Data Protection Weekly 23/2023

Jun 9, 2023

European Union

EDPB: Adoption of the final version of Guidelines on the calculation of administrative fines

The European Data Protection Board (EDPB) has adopted the final version of the Guidelines on the calculation of administrative fines, following a public consultation. The guidelines seek to standardise the method used by Data Protection Authorities (DPAs) to calculate fines and include agreed-upon ‘starting points’. These guidelines consider three aspects: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of a business. They present a 5-step methodology, considering multiple factors including the number of instances of sanctionable conduct, legal maximums of fines, and the principles of effectiveness, dissuasiveness, and proportionality. An annex has been added post-consultation, providing a reference table and two examples of application. These guidelines will aid the EDPB’s goal of more efficient cooperation among DPAs on cross-border cases. You can read the press release here and download the Guidelines here.

ENISA: Annual Privacy Forum tackles data protection challenges amid AI developments

The Annual Privacy Forum, organised by the European Union Agency for Cybersecurity (ENISA), DG Connect, and INRIA, took place in Lyon, France, this year. Gathering 26 speakers and over 400 participants both in-person and virtually, the forum addressed critical topics concerning personal data protection. Subjects ranged from emerging technologies for personal data protection to GDPR compliance and data subject rights, with a special emphasis on the impact of AI and machine learning on data privacy. Discussions highlighted the need for safeguards, noting that trust is the foundation for the secure adoption of these technologies. The forum also explored the potential benefits and risks of AI to society and underscored the urgency of proactive measures to ensure responsible AI implementation. You can read the press release here.

EDPS: Director at EDPS shares his reflections regarding Explainable AI and its impact on data protection

In a blog post, Leonardo Cervera Navas, director at EDPS, shares the insights gathered from the discussion that occurred during the Internet Privacy Engineering Network (IPEN) event hosted by the European Data Protection Supervisor (EDPS). The event convened experts to explore the implications of Explainable Artificial Intelligence (XAI) on data protection. As mentioned by Navas, XAI, an AI model providing explanations for its decisions, holds the promise of increased transparency and trust. However, the experts highlighted the challenge of simplifying explanations without compromising predictive accuracy, and pointed out risks such as revealing personal or commercially sensitive information. The experts also emphasised the need for interdisciplinary collaboration, prioritisation of individuals’ control over their data, and a rigorous application of EU Regulations, including the GDPR, in AI development. You can read the blogpost here.

European Commission: Code of Practice on Disinformation’s signatories set to discuss future challenges

A year after the strengthened Code of Practice on Disinformation’s launch, its signatories are set to meet to discuss ongoing efforts and upcoming challenges. Chaired by the European Commission, this meeting aims to address issues including preparations for the next European elections, the improvement of fact-checking methods, empowering users, and responding to generative AI developments. Vice-President for Values and Transparency, Věra Jourová, emphasised the need to increase efforts in combating disinformation, specifically calling out pro-Kremlin war propaganda and the misuse of generative AI. Commissioner for Internal Market, Thierry Breton, also noted the need for enhanced fact-checking capacity, content moderation in all EU languages, and improved data access for researchers. He stressed that platforms hold a significant responsibility, particularly considering disinformation risks surrounding Ukraine and potential election impacts. You can read the press release here.

European Commission: Public consultation on the template for DMA compliance report

The European Commission has launched a consultation on a draft template for compliance reports to be submitted by gatekeepers under the Digital Markets Act (DMA). The goal of the consultation is to collect feedback from stakeholders to ensure that all necessary information for assessing compliance is included in the reports. Stakeholders have until July 5, 2023, to submit their views on the draft. The Commission plans to designate the gatekeepers under the DMA by September 6, 2023. These companies will then have six months to comply with the DMA’s obligations and prohibitions, after which they must provide a report demonstrating their compliance and update these reports annually. You can read the press release here.

National Authorities

Netherlands: AP asks for clarification on ChatGPT

The Dutch data protection authority (AP) has requested clarification from OpenAI on its handling of personal data while training its AI model, ChatGPT. Concerned about how organisations utilising generative AI manage personal information, the AP aims to understand whether user inquiries are employed in training the algorithm and how data is collected from the internet. The AP raised concerns about the generated content’s accuracy and the possibility of rectifying or deleting such data. Furthermore, the AP emphasises the importance of adherence to the General Data Protection Regulation (GDPR) when using algorithms due to the frequent involvement of personal data. In order to coordinate actions and share information, the European Data Protection Board has established a task force specifically for ChatGPT, as the AP recalled. You can read the press release (in Dutch) here.

Germany: BfDI raises data privacy concerns regarding new draft law about identity documents

The Federal Commissioner for Data Protection and Freedom of Information in Germany (BfDI) has raised concerns over a new draft law that aims to enhance the data processing capabilities of printed and stored data on passports and identity cards. The law aims to provide any public authority access to chip-stored data, including biometric photographs, for identification. The BfDI asserts that this could pose serious threats to the rights of individuals, as the processing of biometric data is subject to high requirements. Moreover, the BfDI criticised the absence of restrictions on data processing, especially regarding purpose and duration. The authority suggested the law should stipulate conditions, such as an explicit legal basis for further processing and immediate deletion of data post-identification, to prevent the creation of shadow databases. The BfDI’s full statement is available (in German) here.

