release it due to misuse concerns. This incident adds to OpenAI’s legal challenges over alleged misuse of copyrighted material. You can read the full article here.


Poland: UODO fines Res-Gastro for data breach after employee loses unencrypted USB drive

Res-Gastro, a catering company based in Kolbuszowa, Poland, has been fined nearly PLN 240,000 (equivalent to €56,500) by the Polish Supervisory Authority (UODO) after an employee lost a USB drive containing personal data. The investigation revealed that the company’s data processing methods were non-compliant with GDPR regulations, primarily due to an inadequate risk assessment that failed to account for the possibility of data loss through misplacement. The USB drive, containing unencrypted personal data such as names, addresses, and financial details, highlighted the company’s insufficient organisational and technical measures for data security. While Res-Gastro cooperated with the UODO, which mitigated the penalty, the fine was still substantial, reflecting the company’s high turnover. The incident underscores the necessity for comprehensive encryption and regular testing of data security protocols. You can read the press release here and the full decision here (both in Polish).

Finland: The Finnish SA fines online retailer €856,000 for data retention failures

The Finnish Supervisory Authority (SA) fined an online retailer €856,000 for failing to define a storage period for customer account data. Following a customer’s complaint, the SA’s investigation revealed that the retailer stored customer account data indefinitely, contravening GDPR principles. Customers were required to create accounts to make purchases, and their data were retained without a specified period, with the retailer asserting that customers could delete their data by closing their accounts. In practice, this led to data being stored for excessively long periods. The SA also concluded that mandatory account creation for purchases violated data protection law, as an account should not be a prerequisite for online shopping. Besides the fine, the retailer received a compliance order to define a specific data retention period and modify its registration practices, along with a reprimand for breaching data protection regulations. You can read the press release here.

Greece: Hellenic SA fines postal service for security failures

The Hellenic Supervisory Authority (SA) fined Hellenic Post Services S.A. (ELTA S.A.) 1% of its last annual turnover for failing to implement adequate technical and organisational measures, leading to unauthorised third-party access. The case involved two breaches: a ransomware attack and the leakage of personal data, which was subsequently published on the dark web. The investigation revealed significant shortcomings in ELTA’s security practices, including inadequate vulnerability scanning, unauthorised access, and disabling of security software. Despite mitigating factors such as enhanced security measures post-incident, cooperation with a specialised investigation company, data recovery, and the company’s financial difficulties, the fine was imposed due to the wide-ranging impact and severity of the breaches. The decision highlights the importance of robust security policies to protect against data breaches. You can read the press release here.