Data Protection Weekly 19/2023

May 12, 2023


APEP: AEPD in collaboration with APEP issues guidance on data encryption

The Spanish data protection authority (AEPD), in collaboration with the Spanish Association for the promotion of information security (ISMS Forum) and the CEDPO member, Spanish professional association of privacy (APEP), has published guidelines for the supervision of cryptographic systems as a security measure in data protection. The guidance comes in response to an increasing number of personal data breaches due to data exfiltration, device loss, or inadequately encrypted personal data communications. The document emphasizes the importance of encryption in maintaining data security and highlights the need for its proper implementation to prevent a false sense of security. It also suggests controls to help data protection officers in selecting those that may be most suitable for their task of overseeing the validation of the encryption system within a specific processing context. You can read the press release here and the guidelines here (both in Spanish).

European Union

European Commission: Public consultation on independent audits under DSA

The European Commission has initiated a public consultation on draft regulations regarding independent audits under the Digital Services Act (DSA) for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). This consultation, open until June 2, 2023, aims to gather public input before the rules are adopted by the end of the year. The draft outlines the main principles for selecting audit methodologies and procedures and further elaborates on auditing VLOPs’ and VLOSEs’ compliance with risk management and crisis response obligations. It also provides templates for public audit reports. Independent audits are crucial for assessing compliance with the DSA and are considered an important accountability tool. The first audit reports are due one year after the DSA obligations come into effect for designated VLOPs and VLOSEs. You can read the press release here.

EDPS: Opinions stress the need for strong data protection in International Agreements to fight crime

The European Data Protection Supervisor (EDPS) has issued five opinions on the European Commission’s recommendations to negotiate International Agreements for personal data exchange between Europol and the competent authorities of Ecuador, Brazil, Peru, Bolivia, and Mexico to combat serious crime and terrorism. The EDPS advises further development of data protection safeguards in these agreements, ensuring personal data protection meets EU standards. Wojciech Wiewiórowski, EDPS, emphasizes the need to consider each foreign jurisdiction’s particular circumstances, including the existence of an independent data protection authority or the accession to Convention 108 of the Council of Europe. The EDPS recommends listing specific criminal offenses and purposes for data exchange, implementing periodic reviews of data storage duration, and additional safeguards for special data categories. The EDPS also suggests excluding data obtained in violation of human rights and emphasizes the importance of control by independent authorities for protecting individuals’ data rights. You can read the press release here.

European Parliament: New step towards the first rules on Artificial Intelligence

European Members of Parliament (MEPs) are a step closer to endorsing the EU’s first rules on Artificial Intelligence (AI). The Internal Market Committee and the Civil Liberties Committee recently adopted a draft mandate on AI rules, with a focus on human oversight, safety, transparency, non-discrimination, and environmental friendliness. The proposed rules follow a risk-based approach, banning AI systems posing an unacceptable level of risk to human safety, including manipulative techniques, social scoring, and intrusive uses of AI. MEPs also expanded high-risk AI classifications and outlined transparency measures for general-purpose AI, like GPT. To promote AI innovation, exemptions for research activities and open-source AI components were added. The final endorsement of the mandate by the whole Parliament is expected during the 12-15 June session. You can read the press release here and the full compromise text here.

European Parliament: Call for a vote on EU-US Data Privacy Framework

Juan Fernando López Aguilar, Chair of the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs, has called a full parliamentary vote slated for May 11th. The vote concerns the nonbinding opinion on the proposed EU-US Data Privacy Framework and the subsequent decision on its adequacy. The Members of the European Parliament (MEPs) have been consistent in their stance since February 15th, when they drafted an opinion rejecting the new data transfer mechanism between the EU and US. Their recommendations, although nonbinding, along with those from the European Data Protection Board, will be pivotal in guiding the European Commission’s final decision on the matter. This decision holds substantial weight for the future of transatlantic data exchange and the preservation of data protection standards. The full text of the parliamentary resolution can be read here.

National Authorities

Dutch: AP raises concerns over Amsterdam’s internal privacy supervision

The Dutch data protection authority (AP) has asked councilors Van Buren (P&O) and Scholtes (ICT) to provide explanations regarding the position of their internal privacy supervisor on behalf of the College of Mayor and Aldermen of the municipality of Amsterdam. The AP is concerned about the independence of internal supervision within the municipality. By law, organizations are required to employ an internal privacy supervisor (the Data Protection Officer, DPO) who independently oversees the organization and provides advice. The AP received a signal from the Ombudsman Metropool Amsterdam that the municipality has also appointed the DPO as a so-called “privacy officer.” The person responsible for shaping the privacy policy in Amsterdam would thus also be the same person supervising its implementation independently. Combining these two roles could lead to a conflict of interest, posing potential risks to citizens’ privacy. After discussing with the councilors, the AP will decide on the necessary next steps. You can read the press release here.

Spain: 16 data protection authorities launch coordinated actions regarding ChatGPT

The Ibero-American Data Protection Network (RIPD), composed of 16 data protection authorities across 12 countries, will coordinate actions regarding the ChatGPT service by OpenAI. This unprecedented collaborative effort aims to ensure the service’s compliance with data protection standards. Concerns include the legal basis for data processing, information provided to users, exercise of data rights, third-party data transfers, age control measures, and data security. This action complements the initiatives of the European Data Protection Board (EDPB), which includes the Spanish data protection authority (AEPD). AEPD, which has already announced preliminary investigations into OpenAI for potential regulation breaches and is a member of both RIPD and EDPB, will act as a liaison between the two bodies. Read AEPD’s press release here and the RIPD’s press release here (both in Spanish).

