Data Protection Weekly 21/2024

Jun 19, 2024

  European Union

ECHR: Extraction and use of personal data collected from a lawyer’s phone constituted a violation of Article 8

The European Court of Human Rights (ECHR) ruled in the case of Bersheda and Rybolovlev v. Monaco that there was a violation of Article 8 of the European Convention on Human Rights. The case involved the extraction and use of personal data from lawyer Tetiana Bersheda’s mobile phone by an investigating judge. The ECHR found that the investigations undertaken by the judge, which involved the massive, indiscriminate recovery of personal data – including those previously erased by Bersheda – had exceeded his remit. The judge’s remit was confined to accusations of invasion of privacy and lacked the necessary procedural safeguards to respect Bersheda’s status and professional privilege as a lawyer. Consequently, the ECHR concluded that there had been an unjustified interference with her private life and professional communications. Mr Rybolovlev’s application was declared inadmissible as it did not concern his personal data or correspondence. You can download the press release here and read the full judgement here (only in French).

ESAs and ENISA: Signature of a MoU to bolster cybersecurity cooperation

The European Supervisory Authorities (EBA, EIOPA, and ESMA) have formalised a Memorandum of Understanding (MoU) with the European Union Agency for Cybersecurity (ENISA) to enhance cooperation and information exchange. This agreement, influenced by the NIS2 Directive and the Digital Operational Resilience Act (DORA), aims to improve policy implementation, incident reporting, and oversight of critical third-party ICT providers. Verena Ross, Chair of the Joint Committee of the ESAs, emphasised that the MoU will strengthen the EU’s financial system against cybersecurity risks by uniting sector-specific efforts. ENISA’s Executive Director, Juhan Lepassaar, noted that this agreement exemplifies a collective approach to cybersecurity, promoting the harmonisation of NIS2 and DORA provisions. The MoU also supports regulatory convergence, cross-sectoral learning, and capacity building in cybersecurity. This collaboration is crucial in an interconnected world where ICT risks are not confined to specific regions or sectors. You can read the full press release here.

EDPB: Opinion on Sweden’s accreditation requirements for certification bodies

The European Data Protection Board (EDPB) has issued its opinion on Sweden’s draft accreditation requirements for certification bodies under Article 43(3) of the GDPR. The Swedish data protection authority (IMY) proposed these requirements, which the Swedish national accreditation body will use to accredit bodies responsible for GDPR certification. The EDPB assessed the draft, noting that, if approved, accreditation would rely on the GDPR certification criteria, ISO 17065, and additional IMY requirements. The EDPB recommended several modifications to ensure consistent application, including the need for transparency from applicants, compliance with approved criteria, and clear definitions in the certification agreement. The opinion also stressed the importance of the certification body’s independence, the necessity for relevant expertise, and the requirement for accessible documentation. Certifications should have a maximum validity of three years, and notifications should be immediate. The final decision will be registered by the EDPB as part of the consistency mechanism under GDPR. The full opinion is available here.

Supervisory Authorities

Germany: Berlin Group adopts working paper on facial recognition technology

The International Working Group on Data Protection in Technology (IWGDPT), known as the “Berlin Group”, chaired by the BfDI, has adopted a working paper on facial recognition technology. This document outlines potential applications in both private and public sectors while highlighting associated risks and providing recommendations for data protection-compliant usage. Professor Ulrich Kelber, the BfDI, stressed the global rise of facial recognition technologies, noting their increasing use in settings like airport passport controls. The paper particularly underscores the high risks to personal freedoms and rights posed by the use of such technology in public spaces. Additionally, the Berlin Group has rejected the use of facial recognition to infer emotions or character traits due to accuracy concerns and potential discrimination. The IWGDPT urges awareness of the technology’s potential for intrusive surveillance and advocates for targeted, protective solutions. You can read the press release here and download the paper here.

