Data Protection Weekly 19/2024

May 28, 2024

European Union

CJEU: European Parliament must give access to information relating to a MEP who has been convicted in a court of law

The Court of Justice of the European Union (CJEU) rules in Case T-375/22 that the European Parliament must disclose documents relating to travel reimbursements and subsistence allowances for Ioannis Lagos, a Member of the European Parliament (MEP) convicted of serious crimes. Lagos, who was sentenced to 13 years and 8 months in prison, continued to receive parliamentary allowances despite his conviction and imprisonment. Three citizens requested access to documents on these allowances to determine whether public funds were used unlawfully. The Parliament refused, citing privacy regulations, but the Court ruled that public interest in transparency prevails. The ruling emphasises the public’s right to scrutinise the use of funds allocated to Lagos and his assistants. However, the Court upheld the refusal to disclose documents containing personal salary information, as this data is already publicly accessible. You can read the press release here and the full decision here.

EDPB: Publication of interim report on ChatGPT investigations

The European Data Protection Board (EDPB) has released an interim report detailing the ongoing investigations into OpenAI’s ChatGPT service, carried out by a dedicated taskforce established in April 2023. The report addresses key issues regarding the compliance of ChatGPT with the GDPR. Initial findings indicate that OpenAI’s collection of training data, including the use of web scraping, raises significant concerns about the protection of personal data. The EDPB highlights the need for OpenAI to ensure lawfulness, fairness, and transparency in its processing activities, emphasising the importance of informing users about the use of their inputs for training purposes. The report also stresses the necessity of implementing measures to ensure data accuracy and the proper exercise of data subject rights. Ongoing investigations will continue to assess these aspects, with the final results yet to be determined. The full report is available here.

EDPB: Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports

The European Data Protection Board (EDPB) has issued an Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports. The Opinion, requested by the French data protection authority, highlights the sensitive nature of biometric data and the potential risks, such as false negatives, bias, and identity fraud. The EDPB underscores that individuals should have maximum control over their biometric data and recommends less intrusive methods when possible. It assesses the compatibility of various storage solutions with GDPR principles, finding that only those storing data either solely in the hands of individuals or in a central database with encryption keys controlled by individuals meet integrity and confidentiality standards. Centralised storage without individual encryption keys does not comply with GDPR requirements. Only passengers who consent should have their biometric data processed. You can read the press release here and download the full Opinion here.

EDPS: Plan for Artificial Intelligence in the EU institutions unveiled

The European Data Protection Supervisor (EDPS) has unveiled its plan to supervise the implementation of the EU’s Artificial Intelligence Act, which will soon come into effect. The EDPS will focus on governance, risk management, and supervision to ensure the responsible use of AI within EU institutions. The AI Act aims to balance innovation with safeguards, addressing risks such as exploitation of vulnerable groups. The EDPS will facilitate collaboration among EU institutions, fostering a multilateral approach to AI governance. Internal mechanisms like AI boards and task forces are being established to guide AI development. Risk management will involve identifying, assessing, and categorising AI-related risks, with common checklists and guidelines proposed. Accountability will be ensured through complaint procedures, data protection rights processes, and mechanisms to supervise and sanction misuse of AI. Additional resources are deemed necessary to support these efforts, positioning the EU as a global standard-setter for ethical AI use. You can read the full article here.

EDPB: Launch of French and German versions of data protection guide for small business

The European Data Protection Board (EDPB) has released French and German versions of its Data Protection Guide for small businesses (SMEs). This guide offers practical information on GDPR compliance and its benefits, presented in a clear and accessible manner. Aimed at providing non-expert audiences with essential data protection knowledge, the guide is a strategic initiative by the EDPB to enhance accessibility and understanding. It covers a wide range of GDPR-related topics, including data protection basics, data subject rights, and measures to secure personal data. The guide is enriched with videos, infographics, interactive flowcharts, and other practical materials to support SMEs in achieving GDPR compliance. The EDPB plans to expand the guide’s availability to 15 more European languages in the near future. You can read the press release here and access the guide here.

