Data Protection Weekly 2/2023

Jan 13, 2023

European Union

Court of Justice of the European Union: Anonymised references for preliminary rulings lodged from 1 January 2023 to be allocated a fictional name

This measure seeks to facilitate the designation and identification of cases that have been anonymised for reasons relating to the protection of personal data.

From 1 January 2023, all new anonymised cases involving proceedings between natural persons […] or proceedings between natural persons and legal persons that do not have a distinctive name, are to be allocated a fictional name suggested by a computerised automatic name generator. Read press release here.

Court of Justice of the European Union: Every person has the right to know to whom his or her personal data have been disclosed

The Court has replied that “where personal data have been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject, on request, with the actual identity of those recipients. It is only where it is not (yet) possible to identify those recipients that the controller may indicate only the categories of recipient in question. That is also the case where the controller demonstrates that the request is manifestly unfounded or excessive.” Read press release here.

European Data Protection Board: Facebook and Instagram decisions: “Important impact on use of personal data for behavioural advertising”

You can now check out the Binding Decisions concerning Facebook and Instagram on the EDPB website. These decisions have a crucial impact on the use of personal data for behavioural advertising. See the overview on the EDPB website here.

AI Act: MEPs want fundamental rights assessments, obligations for high-risk users

The European Parliament’s co-rapporteurs circulated new compromise amendments to the Artificial Intelligence (AI) Act proposing how to carry out fundamental rights impact assessments and other obligations for users of high-risk systems. The new compromise was circulated on Monday (9 January) to be discussed at a technical meeting this week. It is one of the last batches to complete the first review of the AI Act. The full story can be read here.

National Authorities

Germany: Celle Higher Regional Court interprets rights to information and copying broadly

In a recent ruling dated 15.12.2022 (Case No. 8 U 165/22), the Higher Regional Court (OLG) Celle adopts a broad interpretation of the rights to information and to a copy under Article 15 of the GDPR. In the opinion of the OLG Celle, an access request neither needs to be justified by the data subject nor is it bound to a specific purpose; purposes alien to data protection may also be pursued. In addition, the OLG Celle adopts an extensive interpretation of the right to a copy under Article 15(3) of the GDPR: in principle, the controller must provide the data subject with all personal data relating to him or her. Since the GDPR obliges the controller to provide a copy of the personal data, the access request in this case also covers a copy of the insurance policy and its supplements in favour of the plaintiff. Read judgment (in German) here.

Germany: Deletion or archiving?

The Bavarian State Commissioner for Data Protection and the Directorate General of the Bavarian State Archives publish joint working paper.

The paper is focused on controllers in the public sector and explains the relationship between the obligation to delete data under data protection law and the obligation to offer data to the archives under archiving law. It characterises archiving as a surrogate for deletion, considers the respective perspectives of data protection and archiving law, and addresses the question of the retention period. Read press release (in German) here.

Spain: AEPD announces registration of over 100,000 DPOs in its public registry

The Spanish Agency for Data Protection (AEPD) has exceeded 100,000 data protection officers (DPOs) registered in its public DPO registry across private and public organisations. Of these, 91,221 correspond to the private sector and 9,129 to the public sector (182 from the General State Administration, 433 from Autonomous Communities, 4,537 from Local Entities and 3,977 from other public-law bodies). The full AEPD press release (in Spanish) can be found here. The public DPO registry is open, accessible and searchable by citizens, and can be found here.

Global

Microsoft will add AI to Office applications to help with writing texts

[…] Last week, reports surfaced online that Microsoft could use OpenAI’s AI bot ChatGPT to provide Bing search results in natural language instead of a list of links. According to both former and current employees, the company’s plans could include integrating the same tools into the Microsoft 365 office suite to improve its productivity. A source told The Information that the company has been developing personalized tools for creating emails and documents and developing machine learning methods based on customer data for more than a year.

[…] The necessary data protection must also be guaranteed so that AI can be configured securely for individual customers without the risk of unauthorized access to their data. Microsoft is working on privacy protection methods for OpenAI GPT-3 (Generative Pre-trained Transformer 3) and GPT-4 natural language processing algorithms, the source said. Read full article here.