Spain: Worldcoin suspends operations following AEPD provisional measure

Worldcoin has committed to halting its activities in Spain until the end of the year or until the Bavarian data protection authority (BayLDA) issues a final decision. This follows a provisional measure from the Spanish data protection authority (AEPD) in March, which ordered Tools for Humanity Corporation, the company behind Worldcoin, to cease data collection and processing in Spain. The BayLDA, where Tools for Humanity has its main European establishment, is currently conducting an investigation expected to conclude soon, in coordination with other European supervisory authorities. The binding commitment from Worldcoin does not affect the BayLDA’s or AEPD’s authority to take further supervisory actions if obligations are breached. This precautionary measure, supported by the Spanish National Court, prioritised the protection of personal data rights over the company’s interests. Additionally, Tools for Humanity Corporation has announced operational changes, such as implementing age verification and allowing iris code deletion. The AEPD continues to collaborate with the BayLDA on this matter. You can read the press release here (in Spanish).

France: CNIL publishes its first recommendations on the development of AI systems

The French data protection authority (CNIL) published its first recommendations on the development of artificial intelligence (AI) systems to help professionals reconcile innovation with respect for individual rights. Following a public consultation, these recommendations provide clarity on applying the GDPR to AI, especially generative AI systems. Key points include determining the applicable legal regime, defining purposes, classifying actors, establishing legal bases, conducting tests and checks, performing impact assessments, and incorporating data protection from the design phase. The recommendations aim to support AI ecosystem players in complying with data protection laws, offering concrete answers and examples to legal and technical challenges. Contributions from various stakeholders, including businesses, researchers, associations, and public institutions, have enriched these recommendations. CNIL will continue to provide further guidance on topics like legitimate interest and data subject rights in the coming months. You can read the press release here and the recommendations here.

France: CNIL issues nine new sanctions under its simplified procedure

The French data protection authority (CNIL) announced nine new sanctions totalling €83,000, highlighting various breaches including data minimisation, cookies, unlawful processing, data security, and non-cooperation. Since March 2024, the CNIL has identified key infractions such as the unlawful processing of sensitive data through promotional videos, excessive data collection through full call recordings, and non-compliant cookie consent mechanisms. Specific cases include a company recording all call centre conversations unnecessarily and another unlawfully using patient data in promotional material without consent. Additionally, one website was penalised for making it easier to accept cookies than to refuse them, violating legal consent requirements. These actions confirm the diversity of breaches sanctioned by the CNIL in its simplified procedure. You can read the press release here (in French).

Luxembourg: CNPD launches DAAZ, ‘Data Accountability from A to Zen’

The Luxembourg data protection authority (CNPD), in collaboration with the Luxembourg House of Cybersecurity and the National Cybersecurity Competence Center, has launched DAAZ, a GDPR compliance tool for SMEs in Luxembourg. Funded by the European Union’s ALTO project, DAAZ helps businesses integrate GDPR obligations into their operations through a free, intuitive online platform. Developed in response to the resource and expertise challenges faced by SMEs, the tool focuses on user experience, employing “story learning” and “learning by doing” methods. It underwent extensive testing and optimisation with SME feedback and technical input from cybersecurity experts. Available initially in French, with German and English versions forthcoming, DAAZ aims to enhance GDPR compliance, transparency, and consumer trust among SMEs. You can read the press release here and access DAAZ here.

Norway: Nordic DPAs enhance cooperation on children’s data protection, AI, and administrative fines

On 30-31 May 2024, Nordic data protection authorities (DPAs) convened in Oslo for their annual meeting to discuss data protection issues and share best practices. The meeting culminated in a declaration addressing several key areas. The DPAs, encompassing Denmark, the Faroe Islands, Finland, Iceland, Norway, Sweden, and Åland, adopted joint principles on children and online gaming, emphasising their shared values and challenges. They also stressed the importance of cohesive supervision in the face of the EU’s digital package to avoid fragmentation. With AI development heavily involving personal data processing, the DPAs highlighted the necessity of applying both GDPR and the forthcoming AI Act, requiring sufficient resources to manage legal uncertainties. Furthermore, the Nordic DPAs advocated for the ability to issue fines against public sector bodies, a power not uniformly held across all Nordic countries. Efficiency and a risk-based approach remain their operational focus amidst resource constraints. You can read the press release here.

Monaco: CCIN publishes 2023 activity report

The Monegasque data protection authority (CCIN) has published its 2023 activity report, highlighting the main actions undertaken over the past year, which saw a consistent increase in the number of complaints received. Additionally, the CCIN has been increasingly solicited by both public and private entities for guidance on compliance in progressively technical and complex areas. The report opens with a message from the President, who provides a retrospective of the CCIN’s activities since his appointment in 2014, as his term comes to an end this year. This summary encapsulates the CCIN’s ongoing efforts and the evolving landscape of data protection challenges they have addressed. You can read the press release here and the full report here (both in French).

