Data Protection Weekly 22/2023

Jun 5, 2023

European Union

European Commission: New calls for proposals to strengthen Europe’s cybersecurity

The European Commission has called upon companies, public administrations, and other organisations to submit proposals to enhance the EU’s resilience against cyber threats. The Commission and the European Cybersecurity Competence Centre (ECCC) have opened a new call for proposals, worth a total of €71 million under the Digital Europe Work Programme 2023-2024. From this total, €35 million will support the creation of the Cybersecurity Emergency Mechanism, €30 million will bolster the implementation of the NIS2 Directive and the proposed EU Cyber Resilience Act, and €6 million will aid in fostering coordination between the civil and defence sectors of cybersecurity. Alongside this, a previous call with a remaining budget of €36.5 million has been reopened, covering the topics of Resilience, Coordination and Cybersecurity Ranges, Capacity Building for Security Operation Centres, and Uptake of Innovative Cybersecurity Solutions. The calls are open to entities from EU Member States and EFTA/EEA countries until 26 September and 6 July 2023, respectively. You can read the press release here.

European Commission: EU-ASEAN collaboration on model clauses for data transfers

The European Union (EU) and the Association of Southeast Asia (ASEAN) have developed a joint guide that identifies the commonalities between the EU standard contractual clauses and ASEAN model contractual clauses for data transfers. Model contractual clauses are a commonly used tool for data transfers across different jurisdictions. The guide aims to assist companies operating in both jurisdictions to comply with both sets of clauses. It will also incorporate best practices from companies that utilise these contractual tools for data transfers. You can read the press release here and the full Joint Guide is available here.

ENISA: Publication of the outcome of the Public Consultation on the draft Candidate EUCC Scheme

The public consultation on the first draft of the cybersecurity certification candidate EUCC scheme has led to significant changes in the proposed system. Developed by the Ad Hoc Working Group (AHWG) of ENISA, in line with Article 48.2 of the Cybersecurity Act, the EUCC scheme is designed to succeed the existing ICT product certification schemes under the SOG-IS MRA. Major modifications include additional and clarified definitions, streamlined cooperation with the ECCG for guidance document development, clarified activities related to certificate maintenance, and specific timelines for addressing non-conformities and vulnerabilities. Other changes involve the status of the new patch management process, the logo linked to the certificates, simplification of peer assessment requirements, and updates to annexes 7 and 9 based on their recent evolutions within the SOG-IS, with an added annex related to ST sanitisation. You can download the full report here and the full EUCC scheme here.

EDPS: Wojciech Wiewiórowski delivered the CPDP closing remarks highlighting the importance of privacy protection in a changing environment

In his closing remarks at the CPDP conference, European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, stressed the importance of privacy as a right, not a privilege. Amid global change, he urged for more focus on individuals’ vulnerability. Wiewiórowski highlighted the dualistic nature of privacy, fundamental yet context-dependent, with reference to the evolving digital landscape. He warned that contextual privacy could risk reducing fundamental rights to non-transparent procedures. Calling for flexibility and readiness to adapt to shifting privacy boundaries, he emphasised collective action to empower individuals, enhancing their control over their digital footprints. The EDPS underscored the CPDP’s role in discussing diverse digital regulation fields, while looking forward to future discourse. You can read the full transcript here.

National Authorities

UK: ICO rejects criticisms regarding data protection enforcement during pandemic

A report scrutinising the Information Commissioner’s Office’s (ICO) role during the Covid-19 pandemic has found it lacking in enforcing data protection laws. It criticises the ICO for failing to prevent clear breaches, leading to excessive data retention and transparency issues. However, the ICO has disputed these criticisms, emphasising its proactive efforts during the pandemic. It highlighted the mobilisation of a dedicated task force and the prompt advice provided to organisations using data in uncharted ways. The ICO asserts that its focus remains on protecting people’s rights and supporting organisations. The ongoing disagreement underscores the challenges faced by data protection authorities in ensuring both the facilitation of rapid response during emergencies and strict adherence to data privacy standards. You can find the report here and read the ICO’s statement here.

Germany: BfDI draws positive conclusion of GDPR’s five-year journey

In its recent review of the General Data Protection Regulation (GDPR), the German data protection authority (BfDI) commended the initiative as a European model of success, noting its positive impact on enforcement. Despite initial uncertainties surrounding the large, novel legal system, the BfDI, Professor Ulrich Kelber, expressed that conditions have now become more predictable. He particularly emphasised that major international providers must comply with the law, as demonstrated by recent cross-border case decisions. Furthermore, the GDPR has emerged as a global standard, influencing data protection regulations in countries such as Japan, Korea, Israel, Brazil, and numerous US states. However, Kelber pointed to the need for faster cross-border case processing and producer liability in data protection, especially as artificial intelligence technologies become more prevalent. You can read the press release here.