Italy: Garante releases new Guide on GDPR application

On the occasion of the fifth anniversary of the full application of the General Data Protection Regulation (GDPR), the Italian data protection authority (Garante) has launched a new edition of the Guide to the application of the GDPR. This guide is designed as a practical reference for those operating in both public and private sectors. It offers an overview of the key aspects businesses and public entities should consider for full GDPR implementation. It also details new user rights introduced by the GDPR, including the right to data portability and the right to be forgotten. The guide incorporates references to European guidelines and national legislation, offering useful recommendations in each chapter. It will be subject to ongoing updates in line with national and European developments. You can read the press release here and download the full Guide here (both in Italian).

Portugal: CNPD launched public consultation on DPO performance evaluation

The Portuguese data protection authority (CNPD) has launched a public consultation on guidelines for the performance evaluation of workers who serve as Data Protection Officers (DPOs). The public consultation, which runs until June 9, 2023, was prompted by the absence of legal norms regulating the legal status of DPOs within public entities, particularly regarding their performance evaluation when they hold other roles. The CNPD is seeking contributions and practical experiences to enhance perspectives and strengthen the utility and appropriateness of the guidelines. The CNPD also recently approved guidelines on the incompatibility of combining DPO functions with other roles. Furthermore, CNPD recalled that a coordinated EU action is underway to survey DPOs about their positions within organisations. The deadline for this survey is next week, May 15. Those who haven’t yet responded are urged to do so as soon as possible. You can read the press release (in Portuguese) here.


US: Microsoft Settles FTC Charges for $20 Million over COPPA Violations

Microsoft has agreed to a $20 million settlement to resolve allegations by the Federal Trade Commission (FTC) that it violated the Children’s Online Privacy Protection Act (COPPA). The FTC claimed Microsoft illegally collected personal data from children without parental consent through its Xbox gaming system. As part of the proposed order awaiting federal court approval, Microsoft will bolster its privacy protections, extending COPPA safeguards to third-party gaming publishers. The order explicitly includes children’s avatars, along with biometric and health data, under COPPA regulations and reaffirms that personal data cannot be retained longer than necessary. Through this settlement, the FTC aims to underscore the importance of children’s online privacy rights and adherence to COPPA. You can read the full statement here.

US: Amazon Faces $25 Million Fine over COPPA Violations

The Federal Trade Commission (FTC) and the Department of Justice (DOJ) have filed charges against Amazon, accusing it of violating the Children’s Online Privacy Protection Act (COPPA) and misleading users of its Alexa voice assistant service about data deletion practices. Allegedly, the tech giant retained sensitive voice and geolocation data for years, using it for its own benefit and neglecting the COPPA requirements for parental rights to delete data. The proposed settlement includes a $25 million fine and requires Amazon to delete inactive child accounts as well as certain voice and geolocation data. Furthermore, Amazon is prohibited from using such data to refine its algorithms. The order must be approved by a federal court before it can be enforced. This case emphasises the FTC’s commitment to upholding privacy protections for consumers, especially children. You can read the full statement here.

FEDMA highlights areas for GDPR Improvement

The Federation of European Data and Marketing (FEDMA) has published an assessment of the General Data Protection Regulation (GDPR), identifying key areas for improvement. Despite the Regulation’s transformative influence on data protection and privacy, FEDMA has identified challenges such as fragmentation and legal uncertainty that contradict the harmonisation goal of the GDPR. Recommendations include adopting a risk-based approach for GDPR interpretation, promoting an inter-regulatory approach in GDPR enforcement, and enhancing legal certainty in international data transfers. FEDMA also advocates for the importance of legitimate interest for data subjects, encouraging investment in privacy-enhancing technologies, and maintaining a clear allocation of responsibilities between data controllers and processors. The recommendations were based on a survey of FEDMA and DMA members. You can read the press release here and the full report here.


Italy: Garante seizes telemarketing databases and imposes heavy fines in unprecedented action

In an unprecedented operation, the Italian data protection authority (Garante) has taken action against illegal telemarketing activities by seizing databases and imposing fines on the offending companies. This enforcement action, carried out in cooperation with the Special Privacy and Technological Fraud Unit of Rome and the Provincial Command of the Guardia di Finanza of Verona, marks the first time databases have been confiscated. The companies involved (Mas s.r.l.s, Mas s.r.l., Sesta Impresa s.r.l., and Arnia Società Cooperativa) were found guilty of violating personal data protection laws and received substantial fines. Mas s.r.l.s was fined €200,000, Mas s.r.l. €500,000, Sesta Impresa s.r.l. €300,000, and Arnia Società Cooperativa was fined the highest at €800,000. Two of these companies also had their databases confiscated, further incapacitating their illicit activities. This incident underscores the increased effort from the Privacy Authority to combat illegal telemarketing and uphold personal data protection laws. You can read the press release here.

Denmark: Datatilsynet reprimands Boligportal over EU/US data transfer following NOYB complaint

The Danish data protection authority (Datatilsynet) recently levied serious criticism against Boligportal, one of Denmark’s largest online marketplaces for rental properties, for its failure to demonstrate that its processing of personal data through Facebook Business Tools complies with the General Data Protection Regulation (GDPR). This scrutiny arose from one of 101 complaints lodged in 2020 by NOYB, which questioned the use of either Google Analytics or Facebook Business Tools on various websites. The Datatilsynet determined that Boligportal and Meta Ireland Limited (the provider of Facebook Business Tools) acted as joint controllers of personal data processing. However, Boligportal could not adequately demonstrate its role and the distribution of responsibilities with Meta Ireland, particularly regarding data transfer outside the EU/EEA. Consequently, Datatilsynet directed Boligportal to align its data processing with GDPR rules. You can read the press release here and the full decision here (both in Danish).