Data Protection Weekly 2/2024

Jan 15, 2024


CEDPO’s upcoming webinar on the global approaches to AI regulation

The Confederation of European Data Protection Organisations (CEDPO) is hosting an online webinar titled “One Technology, Many Perspectives: Global Approaches to AI Regulation”. Scheduled for 18 January 2024, this event will explore the varying global perspectives on AI regulation, focusing particularly on the impact on data protection. Experts from the US, the UK, and the EU, including Chris Eastham, John Ghose, and Dr. Maria Moloney, will discuss the diverse legal frameworks governing AI. They aim to address the vital question: what constitutes optimal AI regulation? Held via Zoom, this webinar promises to offer invaluable insights into the complex world of AI regulation and its impact on data protection. The webinar will be recorded for those unable to attend live. You can read more about it here and register here.

European Union

European Commission: Call for evidence on GDPR application

The European Commission is preparing a report on the General Data Protection Regulation (GDPR), six years after its implementation. This initiative, a follow-up to the 2020 report, aims to assess the application of GDPR. Currently, the Commission is seeking public feedback until 8 February 2024, encouraging contributions to refine this initiative. The feedback will be publicly available. This call for evidence represents an important step in evaluating and potentially enhancing data protection standards in the EU. You can read more about it here.

European Commission: European Data Act comes into force

On 11 January 2024, the European Data Act, a landmark piece of legislation defining rights for accessing and using data generated within the EU, officially came into force. This act aims to establish fairness in the digital environment, particularly concerning data creation and usage. It is set to unlock industrial data, fostering a competitive and innovative data market. The act empowers users to control data from their connected devices and ensures the protection of trade secrets and privacy rights. It enables access to device-generated data, promoting consumer control and aftermarket services innovation, while protecting manufacturers’ investments and trade secrets. Additionally, it allows public sector data access for emergencies and legal mandates, protects European businesses against unfair data sharing contracts, and facilitates cloud provider switching. The act also includes measures against unlawful third-country data requests and promotes interoperability standards for data-sharing. It will become applicable on 11 September 2025, in line with the EU’s 2030 Digital Decade objectives and complementing the Data Governance Act. You can read the press release here.

EDPS: Publication of opinion on EU-Japan economic partnership on data free flow

The European Data Protection Supervisor (EDPS) issued an opinion on the protocol amending the EU-Japan Economic Partnership Agreement, specifically regarding the free flow of data. The EDPS acknowledges Japan’s previous adequacy finding by the Commission, allowing personal data transfer without further authorisation. The opinion highlights concerns about the necessity of further negotiations on data flows despite this adequacy decision. The EDPS welcomes the protocol’s commitment to personal data protection in electronic commerce, yet notes the protocol’s deviation from the EU’s horizontal provisions for cross-border data flows and personal data protection. This deviation could create legal uncertainty and potential conflicts with EU data protection law. The EDPS suggests amendments to align the protocol with the horizontal provisions, ensuring the protection of personal data and privacy, including rules for cross-border data transfer. The EDPS’s recommendations aim to maintain the balance between public and private interests and uphold the high level of data protection guaranteed by EU law. You can read the full opinion here.

National Authorities

France: CNIL launches public consultation on draft guide for Transfer Impact Assessments

The French data protection authority (CNIL) is conducting a public consultation on a draft guide for Transfer Impact Assessments (TIA) until 12 February 2024. This initiative follows the “Schrems II” ruling by the Court of Justice of the European Union, emphasising the responsibility of data exporters in the EEA to ensure the same level of data protection as the GDPR when transferring personal data to third countries. The guide aims to assist organisations in conducting TIAs, which are mandatory for data transfers based on Article 46 transfer tools. The draft guide, aligned with European Data Protection Board recommendations, includes a six-step methodology for evaluating data protection levels in the destination country and identifying necessary supplementary measures. The CNIL encourages participation from a wide range of stakeholders in this consultation to refine the guide, which will be published on its website later in 2024. The consultation welcomes responses from individuals and from public and private entities; responses may also be submitted collectively through federations or associations. You can read the article here.

