Data Protection Weekly 21/2023

May 26, 2023

European Union

EDPB: Meta Ireland fined €1.2 billion as a result of EDPB binding decision

Following the European Data Protection Board’s (EDPB) binding decision, the Irish data protection authority (DPC) announced the conclusion of its investigation into Meta Platforms Ireland Limited (Meta Ireland). The inquiry, launched in August 2020, centered on Meta Ireland’s data transfers from the EU/EEA to the US, specifically for its Facebook service. The DPC found that Meta Ireland infringed Article 46(1) GDPR by continuing to transfer personal data after the CJEU judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. The DPC adopted the final decision on May 12, imposing a fine of €1.2 billion on Meta Ireland and ordering the suspension of any future data transfers to the US within five months. Meta Ireland is also required, within six months, to cease the unlawful processing, including storage, in the US of EU/EEA user data transferred in violation of the GDPR. You can read the press release of the EDPB here and the one from the DPC here. The full decision is available here.

EDPB: Anu Talus elected new Chair of the European Data Protection Board

Anu Talus, the current head of the Finnish data protection authority, has been elected as the new Chair of the European Data Protection Board (EDPB), succeeding Andrea Jelinek. With a majority of 19 votes out of 27 in two rounds, she will combine this role with her present position. She expressed gratitude for the opportunity and emphasized the need for coherent data protection laws, addressing the issue of “grey areas” in legislation that could compromise personal data protection and legal certainty for economic operators. Outgoing Chair Jelinek endorsed her replacement, expressing confidence in Talus’s ability to take on the role. The term of the Chair at EDPB is five years, and is renewable once. You can read the press release here.

EDPB: Publication of One-Stop-Shop case digest regarding right of erasure and right to object

The European Data Protection Board (EDPB) has released a thematic digest providing an analysis of One-Stop-Shop decisions related to Articles 17 (right to erasure) and 21 (right to object) of the General Data Protection Regulation (GDPR). Produced by the EDPB Support Pool of Experts, the digest revealed that while most cases didn’t involve critical breaches of these provisions, there were still substantial shortcomings with regards to the exercise and enablement of the right to object and the right to erasure. In particular, the digest highlighted issues with effective information provision to data subjects about their right to object and the procedures adopted for handling such requests. The digest also emphasized the need for the development of appropriate procedures and technical solutions to manage such requests. You can read the full document here.

CJEU: Dismissal of Facebook’s objection to European Commission document request

In Case T‑451/20, the General Court of the European Union dismissed Meta Platforms Ireland’s (Meta Ireland) case against the European Commission’s request for documents related to suspected anticompetitive behavior. Meta Ireland argued that the request exceeded necessity and failed to ensure sufficient protection of sensitive personal data. The Court, however, determined that the request and the document review process were in compliance with EU competition rules and that the implementation of a virtual data room sufficiently secured sensitive personal data. It also highlighted that the documents could be provided in a redacted form, protecting personal data. It further held that the decision did not infringe on the fundamental right to privacy as specified in the Charter of Fundamental Rights of the European Union. You can read the court decision here.

European Commission: Celebrating 5 Years of General Data Protection Regulation

Ahead of the General Data Protection Regulation’s (GDPR) fifth anniversary, Vice-President for Values and Transparency, Věra Jourová, and Commissioner for Justice, Didier Reynders, have issued a statement celebrating the impact of this landmark legislation. In their statement, they underscored how the GDPR has empowered citizens, offering them control over their data, and created a level playing field for businesses. They also discussed the creation of a modern data protection culture in Europe that has inspired other parts of the world. Looking ahead, the European Commission plans to propose new legislation to harmonize procedures of cooperation between data protection authorities on cross-border cases. The GDPR, they affirmed, is a future-proof regulation, set to continue guiding the safe development of new technologies. You can read the full statement here.

National Authorities

Belgium: APD prohibits FATCA “accidental Americans” personal data transfer to the U.S.