Council of the EU: Adoption of conclusions for a more cyber secure and resilient Union

The Council of the EU has approved conclusions outlining the future direction for cybersecurity within the Union, emphasising the need for a robust and resilient digital landscape. Highlighting the increasing complexity and scale of cyber threats, the conclusions stress the necessity for proactive measures and international cooperation. Key priorities include implementing harmonised standards, enhancing supply chain security, supporting SMEs, and ensuring adequate funding. The Council also calls for improved coordination, clearer roles in the cyber domain, and a revised cyber crisis management framework. A multistakeholder approach, involving private sector and academic collaboration, is encouraged to bridge the skills gap and attract private capital. Additionally, the importance of an active international policy, particularly with transatlantic partners, is underscored. The Council invites the European Commission and the High Representative to present a revised cybersecurity strategy in response to the evolving threat landscape. You can read the press release here.

Council of the EU: Adoption of conclusions on the future of EU digital policy

The Council of the EU has approved conclusions on the future of EU digital policy, outlining key priorities for the upcoming legislative cycle. These priorities emphasise the need for a secure, inclusive and people-centred digital transformation that drives innovation, economic growth and sustainability, while respecting democracy and human rights. The conclusions underline the importance of a common European approach to digital technologies, balancing innovation, regulatory burden and economic security. Efficient implementation of existing legislation with minimum administrative burden is a key priority. The Council also underlines the need for a trustworthy online environment, to align digital transformation with the green transition, and to bridge the digital skills gap, especially for women. Strengthening secure digital infrastructure is also highlighted. The document emphasises a proactive EU role in global digital governance and welcomes the strengthening of international digital partnerships and trade agreements. You can read the press release here and the full conclusions here.

European Commission: EU urged to reinforce cybersecurity skills

A recent Eurobarometer survey reveals a growing cybersecurity skills shortage in the EU, aligning with findings from the ENISA foresight report. The survey highlights significant challenges, with 74% of companies not providing cybersecurity training and 68% believing no further training is necessary. The lack of qualified candidates, awareness, and budget constraints are major hurdles in hiring cybersecurity professionals. In response, the European Commission launched the Cybersecurity Skills Academy to enhance training and certification efforts across the EU. The Academy aims to bridge the skills gap through collaboration between public and private sectors. The Commission has allocated substantial funding, including 10 million EUR in 2024, to support training programmes, with more funding opportunities expected in autumn. You can read the press release here and the full survey here.

European Commission: Call on 18 Member States to comply with the EU Data Governance Act

The European Commission has initiated infringement procedures against 18 Member States for not designating the responsible authorities to implement the Data Governance Act or failing to empower them adequately. The countries involved include Belgium, Czechia, Germany, Estonia, Greece, France, Italy, Cyprus, Latvia, Luxembourg, Malta, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, and Sweden. The Data Governance Act, effective since 24 September 2023, aims to enhance data sharing across sectors and countries, ensuring trust through strict rules for data intermediaries and promoting data altruism. Authorities are tasked with registering data altruism organisations and monitoring compliance. The Commission’s letter gives the Member States two months to address the issues; otherwise, a reasoned opinion may follow. You can read the press release here.

European Commission: High-Level Group for the Digital Markets Act aligns AI development with DMA objectives

On 22 May 2024, the High-Level Group for the Digital Markets Act (DMA) met in Brussels, agreeing to coordinate efforts to align AI development with DMA objectives. They adopted a public statement on AI and established a sub-group to focus on AI discussions. This sub-group will monitor policy developments, explore the DMA’s interactions with other regulations, share enforcement experiences, and ensure consistent regulatory approaches. The DMA aims to maintain fair digital markets, particularly targeting large platforms acting as gatekeepers. The High-Level Group, including representatives from bodies like BEREC, EDPB, EDPS, ECN, CPC Network, and ERGA, advises the Commission to ensure cohesive implementation of the DMA and other regulations, and offers expertise on market investigations. You can read the press release here and the full statement here.

Supervisory Authorities

Luxembourg: CNPD launches AI sandbox

The Luxembourg data protection authority (CNPD) has launched a regulatory sandbox called “Sandkëscht” focused on artificial intelligence (AI), addressing privacy and data protection concerns due to AI’s rapid advancement. This controlled digital environment allows innovators in Luxembourg to test AI systems temporarily before market release, ensuring compliance with the GDPR and protecting personal data. The initiative promotes responsible technology development and provides a deeper understanding of the legal implications. Interested parties must meet specific criteria and can apply from 14 June 2024. More information about the “Sandkëscht” programme can be found here (in French).

