Data Protection Weekly 20/2023

May 19, 2023

 European Union

EDPB: Adoption of final guidelines on facial recognition technology for law enforcement

The European Data Protection Board (EDPB) has adopted its final version of the Guidelines on facial recognition technology in law enforcement. The guidelines aim to provide direction to EU and national lawmakers, as well as law enforcement authorities, on the implementation and use of facial recognition systems. These guidelines stress that such technology should strictly comply with the Law Enforcement Directive (LED), only being used if necessary and proportionate, as per the Charter of Fundamental Rights. The EDPB reiterates its call for a ban on facial recognition technology in certain cases, echoing its joint opinion with the European Data Protection Supervisor on the proposal for an Artificial Intelligence Act. The guidelines were updated following a public consultation, with further clarifications added. You can read the press release here and download the full guidelines here.

Council of the EU: Adoption of Anti-Money Laundering rules on crypto asset transfers

In an effort to curb criminal misuse of cryptocurrencies, the Council of the European Union has adopted new rules, making crypto asset transfers traceable. These updated regulations mandate crypto asset service providers to gather and provide data on the sender and recipient of all transactions, irrespective of the transaction volume. This move extends the scope of anti-money laundering rules to encompass crypto transactions and aims to enhance financial transparency on crypto exchanges. Additionally, this decision is part of a broader legislative package intended to fortify the EU’s anti-money laundering and counter-terrorism financing measures. As Sweden’s Minister of Finance, Elisabeth Svantesson, remarked, the new rules significantly undermine the utility of crypto-assets for illegal activities within the EU. You can read the press release here and the full regulation here.

Council of the EU: Adoption of new rules on markets in crypto-assets (MiCA)

The Council of the European Union formally adopted a regulatory framework for crypto-assets, issuers, and service providers known as Markets in Crypto-Assets (MiCA). The new rules enhance transparency and provide comprehensive oversight over issuers and service providers, including those involved with utility tokens, asset-referenced tokens, ‘stablecoins’, trading venues, and digital wallets. Sweden’s Finance Minister, Elisabeth Svantesson, says MiCA aims to protect investors, ensure financial stability, promote innovation, and increase the appeal of the crypto sector. Moreover, it establishes a harmonized regulatory structure across the EU, a significant advancement given the global nature of crypto markets. MiCA forms part of a larger digital finance package intended to foster technological development and secure financial stability and consumer protection. You can read the press release here and the full regulation here.

National Authorities

France: CNIL publishes an action plan on Artificial Intelligence

In response to recent developments in artificial intelligence (AI), particularly generative AIs like ChatGPT, the French data protection authority CNIL has published an action plan aimed at the deployment of AI systems that respect individual privacy. The organization, which has been working to anticipate and address the challenges posed by AI for several years, plans to extend its efforts to augmented cameras in 2023 and expand its focus to include large language models and their applications, such as chatbots. The action plan revolves around four main areas: understanding the operation and impacts of AI systems, enabling and regulating the development of privacy-respecting AIs, fostering and supporting innovative players in the AI ecosystem in France and Europe, and auditing and controlling AI systems to protect individuals. These efforts will also facilitate the implementation of the proposed European AI regulation, currently under discussion. You can read the full article here.

Germany: Effect of CJEU ruling in Case C-34/21 on employee data protection law in Germany

On 30 March 2023, the European Court of Justice (ECJ) ruled in case C-34/21 on the requirements for an implementation of employee data protection law in Hesse that complies with European law. In its judgment, the ECJ formulates high requirements for national regulations adopted based on the enabling clause of Article 88 of Regulation (EU) 2016/679 (GDPR). The reasons for the decision suggest that the provision of Section 23(1) sentence 1 of the Hessian Data Protection and Freedom of Information Act and Section 86(4) of the Hessian Civil Service Act do not meet these requirements. The ECJ’s decision is of great importance nationwide because, based on the ECJ’s findings, legislators must, if they have not already done so, examine whether existing regulations on employee data protection in Germany comply with the requirements of Article 88 of the GDPR. Read the DSK resolution of 11 May here.

Dutch: AP requests clarification from five municipalities over fraud detection algorithm           

The Dutch data protection authority (AP) has requested clarification from five municipalities regarding their use of the “fraud scorecard” algorithm. This algorithm evaluates potential fraud risks among individuals receiving social assistance. It provides a risk score based on personal characteristics such as profession, neighborhood, and education level. Despite a previous court ruling and a request from the Association of Dutch Municipalities to stop using this system, it appears these municipalities continued to use the algorithm until critical media reports emerged. The municipalities have been given two months to report their practices to the AP, including the advice they received from their independent internal data protection officer and whether citizens have suffered financial damage. This scrutiny comes as part of the AP’s mandate to monitor algorithms, counteract discrimination, and promote transparency. You can read the press release (in Dutch) here.

France: CNIL assesses the impact of its action plan on cookies

According to a report, CNIL’s action plan on cookies (2020-2022) aimed at facilitating compliance with new rules, ensuring the rules are well understood by internet users. Surveys carried out between December 2019 to June 2022 showed a strong impact of this plan with increased knowledge about cookie regulations among the French population. However, a majority still believes information on advertising ecosystem companies is insufficient or non-existent. Notably, the rate of cookie rejection rose over the period, with 39% of the surveyed population refusing cookies in June 2022 compared to less in November 2020. The analysis also highlighted the practices of the top 1,000 websites in France, where the rate of websites placing more than six third-party cookies fell from 24% to 12% between January 2021 and August 2022. Alongside these efforts to ensure compliance, the CNIL has demonstrated its commitment to enforcing the rules, issuing significant fines to major tech companies, including Google, Facebook, and Amazon, for violations of cookie rules. You can read the article here and the full report here (both in French).