Spain: AEPD releases a guide on managing children’s first mobile phone

The Spanish data protection authority (AEPD) has released a guide titled ‘La Guía que no viene con el móvil’, aimed at parents preparing their children for their first mobile phone. Developed in collaboration with UNICEF, this guide presents a decalogue of essential advice focusing on dialogue, ongoing support, and imparting valuable knowledge and values for responsible technology use. The guide underscores the importance of planning for a child’s first mobile, assessing their maturity, and possibly using a family contract to set mutual commitments. It highlights the challenges of supervising and limiting smartphone use to prevent it from interfering with other activities like homework and physical interaction. The AEPD stresses the significance of guiding children through the internet and social networks, educating them about potential dangers, and managing their digital social interactions. Attention to the physical and mental well-being of children, especially regarding their emotional responses after intensive use of social networks, is also emphasised as crucial. You can read the article here and the full guide here (both in Spanish).

Spain: AEPD publishes new guide on audience measurement cookies

The Spanish data protection authority (AEPD) has issued a new guide detailing the use of cookies for audience measurement tools. This guide outlines the conditions under which cookies can be exempted from the consent requirement. Specifically, cookies used for obtaining traffic or performance statistics may be exempt from consent if their purpose is strictly limited to measuring the audience of a site or app, without cross-referencing or transmitting data to third parties. The AEPD specifies that only certain measurements, such as page-by-page audience measurement and statistics on user actions, are strictly necessary for a website’s operation. Furthermore, the guide sets out minimum guarantees for using exempt cookies, including informing users about their use and limiting their lifespan to 13 months. For publishers using third-party audience measurement services, additional safeguards are required, including contractual commitments with providers to restrict data usage and comply with the GDPR, especially for data transfers outside the European Union. This comprehensive guide aims to align cookie usage with data protection regulations while respecting user privacy. You can read the full guide here (in Spanish).

Luxembourg: CNPD launches external whistleblowing channel

Luxembourg’s data protection authority (CNPD) has established an external whistleblowing channel as part of its role as one of 22 designated authorities under the whistleblowing legislation. This tool enables individuals, whether employees or not, to confidentially report serious concerns about potential violations of personal data protection laws. The CNPD emphasises the confidentiality of the reporting process, assuring that information is shared only on a need-to-know basis and allowing for anonymous reporting. Furthermore, organisations are expected to respond responsibly to data security concerns, with the CNPD collaborating with other competent authorities to investigate and ensure appropriate remedial actions. This initiative aims to strengthen data privacy and security compliance, encouraging individuals to report any data privacy or security violations they have witnessed or experienced. You can read the press release here (in French).

Norway: Datatilsynet publishes a new three-year strategy for 2024-2026

Norway’s data protection authority (Datatilsynet) has launched a new three-year strategy, running until 2026, under the vision “Together for human dignity and trust in digital Norway”. This strategy emerges amidst Norway’s digital transformation, aiming to ensure the protection of citizens’ privacy during this change. The strategy comprises four key areas focusing on the best possible personal data protection for society, businesses, and individuals. Emphasising the importance of dialogue and communication, and of efficient case handling and supervision, the strategy was developed with input from over 160 public and private entities, reflecting on the challenges and opportunities in data protection. Additionally, it draws on over 5,000 annual inquiries to its guidance service and on individual complaint cases, providing insight into public concerns and the areas where privacy is most at risk. The strategy also sets out Datatilsynet’s roles and values and an analysis of the external environment, placing the strategy in its current societal context. You can read the press release here and the full strategy here (both in Norwegian).

Denmark: Datatilsynet highlights 10 common data breaches and prevention strategies

The Danish data protection authority (Datatilsynet) has highlighted 10 typical data breaches, providing specific recommendations to prevent such incidents. The Datatilsynet receives hundreds of data breach notifications weekly, many involving accidental exposure or sharing of personal data with unauthorised parties. These breaches often follow similar patterns and could likely be avoided with appropriate security measures. The Datatilsynet emphasises the importance of continuously assessing and updating security measures, both technical and organisational, to protect personal data effectively. Examples of common breaches include sending emails to the wrong recipient due to similar names or unintentional exposure of protected addresses due to system flaws. The guidance targets employees who can influence organisational policies, training, awareness activities, and IT setups. However, anyone regularly handling digital personal data can benefit from understanding these scenarios, as they represent a significant portion of the weekly breaches reported to the Datatilsynet. You can read the press release here and the full recommendations here (both in Danish).