The Belgian data protection authority (APD) declared today that personal data transfers under the Foreign Account Tax Compliance Act (FATCA) from Belgian ‘accidental Americans’ to the U.S. tax authorities by the Belgian Federal Public Service Finance (FPSF) are unlawful and thus prohibited. The APD argues that the data processing under this agreement does not comply with all General Data Protection Regulation (GDPR) principles, including the rules on data transfers outside of the EU. The APD also calls on the FPSF to notify the competent legislator of the violations identified by the APD, and orders the FPSF to inform the data subjects of the data processing carried out as part of the FATCA agreement. The full decision, which highlights issues with GDPR principles and the proportionality of the data processing, follows a complaint lodged in late 2020. This decision can be appealed. You can read the press release here and the full decision (in French) here.

Belgium: APD releases 2022 annual report

The Belgian data protection authority (APD) has released its 2022 annual report. The year was one of transition for the APD, with changes to its management committee and ongoing work to prepare for the EU’s digital package legislation and the upcoming AI Act, both of which have significant implications for personal data processing. Despite these changes, the APD has continued to advance on various themes including direct marketing and cookies, awareness-raising, and international cooperation. Notably, in 2022, the APD received 604 complaints, a significant drop from 1928 in 2021. Meanwhile, mediation requests increased from 142 in 2021 to 177 in 2022. The APD also opened 1426 data breach cases and issued €738,900 in fines through 189 decisions. You can read the press release here and the full report here (both in French, also available in Dutch).

France: CNIL releases 2022 annual report highlighting data privacy efforts

The French data protection authority (CNIL) has released its annual report for 2022, offering insights into its work centered on four major missions: informing and protecting the public; accompanying and advising professionals and public authorities; anticipating and innovating for the future of digital; and monitoring and sanctioning breaches of the GDPR and French law. The report details public information campaigns and digital education efforts, noting that the CNIL website recorded over 11 million visits, reflecting heightened public interest. The report also indicates that, for the first time since the GDPR’s implementation, the CNIL handled more complaints than it received, reducing its backlog. The regulatory body processed 13,425 complaints while receiving 12,193, an achievement attributed to a user portal that streamlines exchanges with the CNIL. You can read the press release here. The full 2022 annual report is available (in French) here.

Germany: The State Parliament of Baden-Württemberg today elected Prof. Dr. Tobias Keber as State Commissioner for Data Protection and Freedom of Information by a large majority.

Prof. Keber, who replaces Dr Brink, has held a professorship for media law and media policy at the Stuttgart Media University since 2012 and is also a lecturer in the master’s program on media law at the Mainz Media Institute for International Media and Data Protection Law.

Prof. Keber has been associated with the GDD for many years as chairman of its Scientific Advisory Board. The tasks of the Scientific Advisory Board include assisting and advising the GDD’s Executive Board on fundamental issues of data protection.

The board and management of the GDD cordially congratulate Prof. Keber on his election. With his appointment, the state of Baden-Württemberg gains an outstanding data protection expert as its new state commissioner who, based on his research activities, can also competently accompany the current and rapid developments in the use of artificial intelligence (AI). Read the announcement (in German) here.

Germany: GDD explores the far-reaching consequences of the CJEU decision on the right to a copy under Art. 15(3) of the GDPR

The German Association for Data Protection and Data Security (GDD) has conducted an assessment of the impact of the CJEU judgment on the right to obtain a copy. The GDD raises two practical questions which have been somewhat controversial to date.

  1. What is meant by the term “copy” in Article 15(3) of the GDPR? Is a photocopy meant in the sense of general usage, i.e. a copy of the original document? Or does the term require a specific interpretation under data protection law that is independent of its general usage?
  2. What is the relationship between the right to a copy and the general right to information under Article 15(1) of the GDPR? A further question of practical significance is whether the applicant must explicitly request the copy or automatically receives it when he or she requests information.

Read the full article (in German) here.

Italy: Garante releases second volume of “Applying the GDPR”

The Italian Data Protection Authority (Garante) has published the second volume of “Applying the GDPR,” providing a comprehensive overview of the guidelines and orientation documents produced by the European Data Protection Board (EDPB) between May 25, 2019, and the end of 2022. The publication aims to be a practical and comprehensive tool primarily for data controllers and processors, but also for data protection officers who assist in implementing the GDPR. The volume provides insights and reflections for anyone interested in understanding and better safeguarding the fundamental rights to privacy and data protection. The period covered by this publication has seen significant challenges and issues, not only for data protection but for society as a whole, primarily the COVID-19 pandemic and the emergence of pervasive technologies such as artificial intelligence. You can read the document (in Italian) here.