EU leaders warn TikTok over privacy issues

European Commission officials on Tuesday warned TikTok’s CEO to respect EU laws and work on “regaining [the] trust of European regulators,” as the Chinese-owned firm faces growing criticism over privacy.

“I count on TikTok to fully execute its commitments to go the extra mile in respecting EU law and regaining [the] trust of European regulator,” said European Commission Vice President Věra Jourová in a statement after meeting with TikTok chief Shou Zi Chew in Brussels.

Jourová said there could not be “any doubt that data of users in Europe are safe and not exposed to illegal access from third-country authorities.” Read full story on Politico here.

European carriers file to create joint venture for opt-in ad targeting of mobile users

European telcos are moving ahead with a plan to create a joint venture to offer opt-in “personalized” ad targeting of regional mobile network users following trials last year in Germany, although it remains to be seen whether European Union regulators will sign off on the plan.

[…] The telco ad-targeting proposal quickly landed on the radar of a privacy watcher, who raised concerns about the legal basis for processing mobile users’ data for ads.

[…] The project also faced some early attention from data protection authorities in Germany and Spain. Read full article here.

Google users not given sufficient choice over its data processing, says German antitrust watchdog

The Bundeskartellamt, or Federal Cartel Office (FCO), has been investigating Google’s T&Cs for processing user data since May 2021. The FCO has reached the preliminary conclusion that, based on the current terms, users are not given sufficient choice as to whether and to what extent they agree to this far-reaching processing of their data across services. The choices offered so far, if any, are, in particular, not sufficiently transparent and too general. In a press release the FCO stated that users need to be able to limit the processing of data to specific services used, and differentiate between the purposes for which the data are processed. Additionally, user choices offered must be explicit and designed to offer users clear and genuine consent options.

The full story can be read here and the FCO press release (in German) here.

Severe API security flaws affect millions of vehicles from 16 car manufacturers, including BMW, Mercedes and Toyota

“Hackers could remotely control, track, and transfer vehicles and leak personal information from over a dozen car manufacturers, including Mercedes-Benz, Ferrari, Porsche and Toyota, by leveraging new API security flaws.

According to security researcher Sam Curry and his friends, an attacker could remotely honk, flash, remotely track, lock or unlock, and start or stop vehicles after discovering the API vulnerabilities affecting the vehicle telematics service. Additionally, they could compromise millions of car manufacturers’ and dealers’ accounts, gain administrative access to internal systems, take over fleets, and access customer and employee information.” Read full article here.

Meta alleges surveillance firm collected data on 600,000 users via fake accounts

“Meta has sued to block a surveillance company from using Facebook and Instagram, alleging the firm, which has partnered with law enforcement, created tens of thousands of fake accounts to collect user data.

A complaint filed on Thursday asks a judge to permanently ban Voyager Labs from accessing Meta’s sites and comes after a Guardian investigation revealed the company had partnered with the Los Angeles police department (LAPD) in 2019 and claimed that it could use social media information to predict who may commit a future crime.” Read Guardian article here.

Fines

Finland: Finnish SA imposes administrative fine on Viking Line for unlawful processing of employees’ health data

An administrative fine of EUR 230,000 was imposed on Viking Line for several violations of data protection legislation. The company was also reprimanded. The Finnish SA ordered the company to correct its practices and inform its employees of the processing of their personal data as required by the GDPR. Read article at EDPB here.

France: Cookies: the CNIL fines TIKTOK 5 million euros

On 29 December 2022, the CNIL sanctioned the social network TIKTOK for a total amount of 5 million euros for two reasons: users of “tiktok.com” could not refuse cookies as easily as they could accept them, and they were not informed in a sufficiently precise manner of the purposes of the different cookies. […] The CNIL body responsible for issuing sanctions considered that TIKTOK […] had failed to comply with the obligations set out in Article 82 of the French Data Protection Act.

Read the full article on CNIL website here.