Noyb launches complaint against Meta over consent withdrawal process

The digital rights organisation noyb has initiated a complaint against Meta, focusing on the difficulties users face when trying to withdraw consent for tracking on Instagram and Facebook. Highlighting a significant GDPR compliance issue, noyb points out that while consenting to tracking is a simple, free process, withdrawing consent involves subscribing to a costly service, up to €251.88 per year. This practice seems to contravene the GDPR, which mandates that withdrawing consent should be as straightforward as giving it. The complaint follows a recent ruling by the European Court of Justice, which found Meta’s handling of user data illegal, and a prior noyb complaint about the consent phase of Meta’s “pay or okay” system. Noyb’s action, filed with the Austrian data protection authority, underscores ongoing concerns about big tech’s adherence to European data protection laws and the enforcement of users’ rights under GDPR. You can read the press release here.


UK: ICO fines HelloFresh £140,000 for unsolicited marketing

The UK data protection authority (ICO) has imposed a £140,000 fine on HelloFresh for sending 79 million spam emails and 1 million spam texts over seven months. The investigation, initiated in March 2022 following public complaints, revealed that HelloFresh’s opt-in statements were misleading. The email consent was ambiguously bundled with an age confirmation, while SMS marketing was not mentioned at all. Additionally, customers were unaware that their data would be used for marketing up to 24 months post-subscription cancellation. This breach of the Privacy and Electronic Communications Regulations 2003 led to the fine. Andy Curry, ICO’s Head of Investigations, emphasised the significance of protecting customer data rights and the importance of clear consent. This case highlights the ICO’s commitment to enforcing data protection laws and its responsiveness to public complaints. You can read the press release here.

France: CNIL fines NS CARDS FRANCE €105,000 for GDPR and cookies breaches

On 29 December 2023, the French data protection authority (CNIL) imposed a €105,000 fine on NS CARDS FRANCE, citing violations related to cookies, tracers, and multiple breaches of the GDPR. These infringements included improper data retention periods, inadequate user information, and subpar data security. NS CARDS FRANCE, known for its website and “Neosurf” app, faced scrutiny after CNIL’s 2021 inspections revealed concerns over extended data retention, insufficient privacy policy details, weak password protocols, and unencrypted password storage. Additionally, the use of Google Analytics cookies and the reCAPTCHA mechanism, without users’ consent, affected several hundred thousand people, and constituted significant violations. The fine reflects the nature of the breaches, the negligence shown by the company, the categories of personal data (including bank details), the number of people concerned and the company’s financial situation. You can read the press release here and the full decision here (in French).

Romania: ANSPDCP fines Alior Bank for unlawful data processing

The Romanian data protection authority (ANSPDCP) concluded an investigation into Alior Bank SA’s Romanian branch, Alior Bank SA Warsaw – Bucharest Branch, uncovering GDPR violations, specifically of Article 5(1)(a) and (b) and Article 6. The bank was penalised with a fine of LEI 84,491.7 (approximately €17,000). The investigation was initiated following a complaint by a former client who received unsolicited emails and texts after requesting deletion of their personal data. The investigation, conducted with input from the Polish data protection authority, revealed that after the contract was terminated, Alior Bank SA continued monitoring the client’s activities and sending messages, processing personal data such as email addresses and phone numbers for purposes incompatible with the original purpose of collection, in breach of the GDPR. Consequently, the Romanian branch was fined and ordered to regularly monitor compliance with GDPR principles to prevent unlawful data processing. Any necessary system or application reconfigurations must be communicated to Alior Bank SA in Poland for proper implementation of GDPR principles. You can read the press release here (in Romanian).