Noyb urges 11 DPAs to immediately stop Meta’s abuse of personal data for AI

noyb has filed complaints with data protection authorities (DPAs) in 11 European countries, urging them to halt Meta’s latest privacy policy change, which is set to take effect on 26 June 2024. Meta plans to use years of personal posts, private images, and online tracking data for unspecified AI technology, claiming a legitimate interest that overrides users’ data protection rights. noyb states that users have no clear opt-out mechanism and cannot remove their data once processed. According to noyb, Meta’s policy potentially involves the personal data of approximately 4 billion users, violating several GDPR provisions. noyb has requested an “urgency procedure” under Article 66 to prevent its implementation. The Irish Data Protection Commission, Meta’s EU regulator, is accused of making deals that circumvent GDPR. noyb hopes for swift action from DPAs to protect user data rights. You can read the press release here.

Greece: Hellenic SA Fines MEP and Ministry of Interior following a leak of expats’ personal data file

The Hellenic Supervisory Authority (SA) has imposed fines on Member of European Parliament (MEP) Anna-Michelle Asimakopoulou and the Ministry of Interior following a data breach involving expatriate voters’ personal data. The breach occurred when a file created for the June 2023 elections was leaked outside the Ministry, containing email addresses and phone numbers of Greek expatriates. This file was later used by Ms Asimakopoulou to send unsolicited political emails without the required GDPR information. The Ministry of Interior was fined €400,000 for multiple GDPR violations and ordered to enhance its data protection measures. Ms Asimakopoulou was fined €40,000 and ordered to delete the data. Investigations continue into the New Democracy party’s involvement. The Hellenic SA clarified that the infringements did not affect the voting process. You can read the press release here and the full decision here (both in Greek).

Netherlands: AP fines recruitment company for failing to delete personal data

The Dutch data protection authority (AP) has fined recruitment company Ambitious People Group (APG) €6,000 for failing to delete the personal data of three individuals upon request. APG, which allows job seekers to register for its mediation services, did not comply with deletion requests, resulting in names, addresses, email addresses, phone numbers, birth dates, and CVs with educational and work information remaining in its database. These individuals were also contacted about job vacancies despite requesting data removal. The AP emphasised the “right to be forgotten,” which mandates that organisations must delete personal data when requested to protect privacy. Additionally, organisations should practise data minimisation, only collecting and retaining necessary data. APG had a deletion procedure but failed in its application, prompting policy revisions. The fine, issued in 2020, was made public following APG’s legal challenges against the penalty and its disclosure. You can read the press release here (in Dutch).

Italy: Garante fines INPS for unlawful online publication of personal data

The Italian data protection authority (Garante) has fined the National Institute for Social Security (INPS) €20,000 for the unlawful online publication of personal data related to public service competition participants. The fine follows a complaint by a participant in a public service competition for 1858 social protection consultant positions, who reported that the INPS website published lists of admitted and non-admitted candidates, including scores and evaluations, which were subsequently shared on social media by third parties. The Garante emphasised that public bodies must comply with data protection laws during competition procedures and cannot publish participant data not mandated by law. The decision reinforces that data protection standards cannot vary regionally or between administrations when regulated by national legislation. The INPS’s cooperation and the removal of the data, although prompted by the Garante’s request, were factors in determining the fine. You can read the press release here (in Italian).

Italy: Garante rules GDPR applies to Wikipedia

The Italian data protection authority (Garante) has ruled that Wikipedia must comply with the GDPR and adhere to journalism and freedom of expression regulations. This decision follows a complaint regarding Wikipedia’s refusal to delete a biographical article about a judicial matter. Wikipedia Foundation, the US-based non-profit behind the online encyclopedia, argued that it doesn’t offer services to EU users and is merely a neutral host of user-generated content. However, the Garante determined that Wikipedia does target the European market, evidenced by its quality standards and European site versions. Consequently, the GDPR applies to Wikipedia’s data processing activities. While the Garante rejected the request to delete the article, deeming the processing of personal data for journalistic purposes lawful without consent, it mandated the article’s de-indexing to respect privacy concerning minor judicial convictions. You can read the press release here (in Italian).