Data Protection Weekly 22/2024

Jun 19, 2024

CEDPO

CEDPO: Report from Multistakeholder Expert Group on GDPR application

The Multistakeholder Expert Group has contributed to the European Commission’s 2024 evaluation of the General Data Protection Regulation (GDPR). This group, which includes the Confederation of the European Data Protection Organisations (CEDPO), was established in 2017 to support the GDPR’s application. Their report, published on 10 June 2024, compiles feedback from various stakeholders on 14 key aspects of the GDPR, such as data subject rights, accountability, and international data transfers. The report acknowledges the progress made in data protection compliance and awareness while also addressing persistent challenges and areas for improvement. CEDPO’s involvement underscores its active role in shaping the GDPR’s practical implementation. You can download the full report here.

European Union

Council of the EU: Adoption of common position on GDPR enforcement rules

The Council of the EU has reached an agreement on a common position regarding a new law aimed at improving cooperation between national data protection authorities in enforcing the General Data Protection Regulation (GDPR). This law will streamline the process for handling cross-border complaints and investigations by harmonising admissibility requirements across the EU. It clarifies procedural deadlines, steps for investigations and binding opinions by the European Data Protection Board (EDPB) in case of disagreements between authorities. The regulation ensures the right to be heard both for complainants whose complaint is rejected and for companies under investigation. Key amendments include clearer timelines, an enhanced cooperation procedure, and an early resolution mechanism for non-contentious cases. This agreement paves the way for negotiations with the European Parliament, which had established its position in April 2024, in order to agree on a final legislative text. You can read the full press release here.

The EU Agency for Fundamental Rights: Report highlights lack of resources undermining EU data protection enforcement

The EU Agency for Fundamental Rights (FRA) has published a report indicating that data protection authorities (DPAs) face significant challenges in enforcing the GDPR due to a lack of human and financial resources. The report, titled ‘GDPR in practice – Experiences of data protection authorities’, identifies underfunding, insufficient staffing, and a growing workload as major obstacles. The FRA urges EU countries to provide DPAs with adequate resources to manage new responsibilities from laws like the AI Act. It also calls for stronger supervisory tools and better consultation processes for new legislation. To improve public understanding and compliance, the FRA recommends increased awareness efforts and specific guidance on new technologies. The report is based on 70 interviews with DPA representatives from all 27 EU Member States conducted between June 2022 and June 2023. You can read the press release here and the full report here.

Council of Europe: 46th Plenary meeting of the Committee of Convention 108

The 46th Plenary meeting of the Committee of Convention 108 (T-PD) was held from 5 to 7 June 2024 in Strasbourg. The committee adopted the third module of the Model Contractual Clauses for transferring personal data from processor to processor, completing the set which already included modules for controller to controller and controller to processor transfers. Additionally, the T-PD approved Guidelines on the protection of individuals with regard to the processing of personal data for the purposes of voter registration and authentication. Further discussions focused on interpreting article 11 of the modernised Convention. An exchange of views took place on data protection in neurosciences, informed by a scientific report by Marcello Ienca and Eduardo Bertoni. The event concluded with the presentation of the Stefano Rodota award by the committee chair, Elsa Mein, to Konrad Kollnig and Lin Kyi for their contributions in the “PhD thesis” and “articles” categories respectively. You can read the full press release here.

European Commission: Statement on LinkedIn’s commitment to comply with DSA provisions on targeted advertisement

The European Commission has issued a statement regarding LinkedIn’s compliance with the Digital Services Act (DSA). LinkedIn has announced it will disable its functionality that allowed advertisers to target users based on their membership in LinkedIn Groups within the EU Single Market. This decision follows the Commission’s request for information to verify whether this feature complied with the DSA. The Commission’s inquiry was prompted by a civil society complaint suggesting LinkedIn’s targeting feature might have allowed advertisers to use special categories of personal data, such as racial or ethnic origin, political opinions, and religious beliefs. Internal Market Commissioner Thierry Breton noted that LinkedIn’s decision to discontinue this functionality demonstrates the DSA’s effectiveness in protecting sensitive personal data. The Commission will continue to monitor LinkedIn’s adherence to this commitment to ensure full compliance with the DSA. You can read the press release here and the full statement here.

ENISA: Designation as a Common Vulnerabilities and Exposures Numbering Authority announced

The EU Agency for Cybersecurity (ENISA) has increased its support for EU CSIRTs for Coordinated Vulnerability Disclosure (CVD) by becoming a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This new role authorises ENISA to assign CVE Identifiers and publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs. ENISA’s initiatives aim to foster the adoption of CVD practices at the national level, providing guidelines, recommendations, and analyses. Hans de Vries, ENISA’s Chief Cybersecurity and Operating Officer, highlighted the importance of addressing software vulnerabilities promptly to ensure digital security. Additionally, ENISA is developing a European Vulnerability Database (EUVD) to offer transparent access to vulnerability information and support efficient vulnerability management using the Common Security Advisory Framework (CSAF). Other legislative developments will also address vulnerability disclosure, with the Cyber Resilience Act (CRA) already including vulnerability handling requirements. You can read the full press release here.

Supervisory Authorities

Germany: Berlin Group adopts working paper on digital central bank money

The International Working Group on Data Protection in Technology (IWGDPT), known as the “Berlin Group”, chaired by the BfDI, has adopted a working paper on digital central bank money. This document outlines significant privacy risks and offers practical recommendations for mitigating these risks. Professor Ulrich Kelber, the BfDI, highlighted the growing trend towards digital payment systems and the potential decline of cash use, stressing the importance of data protection in this transition. The paper addresses the introduction of digital central bank money, such as the proposed digital euro by the EU, emphasising the potential loss of anonymity with digital payments compared to cash transactions. It warns that inadequate data protection could allow unprecedented access to personal financial data by authorities and financial institutions. The IWGDPT urges all stakeholders to consider data protection risks and develop measures to maintain the privacy-supportive characteristics of cash. You can read the press release here and the full paper here.

Norway: Datatilsynet publishes results of 2024 data protection survey

A new survey from the Norwegian data protection authority (Datatilsynet) reveals that Norwegians have increased their knowledge about data protection, but many still feel insecure about online tracking and surveillance. Six years after the introduction of new data protection rules, fewer people (21 per cent) feel poorly informed, compared to 37 per cent in 2019. Around 70 per cent are now aware of their basic rights, although those with higher education and income remain the best informed. Young people aged 15-19 are particularly uninformed and express uncertainty. Only 29 per cent feel in control of their personal data and half feel uncomfortable with the amount of information available about them online. Younger people are less concerned about privacy, but use a wider range of services that require personal data. The use of artificial intelligence is seen as a significant threat to privacy by 69 per cent of respondents. You can read the press release here and the full report here (both in Norwegian).

France: CNIL publishes recommendations on open data and reuse of personal data online

The French data protection authority (CNIL) released recommendations following a public consultation on the open data and reuse of personal data published online. These recommendations aim to help professionals balance their obligations and interests with the rights of individuals regarding their personal data. As the regulatory movement towards public data sharing accelerates, the CNIL recognises both opportunities and risks for individuals’ rights and freedoms. The recommendations outline how legal provisions should apply, supplemented by practical examples. To aid all stakeholders, the CNIL has provided detailed guides, including principles and case studies for data disseminators and reusers. Additionally, resources for the general public address changes in the reuse of data for commercial and directory purposes. The CNIL’s recommendations reflect contributions from a diverse range of public and private entities, enhancing clarity and aiding legal compliance. The CNIL will continue its efforts to address data sharing scenarios and regulatory developments. You can read the press release and access recommendations here (in French).

UK: ICO to investigate 23andMe data breach with Canadian counterpart

The UK’s data protection authority (ICO) and Canada’s data protection authority (OPC) have launched a joint investigation into the October 2023 data breach at 23andMe, a global direct-to-consumer genetic testing company. The joint investigation aims to assess the breach’s scope, the adequacy of 23andMe’s safeguards, and the company’s compliance with notification requirements under UK and Canadian data protection laws. This collaboration underscores the importance of international cooperation in protecting sensitive personal data, especially genetic information that reveals details about health, ethnicity, and biological relationships. The investigation will focus on potential harms to affected individuals and seek to reinforce public trust in genetic testing services. Both regulatory bodies emphasised the critical need for robust security measures to prevent misuse of genetic data. You can read the press release here.

Netherlands: AP states that education sector must set clear terms for social media use

The Dutch data protection authority (AP) has stated that educational institutions should only use social media if clear agreements are made with social media companies regarding the handling of student and teacher data. In a recent advice to an educational institution, the AP emphasised that without such agreements, schools and universities should refrain from using these platforms. AP chairman Aleid Wolfsen highlighted the significant risks, such as social media companies’ potential to create detailed profiles for advertising purposes, possibly including sensitive data like health or political views. The advisory underlines the necessity for clear responsibilities concerning compliance with the GDPR and the secure storage of data, especially outside the European Economic Area. Additionally, educational institutions must obtain explicit consent from students and teachers, clearly stating what will happen with their data. The AP urges all educational institutions to review their social media use and establish necessary agreements with platforms. You can read the press release here (in Dutch).

Netherlands: AP calls for more clarity on approaching individuals eligible for benefits or allowances

The Dutch data protection authority (AP) has called for amendments to the proposed legislation allowing government agencies to proactively contact individuals entitled to benefits or allowances. The AP emphasises that clear information must be provided in advance about which personal data will be exchanged. The proposal, which aims to modify the Work and Income Implementation Structure Act (SUWI), seeks to enable agencies like UWV, SVB, and municipalities to share data to identify individuals potentially missing out on benefits. AP board member Katja Mur supports the initiative but stresses the need for clear agreements on data use to avoid surprising citizens. The specific benefits affected and the types of personal data involved remain unspecified, raising concerns about individuals’ ability to assess their participation. The proposal must also include provisions for data retention periods and a streamlined opt-out process, ensuring individuals do not need to separately opt out with each agency. You can read the press release here (in Dutch).

Netherlands: AP and RDI call for coordinated and urgent AI oversight

The Dutch data protection authority (AP) and the Digital Infrastructure Inspectorate (RDI) have advised the government on the urgent need for coordinated oversight of artificial intelligence (AI) systems. This recommendation follows the recent approval of the European AI Regulation, which mandates that high-risk AI systems meet strict product requirements and receive a CE marking. Emphasising the necessity of cooperation, the AP and RDI highlight that all relevant supervisors must have sufficient budget and staff to enforce these regulations effectively. They propose that AI supervision should align with existing sectoral oversight, with AP acting as the ‘market supervisor’ for high-risk AI applications without current CE marking requirements. The document proposes exceptions for financial and critical infrastructure sectors and emphasises the importance of timely appointments of regulators to meet impending deadlines. You can read the press release here (in Dutch).

Global

Meta pauses AI training in Europe following DPC request

Meta has announced a delay in training its large language models (LLMs) using public content shared by adults on Facebook and Instagram in Europe. This decision follows a request from the Irish data protection authority (DPC), representing European Data Protection Authorities (DPAs), despite Meta’s claim of adhering to European laws and incorporating regulatory feedback. Meta emphasised its transparent approach compared to industry counterparts like Google and OpenAI. The company clarified that its AI models use public information and do not utilise private messages or content from users under 18. The DPC acknowledged Meta’s decision, highlighting ongoing collaborative efforts to ensure compliance with European data protection regulations. Meta expressed disappointment, stating the pause hinders AI innovation and competition in Europe, and affects the launch of Meta AI in the region. The company is also addressing specific requests from the UK’s Information Commissioner’s Office (ICO) related to this issue. You can read Meta’s press release here and DPC’s statement here.

Sanctions

Denmark: Datatilsynet reprimands three police districts for inadequate security measures

The Danish data protection authority (Datatilsynet) has reprimanded three police districts—North Jutland, Funen, and Bornholm—for insufficient log control in the use of their case management system, POLSAS. Initiated in 2021, the investigation revealed that while user management and access rights were handled properly, the districts failed to implement regular log checks to ensure that users only accessed data necessary for their work. The lack of routine checks, conducted only when misuse was suspected, was deemed non-compliant with security regulations. Datatilsynet emphasised that ongoing sample checks of logs, ideally at least biannually, are necessary to prevent misuse. Additionally, automatic alerts for suspicious activity were recommended. Proper log control not only corrects but also deters unauthorised access, reinforcing overall data protection. This oversight particularly concerns POLSAS, where sensitive information about criminal matters is processed and broadly accessible to police staff. You can read the press release here (in Danish).
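The two controls the Danish decision describes, periodic sample checks of the access log and automatic alerts on suspicious activity, shown as an added Python example. This is not code from Datatilsynet, from the police districts or from POLSAS: the log line format, the field names, the user-to-case assignment table and the alert threshold are all constructed assumptions for illustration.

```python
"""Periodic log control for a case-management access log.

Added example, not the code of Datatilsynet, the police districts or POLSAS.
Everything here is constructed: the log lines, the user-to-case assignment
table, the 'timestamp key=value ...' field layout and the alert threshold are
assumptions chosen to illustrate the check, not a real system's format.
"""
import random
from collections import defaultdict

# Constructed access-log lines (timestamp, user, case id, action).
ACCESS_LOG = [
    "2024-06-03T08:12:44 user=officer_a case=C-1001 action=read",
    "2024-06-03T08:15:02 user=officer_a case=C-1002 action=update",
    "2024-06-03T09:01:10 user=officer_b case=C-2001 action=read",
    "2024-06-03T09:05:33 user=officer_b case=C-1001 action=read",
    "2024-06-03T10:20:07 user=clerk_c case=C-3001 action=read",
    "2024-06-03T10:21:15 user=clerk_c case=C-4001 action=read",
    "2024-06-03T10:21:40 user=clerk_c case=C-4002 action=read",
    "2024-06-03T10:22:03 user=clerk_c case=C-4003 action=read",
    "2024-06-03T11:00:00 user=officer_a case=C-1001 action=read",
    "2024-06-04T07:45:12 user=officer_b case=C-2001 action=update",
]

# Constructed assignment table: the cases each user has a work-related need for.
ASSIGNMENTS = {
    "officer_a": {"C-1001", "C-1002"},
    "officer_b": {"C-2001"},
    "clerk_c": {"C-1001", "C-2001", "C-3001"},
}


def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    timestamp, *fields = line.split()
    record = {"timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def out_of_scope_accesses(log_lines, assignments):
    """Return records where a user touched a case outside their assignments.

    This is the 'did users only access data necessary for their work' check:
    the assignment table is the reference the log is judged against.
    """
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec["case"] not in assignments.get(rec["user"], set()):
            findings.append(rec)
    return findings


def sample_for_review(log_lines, sample_size, seed=0):
    """Draw a reproducible random sample of log lines for manual spot-checking.

    A fixed seed makes the review auditable: the same seed reproduces the same
    sample, so the reviewer can show exactly which lines were examined.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(log_lines, min(sample_size, len(log_lines))))


def volume_alerts(log_lines, max_distinct_cases_per_day):
    """Flag (user, day, count) where a user opened more distinct cases than allowed.

    Stands in for the automatic alert on suspicious activity: browsing many
    unrelated cases in one day is a simple, explainable trigger for follow-up.
    """
    seen = defaultdict(set)  # (user, day) -> distinct case ids
    for line in log_lines:
        rec = parse_line(line)
        seen[(rec["user"], rec["timestamp"][:10])].add(rec["case"])
    return sorted(
        (user, day, len(cases))
        for (user, day), cases in seen.items()
        if len(cases) > max_distinct_cases_per_day
    )


def run_log_control(log_lines, assignments, sample_size=3, threshold=3):
    """Run one review cycle and return the findings as a summary dict."""
    return {
        "sample": sample_for_review(log_lines, sample_size),
        "out_of_scope": out_of_scope_accesses(log_lines, assignments),
        "alerts": volume_alerts(log_lines, threshold),
    }


if __name__ == "__main__":
    result = run_log_control(ACCESS_LOG, ASSIGNMENTS)
    for rec in result["out_of_scope"]:
        print("out of scope:", rec["timestamp"], rec["user"], rec["case"])
    for user, day, count in result["alerts"]:
        print(f"alert: {user} opened {count} distinct cases on {day}")
```

On the constructed data the scope check flags one access by officer_b and three by clerk_c, and the volume alert fires for clerk_c on 3 June. The seeded sample is what a biannual review would record as examined; the alert function is what turns the same log into a continuous control rather than a check run only after misuse is suspected.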