Data Protection Weekly 20/2024

Jun 7, 2024

CEDPO

ASCPD launches new guide for children, parents and teachers during GDPR conference

The Association of Privacy and Data Protection Specialists (ASCPD), the Romanian member of CEDPO, held an online conference titled “Six years of GDPR application – CHALLENGES AND SOLUTIONS” on May 27, 2024. The event addressed the challenges encountered, and the solutions found, during the first six years of GDPR application. During the conference the ASCPD launched its new guide, “How do I protect my personal data and defend myself from dangers in the online environment?”. This awareness guide, authored by Daniela-Irina Cireașă, Daniela Simionovici, Alexandra Vese, and Andrei Cononov, explains why personal data protection and cyber security matter for children, parents, and teachers, and provides practical advice and strategies for navigating the online environment safely. You can watch the recording of the conference here and read the full guide here (both in Romanian).

European Union

EDPB: Statement on financial data access and payments package

On 23 May 2024, the European Data Protection Board (EDPB) released a statement addressing the European Commission’s proposals of June 2023 on payment services and financial data access. The legislative package comprises the Financial Data Access (FIDA) framework, a Payment Services Regulation (PSR), and a third Payment Services Directive (PSD3), and aims to improve consumer protection, enhance competition in electronic payments, and enable consumers to share their data in order to access a wider range of financial products. While the European Parliament has incorporated several recommendations of the European Data Protection Supervisor (EDPS), the EDPB identifies areas that still need improvement, especially data protection in transaction monitoring and fraud prevention. The EDPB calls for additional safeguards, stressing the need for clear rules on the retention and disclosure of personal data and for a carefully defined scope of data sharing that protects individual privacy. The full statement is available here.

EDPS: Guidelines on generative Artificial Intelligence and personal data for EU institutions

The European Data Protection Supervisor (EDPS) has released guidelines on generative Artificial Intelligence (AI) and personal data for EU institutions, bodies, offices, and agencies (EUIs). The guidelines are intended to help EUIs meet their data protection obligations under Regulation (EU) 2018/1725 when using or developing generative AI tools. EDPS Wojciech Wiewiórowski described the guidelines as a first step towards broader recommendations that will address a wider range of generative AI scenarios. The guidelines emphasise the core data protection principles and include practical examples to help EUIs anticipate risks, challenges, and opportunities. Key topics include how to determine whether a given use of generative AI involves the processing of personal data and when a data protection impact assessment must be carried out. The EDPS issued these guidelines in its capacity as data protection supervisor of the EUIs, a role distinct from its future role as AI supervisor of the EUIs under the forthcoming EU Artificial Intelligence Act. You can read the press release here and download the guidelines here.

ECHR: Polish secret-surveillance laws violate European Convention on Human Rights

In the case of Pietrzak and Bychawska-Siniarska and Others v. Poland, the European Court of Human Rights (ECHR) found that Polish legislation authorising a secret-surveillance regime violated Article 8 of the European Convention on Human Rights. The complaint, brought by five Polish nationals, challenged both the lawfulness of the surveillance measures themselves and the absence of any legal remedy for persons who suspect they are under surveillance. The ECHR unanimously found three violations, concerning the operational-control regime, the retention of communications data, and the secret-surveillance provisions of the Anti-Terrorism Act. The court stressed the secretive nature of the legislation and the absence of effective judicial review, and held that the mere existence of the legislation constituted an interference with the applicants’ rights. The operational-control regime and the data retention rules were found to lack sufficient safeguards against undue interference, and the Anti-Terrorism Act’s secret-surveillance provisions lacked independent oversight, failing the requirements of Article 8. You can read the Polish DPA’s press release here (in Polish); the full judgment is available here.

CJEU: Opinion of the Advocate General on the right to erasure of personal data

Advocate General Medina has delivered an Opinion in case C-200/23 on the relationship between the GDPR and Directive 2017/1132 as regards the publication, in the commercial register, of company documents containing personal data. The case arose from a dispute between OL and the Agentsia po vpisvaniyata (Registration Agency, Bulgaria), which had refused to delete certain personal data from a publicly available company document. The Advocate General concluded that, under the GDPR, the Registration Agency acts as a ‘controller’ of the personal data contained in the company documents it registers. The Opinion emphasises the need to balance transparency against data protection: personal data that is not essential to the register’s purpose should be removed before publication unless the law requires its publication, and data subjects have the right to request erasure of their personal data unless its retention is legally justified. This interpretation is intended to ensure that the protection of personal data does not undermine the transparency and legal certainty that the commercial register provides. You can read the full Opinion here.

European Commission: Establishment of AI Office to strengthen EU leadership in AI

The European Commission has launched the AI Office, a new entity intended to foster the safe and innovative development of Artificial Intelligence (AI) across the EU. The AI Office will be central to implementing the AI Act, in particular the rules on general-purpose AI models. Its units are Regulation and Compliance, AI Safety, Excellence in AI and Robotics, AI for Societal Good, and AI Innovation and Policy Coordination, covering regulation, risk assessment, research, societal applications, and policy execution respectively. With a staff of more than 140 specialists, the AI Office will ensure consistent enforcement of the AI Act, cooperate with Member States, and engage with stakeholders. It will promote an EU-wide ecosystem for trustworthy AI, support research initiatives such as GenAI4EU, and act as a global reference point on AI. The AI Act, provisionally agreed in December 2023, is expected to enter into force in July 2024. The organisational changes take effect on 16 June, with the first board meetings planned for the end of June. You can read the full press release here.

Supervisory Authorities

Ireland: DPC publishes 2023 annual report

The Irish data protection authority (DPC) has published its 2023 Annual Report, detailing significant enforcement actions and case outcomes. The DPC issued 19 decisions resulting in €1.55 billion in fines. Notable cases include a €1.2 billion fine against Meta Platforms Ireland over data transfers from the EU to the USA and a €345 million fine against TikTok for the mishandling of children’s data. Other significant fines were imposed on Bank of Ireland (€750,000) and Centric Health (€460,000). The DPC received 11,200 new cases in 2023, a 20% increase on 2022, and concluded 11,147 cases; 3,218 complaints were resolved through formal processes, and 156 cross-border complaints were handled. The report also covers the DPC’s legislative consultations and its role in the postponement or revision of four internet platform projects on privacy grounds. The DPC continued to take part in the Digital Regulators Group supporting the implementation of EU digital legislation. You can read the press release here and the full report here.

Italy: Garante issues guidance to protect personal data from web scraping

The Italian data protection authority (Garante) has issued guidance to help data controllers protect personal data they publish online from web scraping, the indiscriminate collection of data from the internet by third parties for purposes such as training generative AI models. The guidance follows a fact-finding investigation approved last December and is without prejudice to the Garante’s pending decisions on the lawfulness of web scraping, including its investigation of OpenAI. The Garante suggests measures such as placing content in reserved areas accessible only after registration, adding anti-scraping clauses to website terms of service, monitoring web traffic for abnormal data flows, and deploying anti-bot technologies. None of these measures is mandatory: data controllers must decide whether to adopt them on the basis of the accountability principle, the state of the art, and implementation costs, a consideration that weighs particularly on SMEs. You can read the press release here and download the full guidance here (in Italian).
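The guidance lists "monitoring web traffic for abnormal data flows" without saying how. The following is an added example, not code from the Garante or from any product, of what that monitoring looks like in practice: it parses web-server access logs in combined log format and flags clients whose behaviour resembles bulk collection (many requests in a short window, many distinct resources, or an automation user agent). The log lines are constructed for the example, and the thresholds are illustrative assumptions rather than values from the guidance.

```python
"""Flag likely scraping clients in web-server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
AUTOMATION_UA = re.compile(r"python-requests|scrapy|curl|wget|go-http-client", re.I)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_scrapers(lines, window_s=60, max_requests=30, max_distinct_paths=20):
    """Return {client_ip: [reasons]} for clients whose traffic looks like scraping.

    Thresholds are assumptions for the example; tune them per site.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        # Peak number of requests inside any sliding window of window_s seconds.
        start, peak = 0, 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            reasons.append(f"{peak} requests within {window_s}s")

        # Breadth: a human reads a few pages, a harvester walks the whole site.
        distinct = {r["path"] for r in recs}
        if len(distinct) > max_distinct_paths:
            reasons.append(f"{len(distinct)} distinct paths")

        if any(AUTOMATION_UA.search(r["ua"]) for r in recs):
            reasons.append("automation user-agent")

        if reasons:
            flagged[ip] = reasons
    return flagged


def _line(ip, ts, path, ua):
    """Build one constructed combined-log-format line."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed sample: one ordinary visitor and one client harvesting profile pages.
_BASE = datetime(2024, 6, 1, 10, 0, 0)
SAMPLE_LOG = (
    [_line("203.0.113.5", _BASE + timedelta(minutes=2 * i), f"/page/{i}",
           "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0") for i in range(5)]
    + [_line("198.51.100.7", _BASE + timedelta(seconds=i), f"/profile/{i}",
             "python-requests/2.32") for i in range(50)]
)

if __name__ == "__main__":
    for ip, reasons in flag_scrapers(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Rate and breadth checks catch scrapers that spoof a browser user agent; the user-agent check alone would not. In production the same logic runs over a log shipper's stream rather than a list, and a flagged client feeds the anti-bot layer the guidance also mentions (a challenge, a rate limit, or a block).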

Italy: Garante requests information on Puglia’s anti-papilloma vaccination requirement

The Italian data protection authority (Garante) has requested information from the Puglia Region about a bill that would require middle school, high school, and university students to present proof of HPV vaccination in order to enrol. The Garante recalls that the GDPR prohibits the processing of health data unless one of its specific exemptions applies, and notes that under current rules school staff may request proof of vaccination only for vaccinations that are compulsory. Given the sensitivity of the matter, which chiefly concerns minors, the Garante has asked the Puglia Region to provide the relevant information within 30 days so that it can assess the case. The request underscores the need to consider privacy and data protection requirements carefully when designing public health measures. You can read the press release here (in Italian).

France: French law SREN expands CNIL’s digital protection duties

The French law on securing and regulating the digital space (SREN) gives the French data protection authority (CNIL) new responsibilities. Implementing several European regulations, the SREN aims to protect internet users and to facilitate data flows, and it extends the CNIL’s mandate accordingly. The law implements the Data Governance Act (DGA), which promotes data altruism, that is, the voluntary sharing of data for purposes of general interest; the CNIL will register and supervise data altruism organisations and handle related complaints. The law also designates the CNIL as the authority responsible for enforcing certain obligations of the Digital Services Act (DSA), including transparency of targeted advertising and the bans on profiling minors, and on using sensitive data, for advertising purposes. The CNIL will work closely with the other digital regulators to ensure compliance. The SREN further imposes age verification on pornographic websites and introduces an anti-scam cybersecurity filter, with the CNIL overseeing the fairness of these measures. The CNIL is preparing to take on these new roles in the interest of a safer internet. You can read the press release here (in French).

Luxembourg: CNPD issues opinion on bill no. 8148 concerning personal data retention

The Luxembourg data protection authority (CNPD) has issued an opinion on bill no. 8148 on the retention of personal data. The bill amends the Code of Criminal Procedure, the 2005 law on privacy in electronic communications, and the 2016 law reorganising the State Intelligence Service, with the aim of bringing Luxembourg’s data retention framework into line with the case law of the Court of Justice of the European Union (CJEU). It governs the retention of traffic and location data by electronic communications operators and the use of that data by the authorities. The CNPD examined whether the bill meets the CJEU’s requirements, focusing in particular on the duration of retention, the safeguards for the data retained, and the CNPD’s own supervisory powers, and identified the adjustments needed to bring the bill up to the required standard of privacy protection. You can read the press release here and the full opinion here (both in French).

Belgium: APD implements amended organic law and adopts new rules of procedure

On 1 June 2024, the amended organic law governing the Belgian data protection authority (APD) and the APD’s new rules of procedure (RoP) entered into force, bringing a number of organisational and procedural changes intended to make the APD more efficient. The First-Line Service can now initiate mediation itself, which allows it to handle simple cases on its own. The procedure before the Dispute Chamber has been revised to provide greater legal certainty and smoother case handling. The new RoP add procedural rules for new and existing tasks, such as granting authorisations and handling data breach notifications, and the Management Committee is given a stronger coordinating role. From May 2025 the APD will be able to draw on a standing, multidisciplinary list of external experts. The amended organic law and the new RoP apply only to cases submitted on or after 1 June 2024. You can read the press release here (in French).

Netherlands: AP says new credit registration rules are inadequate

The Dutch data protection authority (AP) warns that the proposed new rules on credit registration in the Netherlands do not adequately protect individuals’ rights. Although the rules are meant to better safeguard the financial information of millions of people, the AP finds that the Credit Registration Office (BKR) would still be allowed to keep sensitive data for too long: the proposal permits the BKR to retain data for up to three years after a credit agreement ends. The AP argues that data should be retained only where there is a demonstrable need, for example in cases of serious payment arrears. The proposal also makes it harder for individuals to request deletion of their data and does not make clear which kinds of financial agreements may be registered. The AP calls for the proposal to be improved so that outdated credit information does not put people at a disadvantage. You can read the press release here (in Dutch).

Denmark: Datatilsynet issues new guidance on notification requirements for data breaches

The Danish data protection authority (Datatilsynet) has concluded a series of inspections of how companies and public authorities notify affected individuals of personal data breaches. The inspections were part of Datatilsynet’s 2022 focus on breach notification and examined specific notifications sent by organisations including Aarhus Municipality, Alm. Brand Forsikring A/S, and the Danish Tax Agency. Datatilsynet concluded that the organisations must ensure that future notifications contain all the required information, and it reprimanded one company that could not demonstrate that affected individuals had been notified in accordance with the data protection rules. Controllers must inform individuals when a breach is likely to result in a high risk to their rights and freedoms, and must give them enough detail to take the necessary precautions. Datatilsynet has issued new guidance on the required content of such notifications and has sent it to the organisations concerned. You can read the press release here and the full guidance here (both in Danish).

Sanctions

Denmark: Copenhagen Municipality receives severe reprimand for lack of security measures

The Danish data protection authority (Datatilsynet) has issued a severe reprimand to Copenhagen Municipality for giving approximately 37,500 employees unauthorised access to information on up to 3.7 million individuals, including sensitive data about children. The breach resulted from a human error during a data file transfer that left the destination drive with overly broad access permissions. The error went unnoticed for almost two months and was only discovered during a routine security scan. The municipality argued that ordinary IT users were unlikely to find the drive, but Datatilsynet found the security measures insufficient under Article 32(1) GDPR. Datatilsynet stressed that controllers must assess up front which data is actually needed and whether it should be encrypted, and must maintain robust access control, particularly when systems are changed. The municipality has taken steps to prevent a recurrence, but breaches of this kind continue to occur and call for sustained vigilance. You can read the press release here (in Danish).
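The failure mode here is a transfer that silently widens who can read the data, found two months later by a scan. An added example, not tooling from Datatilsynet or the municipality, of the two controls a practitioner would want instead: a transfer step that never lets the destination be more permissive than intended, and an audit that is run immediately after the transfer rather than on a periodic scan. The press release does not describe the municipality's platform or ACL model, so the example uses POSIX mode bits as a stand-in, with "other" standing for the broad population of ordinary users; the directory tree is constructed inside the example.

```python
"""Catch over-broad file permissions at transfer time (added example)."""
import os
import shutil
import stat
import tempfile


def world_readable_files(root):
    """Return regular files under root whose mode grants read access to 'other'.

    Relative paths are returned so the result is stable across runs.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def transfer_restricted(src, dst, group_readable=True):
    """Copy src to dst, then clear every 'other' bit (and group bits if requested).

    copy2 preserves the source mode, which may itself already be too broad, so the
    permissions are tightened explicitly after the copy rather than trusted.
    Returns the resulting permission bits.
    """
    shutil.copy2(src, dst)
    mode = stat.S_IMODE(os.stat(dst).st_mode) & ~stat.S_IRWXO
    if not group_readable:
        mode &= ~stat.S_IRWXG
    os.chmod(dst, mode)
    return mode


def demo():
    """Build a constructed tree with one restricted and one over-exposed file,
    audit it, then show the restricted transfer repairing the exposed copy."""
    root = tempfile.mkdtemp()
    ok = os.path.join(root, "payroll.csv")
    bad = os.path.join(root, "children", "cases.csv")
    os.makedirs(os.path.dirname(bad))
    for path in (ok, bad):
        with open(path, "w") as fh:
            fh.write("constructed sample, no real data\n")
    os.chmod(ok, 0o640)
    os.chmod(bad, 0o644)  # the "human error": readable by every user on the host

    before = world_readable_files(root)

    # Re-transfer the exposed file the safe way into a fresh destination.
    dest_root = tempfile.mkdtemp()
    dest = os.path.join(dest_root, "cases.csv")
    new_mode = transfer_restricted(bad, dest)
    after = world_readable_files(dest_root)

    shutil.rmtree(root)
    shutil.rmtree(dest_root)
    return {"before": before, "after": after, "dest_mode": new_mode}


if __name__ == "__main__":
    print(demo())
```

On a Windows file share the same two steps apply to the ACL: set the destination's DACL explicitly from the intended group list rather than inheriting it, and enumerate ACEs granting broad principals (Everyone, Authenticated Users, Domain Users) immediately after the copy.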

Spain: AEPD imposes temporary ban on Meta’s electoral features

On 31 May 2024, the Spanish data protection authority (AEPD) ordered Meta Platforms Ireland Limited to suspend the roll-out of its Election Day Information (EDI) and Voter Information Unit (VIU) features in Spain. The decision, taken under the urgency procedure in view of exceptional circumstances, is intended to prevent data collection, user profiling, and sharing of data with third parties that could infringe the GDPR. The AEPD considered that the processing Meta planned could breach the principles of lawfulness, data minimisation, and storage limitation, posing significant risks to users’ rights and freedoms. The provisional ban applies for up to three months, covering the upcoming European Parliament elections. Italy is excluded from the launch because of proceedings pending before the Italian data protection authority. The measure seeks to prevent personal data from being used by unidentified entities for unspecified purposes. You can read the press release here (in Spanish).