Global

ICCL report: EU Big Tech enforcement reaches crisis point ahead of GDPR’s 5-year anniversary

The General Data Protection Regulation (GDPR) is failing to enforce against Big Tech, nearly five years since its implementation, as per a report from the Irish Council for Civil Liberties (ICCL). The Irish Data Protection Commission (DPC) has concluded only eight major investigation cases since the GDPR’s implementation in 2018, repeatedly being overruled by the European Data Protection Board (EDPB), which has called for stricter sanctions in 75% of the DPC’s decisions. Despite the significant enforcement powers of the GDPR, only 49 compliance orders and 28 fines were issued by the end of 2022. The report’s author, ICCL Senior Fellow Dr Johnny Ryan, emphasised the urgent need for the European Commissioner for Justice, Didier Reynders, to take action against this enforcement failure. You can read the press release here and download the full report here.

Google’s Bard AI excluded from European Union

Google’s generative AI chatbot, Bard, is currently unavailable to the 450 million residents of the European Union, despite its widespread availability in 180 other countries and territories. The exact reason for this omission remains unclear but is suggested to be a signal of Google’s dissatisfaction with the EU’s privacy and online safety laws. Current EU laws, including GDPR and the forthcoming AI Act, are suspected of hindering the deployment of generative AI systems such as Bard. Furthermore, Google has strangely released Bard in select territories of European countries, including the Norwegian dependency of Bouvet Island and the Åland Islands. These regions are generally subject to Europe’s data rules, further confounding the selective rollout. Google has refrained from commenting on this situation. You can read the full article here.

Fines

France: CNIL fines DOCTISSIMO €380,000 for several GDPR and cookie violations

France’s data protection authority, CNIL, has imposed a fine of €380,000 on DOCTISSIMO, a health and well-being website, for multiple violations of the General Data Protection Regulation (GDPR) and non-compliance with rules concerning the use of cookies. The infringements, which include improper data storage duration, illicit health data collection via online tests, insufficient data security, and inappropriate cookie usage, were revealed following four investigations triggered by a complaint from PRIVACY INTERNATIONAL. The fines consist of €280,000 for GDPR infringements and €100,000 for cookie-related non-compliance. In determining the fine amount, CNIL considered the nature and severity of the breaches, the categories of personal data involved (health data), the number of individuals affected, and the financial situation of the company. DOCTISSIMO has since taken steps to rectify all violations, leading to the closure of the procedure by CNIL. The press release is available here and the full decision (in French) here.

Austria: DSB issued a decision against the facial recognition company Clearview AI

On May 10, 2023, the Austrian data protection authority (DSB) has ruled against facial recognition company Clearview AI for infringements of various GDPR provisions. The company was found to have breached Article 5(1)(a) by processing the complainant’s personal data without lawfulness, fairness, and transparency. In addition, Clearview AI violated Article 5(1)(b) as the processing served a different purpose from the original publication of the data. Article 5(1)(c) was also infringed due to the permanent storage of personal data, violating the data minimisation principle. Clearview AI’s scanning and extraction of facial features violated Article 9(1), which prohibits processing of special categories of personal data. Furthermore, the processing was deemed unlawful under Article 6(1) due to an imbalance of interests. Despite these violations, no fines were issued. Clearview AI was ordered to erase the complainant’s data and appoint a European Union representative. You can read the full decision (in Dutch) here and the press release (in English) here.

UK: ICO fines two companies £180,000 for unlawful marketing calls

The Information Commissioners’ Office (ICO) has imposed fines amounting to £180,000 on two companies – Ice Telecommunications Ltd and UK Direct Business Solutions Limited, for making over 480,000 illegal marketing calls to businesses enrolled in the UK’s “Do not call” register. Despite warnings from the Telephone Preference Service (TPS), the companies continued to make persistent calls, some of which were reportedly rude and argumentative. ICO has also launched a collection of short video resources to assist small businesses and sole traders in ensuring their marketing complies with regulations. This move is part of ICO’s ongoing efforts to protect UK businesses and the public from unwanted marketing communications. You can read the press release here.

Romania: ANSPDCP fines National Post Company €5000 for unauthorized use of employees’ personal data

The Romanian data protection authority, ANSPDCP, concluded an investigation into the National Post Company in April 2023, finding violations of Article 5(1)(a) and (2), connected to Article 6(1) of the EU Regulation 2016/679 (GDPR). The company was consequently fined RON 24,719.50 (equivalent to €5000). This penalty came in response to the unauthorized use of employees’ personal data to fill out Form 230, with the aim of redirecting 3.5% of their annual income tax to a company-owned foundation. The investigation found that in January 2023, the company partially completed the form using employees’ personal data, without legal obligation or any proof of compliance with other conditions stipulated in Article 6(1) of GDPR, such as employee consent. ANSPDCP recommended the company ensure future data processing complies with GDPR principles and legal basis. The company has since paid the full fine. You can read the press release (in Romanian) here.