Denmark: Datatilsynet clarifies parents’ right to access child’s data

The Danish data protection authority (Datatilsynet) has issued a clarification concerning parents’ right to access their child’s data in connection with joint custody of a child. Following an investigation into how Gribskov Municipality handled such requests, the authority emphasized that the right to access data is a personal one, even when the subject is a minor. This means children are independent holders of their own rights. However, parents can support their child in exercising this right by making requests on their behalf. Generally, a single parent can make such a request without the need for consent from the other parent. Datatilsynet stated that a requirement for both parents to normally give consent could complicate the child’s exercise of their right to access data. The ruling underscores the balance between data protection and parental oversight in the digital age. Datatilsynet notes that the European Data Protection Board is currently working on guidelines for the processing of children’s personal data and their exercise of rights under the GDPR. You can read the press release here and the full letter here (both in Danish).

Malta: IDPC launches online form for FOI complaints

The Maltese data protection authority (IDPC) has introduced an online form to simplify the process of filing a Freedom of Information Act (FOI) complaint against the decision of a public authority. This streamlined process will allow applicants to conveniently lodge complaints when their requests for access to information, as per the Freedom of Information Act, are denied. In addition, the IDPC has created a dedicated page on their website to publish full Freedom of Information decisions made by the Commissioner. Initially, this page will feature decision notices issued during the current year, but the intention is to gradually include notices from previous years as well. You can read the press release here, access the online form here, and view decision notices here.


Spain: Modifications to the Spanish Data Protection Act

The Spanish State Gazette (BOE) has announced changes to the Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (LOPDGDD). After the implementation of the General Data Protection Regulation (GDPR) and the LOPDGDD, experience has shown the need for modifications in some procedures of the Spanish data protection authority (AEPD) and its Statute. These changes are primarily due to the correction of GDPR errors, requiring the LOPDGDD to configure the warning as a non-punitive corrective measure. The increased complexity of cases handled by AEPD in sanctioning procedures also necessitates extending some resolution deadlines. Key amendments include creating a specific warning procedure, conducting investigations via digital systems, and establishing mandatory complaint submission models. These changes aim to streamline responses to citizen complaints, facilitate remote investigations, and simplify the complaint submission process. You can read the press release here and the modifications here (both in Spanish).

Israel: Publication of the Protection of Privacy Regulations on transfers from EEA

On May 7, 2023, the Protection of Privacy Regulations (Provisions Regarding Data Transferred to Israel from the European Economic Area) were officially published. These regulations were implemented to maintain Israel’s adequacy status with the European Union, a status signifying equal data protection standards between the EEA and Israel. Phased implementation will occur over the coming months and years, with the final stage scheduled for January 1, 2025. You can read the publication (in Hebrew) here.


France: CNIL imposes an overdue penalty payment on Clearview AI

On April 13, 2023, the French data protection authority (CNIL) decided to impose an overdue penalty payment of €5,200,000 on Clearview AI for failing to comply with the order issued in the sanction decision of October 2022. Clearview AI collects photographs from various websites, including social networks, and sells access to its image database through a search engine that uses facial recognition technology to find individuals based on their photographs. This service is offered to law enforcement authorities. On October 17, 2022, CNIL’s restricted committee imposed a €20 million fine on Clearview AI and ordered the company to stop collecting and processing data on individuals in France without a legal basis, and to delete their data after addressing access requests. The order included a penalty of €100,000 per day overdue if the company failed to comply within two months. As Clearview AI provided no proof of compliance, CNIL enforced the overdue penalty payment on April 13, 2023. You can read the press release here and the full decision (in French) here.

Poland: UODO imposes a fine on a housing association for lack of personal data breach notification

The Polish data protection authority (UODO) has imposed an administrative fine of nearly PLN 52,000 (equivalent to ≈ €11,500) on a housing association for failing to notify the supervisory authority of a personal data breach and for not communicating the breach to the data subject. The housing association has been ordered to inform the data subject about the breach. The breach occurred during a press conference when the housing association provided an unauthorized person with information about a dispute between the association and one of its members, including a photocopy of a notice of suspected crime with personal data such as name, surname, personal identification number (PESEL), and address. Every controller is obligated to notify the supervisory authority of a personal data breach within 72 hours, unless the breach is unlikely to pose a risk to the rights or freedoms of individuals. In this case, UODO determined that the risk was significant. You can read the press release here and the full decision (in Polish) here.

Croatia: AZOP imposes a fine on the Debt Collection Agency for multiple GDPR violations

The Croatian data protection authority (AZOP) has imposed an administrative fine of €2.26 million on the Debt Collection Agency B2 Kapital d.o.o. for multiple GDPR violations, including failure to inform data subjects about personal data processing through a privacy policy (Article 13, paragraph 1), not concluding a personal data processing contract with a data processor for the service of monitoring simple consumer bankruptcy (Article 28, paragraph 3), and not applying appropriate technical and organizational protection measures (Article 32, paragraph 1 points b) and d) and paragraph 2). These violations endangered the security of at least 132,652 data subjects’ personal data, including financial information. The investigation began in December 2022 after an anonymous complaint about unauthorized data processing was received, with an attached USB stick containing personal data of 77,317 natural persons with outstanding debts, which were purchased by the Debt Collection Agency based on the cession agreement. AZOP found deficiencies in the data controller’s security system, leading to insecure processing of personal data on a large scale, and a lack of cooperation from the data controller during the investigation. You can read the press release here.