UK: ICO issues new guidance on SAR for employers

The Information Commissioner’s Office (ICO) has issued new guidelines for businesses and employers on how to respond to Subject Access Requests (SARs). SARs, part of the UK GDPR and the Data Protection Act (DPA), grant individuals the right to request a copy of their personal data from organisations. Companies failing to comply with SARs face penalties, such as fines or reprimands. The guidance aims to help organisations avoid misunderstandings around SARs and comply with the strict timeframe for response, thus ensuring that individuals can access their personal data when needed. From April 2022 to March 2023, the ICO reported 15,848 complaints related to SARs. Furthermore, the ICO reaffirms its commitment to uphold and protect data rights, promising appropriate action against non-compliant responses. You can read the full guidelines here.

UK: ICO reprimands Ministry of Justice over confidential document mishandling in prison

The Information Commissioner’s Office (ICO) has issued a formal reprimand to the UK Ministry of Justice after 14 bags of confidential documents were left unsecured in a prison holding area for 18 days. These documents, accessible to prisoners and staff, contained sensitive medical and security vetting information. Staff who found prisoners reading the documents did not act proactively to secure the information, and at least 44 individuals gained access to it. The ICO investigation revealed a lack of robust data protection policies at the prison, including unsecured areas for confidential waste, staff unawareness of document shredding requirements, inaccurate data protection training records, and a general lack of understanding of data risk and breach reporting. The ICO requires a thorough review of all data protection protocols, the creation of a separate data breach reporting policy for staff, and a progress report by October 2023. You can read the press release here.


G7 pledges to improve international governance of emerging digital technologies and Data Free Flow with Trust

In a recent statement, the G7 nations affirmed their commitment to the international governance of emerging digital technologies such as AI. They recognised that the principles of fairness, accountability, transparency, and respect for privacy should underpin the governance of new technologies. The G7 also expressed concern about the increasing prominence of generative AI, calling on organisations such as the OECD to analyse the impact of policy developments in this area. They also stressed the importance of trustworthy cross-border data flows to invigorate the digital economy. The group emphasised its commitment to operationalising the concept of Data Free Flow with Trust (DFFT), while preserving governments’ ability to address legitimate public interests. Importantly, the G7 underscored their opposition to unjustified obstacles to the free flow of data, as well as to any misuse of digital technology that infringes human rights. You can read the full statement here.

FPF publishes a report on GDPR’s data protection by design and default obligations

The Future of Privacy Forum (FPF) recently released a report on the enforcement of Article 25 of the EU’s General Data Protection Regulation (GDPR), known as Data Protection by Design and by Default (DPbD&bD). The report, analysing more than 92 cases and guidelines from data protection authorities (DPAs), courts, and the European Data Protection Board, looks into enforcement trends concerning this article. The study examines various data processing activities, such as online services, emotion recognition AI systems, and more. The FPF’s research indicates a divergence in the interpretation of the preventative nature of Article 25 among European DPAs. It also demonstrates that despite criticism over its ambiguous wording, Article 25 often features in some of the highest GDPR fines. This underlines the importance of understanding the concepts of DPbD&bD for organisations. You can read the press release here and the full report here.


Romania: ANSPDCP fines Global Baby Brands SRL for unsolicited messages

Romania’s data protection authority (ANSPDCP) finalized an investigation in May 2023, finding that Global Baby Brands SRL had violated articles 7 and 21 of the General Data Protection Regulation (EU) 2016/679 (GDPR) and fining the company 4,929.4 lei (equivalent to €1,000). The investigation was initiated following a complaint that the company had sent multiple unsolicited commercial SMS messages without the recipient’s consent. Global Baby Brands failed to present proof of consent, in breach of article 7, and also violated article 21 of the GDPR by continuing commercial communication after the recipient’s objection. Corrective measures have been ordered to ensure future compliance with the conditions for personal data processing. You can read the press release (in Romanian) here.