Poland: UODO invites feedback on data protection guides

The Polish data protection authority (UODO) is seeking public feedback on two of its data protection guides to ensure they remain relevant and effective. The consultation marks six years since the implementation of GDPR and aims to update the guides in response to current challenges. Stakeholders, including businesses, institutions, and the public, are encouraged to submit their comments by 21 June 2024. The guides under review are “Data Protection in the Workplace: A Guide for Employers” from 2018 and “How to Handle Data Protection Breaches” from 2019. UODO will analyse all feedback and incorporate relevant suggestions into revised guides. Feedback will be published on UODO’s website, attributing authorship where permission is given. You can read the press release here (in Polish).

Cyprus: Cypriot DPA releases data on six years of GDPR enforcement

The Cypriot Data Protection Authority (DPA) has released comprehensive data reflecting six years of GDPR enforcement. Since the GDPR’s implementation on 25 May 2018, aimed at harmonising data protection laws across the European Economic Area, the Cypriot DPA has managed 2585 complaints, including 746 concerning unsolicited advertising messages, 494 data breach notifications, and 112 impact assessments. The DPA conducted 506 investigations, issued 299 decisions, and imposed fines totalling €1,561,100. It reviewed 261 legislative proposals related to personal data processing and responded to 2002 citizen and organisational inquiries. The announcement also marks the first anniversary of the Cypriot DPA’s vice-presidency in the European Data Protection Board (EDPB). This position has enhanced active participation in key decision-making processes and cross-border case coordination. You can read the press release here (in Greek).

Fines

UK: PSNI faces £750k fine after spreadsheet error exposes workforce data

The Police Service of Northern Ireland (PSNI) is facing a £750,000 fine for a data breach that exposed personal information of its entire workforce. The breach occurred when a spreadsheet published online in response to a freedom of information request included a hidden tab containing details of 9,483 PSNI officers and staff, such as surnames, initials, ranks, and roles. The UK data protection authority (ICO) investigation found PSNI’s internal procedures and sign-off protocols for data disclosure inadequate. John Edwards, the Information Commissioner, highlighted the severe impact of this error, noting many affected individuals experienced significant distress, including having to relocate or sever ties with family. The ICO emphasised that proper policies could have prevented this incident. Despite the fine being reduced to £750,000 to avoid diverting public funds from essential services, PSNI must still improve its data security practices. Had the public sector approach not been applied, this provisional fine would have been set at £5.6 million. You can read the press release here.

UK: ICO concludes Snap ‘My AI’ chatbot investigation

The UK Supervisory Authority (ICO) has completed its investigation into Snap Inc.’s ‘My AI’ chatbot, launched for Snapchat+ subscribers in February 2023 and made available to all users in April 2023. The inquiry, initiated in June 2023, centred on concerns that Snap had not adequately assessed data protection risks. Following a Preliminary Enforcement Notice issued in October 2023, Snap undertook significant steps to improve its risk assessment processes, satisfying the ICO’s requirements. The ICO’s Executive Director of Regulatory Risk, Stephen Almond, emphasised the importance of addressing data protection proactively when developing generative AI technologies. He warned that the ICO would continue to monitor risk assessments and utilise its enforcement powers to protect public privacy rights. The ICO also announced ongoing consultations to refine the application of data protection laws to generative AI. The final decision on this case will be published soon. You can read the press release here.

Denmark: Datatilsynet closes Netcompany investigation

The Danish data protection authority (Datatilsynet) has decided not to pursue further investigation into the possible leak of source code from Netcompany. Following media reports in February, Datatilsynet posed several questions to Netcompany to determine if the incident fell under GDPR and other data protection regulations. After reviewing Netcompany’s responses, Datatilsynet concluded that there is currently no basis for further action. This decision is based solely on aspects within Datatilsynet’s mandate, primarily concerning the processing of personal data. Additionally, Datatilsynet has been in contact with the Danish Business Authority and the Development and Simplification Agency, both of which reported data security breaches related to this case. However, these aspects will also remain on hold. Datatilsynet has received multiple requests for access to Netcompany’s responses, but is largely prevented from disclosing information due to an ongoing criminal case with the Copenhagen Police. You can read the press release here (in Danish).