Spain: AEPD discusses importance of accuracy in AI data processing

The Spanish data protection authority (AEPD) recently published a blog post examining the crucial role of accuracy in AI data processing. They highlighted the GDPR’s accuracy principle (Article 5(1)(d)), noting the potentially serious implications of inaccuracies in input data, as demonstrated by a case involving a triage AI system in a healthcare setting. The case underscored the importance of accurately defining and understanding input data. Furthermore, AEPD emphasised that safeguards to prevent inaccuracies should be incorporated into these systems by design. The post also reminded designers of the necessity for regular reviews and updates. The blog post called for a comprehensive assessment of processing activity, extending beyond the AI algorithm to include data gathering, data checking, and decision-execution procedures. You can read the full blog post here.

Italy: Garante to discuss future strategies with Italian DPOs

On June 23, Data Protection Officers (DPOs) from both public and private sectors in Italy will meet with the Italian data protection authority (Garante) in Bologna for a strategic discussion. This event comes five years after the application of the GDPR, and aims to assess accumulated experiences and identify intervention areas to strengthen the role of DPOs in the future. Topics of focus will include DPO designation and qualifications, risks associated with DPO positions such as independence and conflicts of interest, and their contribution in complex situations. The discussion will also explore ways to build more collaborative relationships with the Garante. The event will serve as a critical platform for exchange and collaboration between DPOs and the Garante. You can read the press release (in Italian) here.

Luxembourg: JCA publishes its 2022 annual activity report

The Judicial Control Authority (JCA) has released its 2022 Activity Report. The JCA, comprised of six active members and their alternates, including two representatives from the CNPD, is responsible for overseeing personal data processing operations carried out by judicial and administrative courts, including the public prosecutor’s office. In 2022, the JCA’s meetings largely focused on advice requests relating to Bill No. 7881 concerning information exchange on non-EU nationals and the European Criminal Records Information System (ECRIS), as well as a bill introducing specific provisions for personal data processing in the “JU-CHA” application. Significantly, the number of complaints the JCA handled in 2022 nearly tripled compared to 2021, moving from three to eight. You can read the press release here and the full report here (both in French).

Global

UK: Concerns over surveillance cameras around MP’s homes

The Biometrics and Surveillance Camera Commissioner of England & Wales, Fraser Sampson, recently addressed a letter to Lucy Allan, MP for Telford, discussing the operation of surveillance cameras around the homes of members of Parliament. Despite acknowledging that the described surveillance system fell outside his statutory functions, Sampson chose to provide insights due to the proliferation of biometric surveillance and future regulation of the area. The Commissioner emphasised that under the existing regulatory framework, such surveillance is largely treated as a data protection matter under the remit of the Information Commissioner, falling within the purview of the Data Protection Act 2018 and the General Data Protection Regulation. While Sampson acknowledged the risks from such equipment, he also highlighted the necessity for further actions, including raising a complaint with the Information Commissioner, sharing concerns with local police, and contacting the Security Minister. You can read the full letter here.

EU: Tech chief Vestager sees draft voluntary AI code within weeks

Following the meeting this week of the EU-US Trade and Technology Council (TTC), Margrethe Vestager stated she believed a draft code of conduct on artificial intelligence (AI) could be drawn up within weeks, allowing industry to commit to a final proposal “very, very soon”. Vestager said the United States and European Union should push a voluntary code to provide safeguards while new laws are developed. The TTC closing statement said the two partners had created expert groups to assess risks and cooperate on AI standards while monitoring existing and emerging risks. The full Reuters article can be read here.

Fines

France: CNIL closes the injunction issued against Microsoft Ireland in a €60 million fine decision

The French data protection authority (CNIL) announced the closure of its injunction against Microsoft Ireland Operations Limited on May 11, 2023. Issued on December 19, 2022, the injunction imposed a €60 million fine on the company and demanded that “bing.com” users in France be allowed to consent to the use of trackers for countering ad fraud upon landing on the site. Failure to comply with the injunction risked a daily €60,000 penalty. Microsoft Ireland Operations Limited addressed these requirements within the prescribed three-month period by implementing technical changes to deactivate the mentioned trackers in absence of specific consent from French users. CNIL, acknowledging the company’s compliance, ended the injunction process. You can read the press release here and the full decision (in French) here.

Germany: Bank fined €300,000 over lack of transparency in automated decision-making

The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed a fine of €300,000 on a bank for failing to provide transparency over an automated individual decision. The bank refused to provide a customer with understandable explanations for the automated denial of his credit card application. Although the bank cooperated fully with BlnBDI and accepted the penalty notice, it violated GDPR’s transparency obligations. GDPR mandates that personal data be processed transparently and that individuals have a right to understand the logic behind automated decisions. The bank did not adhere to this with its digital credit card application, as the customer could not comprehend the data and factors that led to his application’s rejection. Despite the customer having a good credit score and regular high income, the bank did not provide specific information on why it assumed poor creditworthiness in his case. You can read the press release (in German) here.