Data Protection Weekly 23/2024

Jul 3, 2024

European Union

European Commission: Feedback sought on draft implementing act under the NIS2 Directive

The European Commission is inviting public feedback on the draft implementing act under the NIS2 Directive, which aims to enhance cybersecurity across the Union. This directive now includes medium and large entities from critical sectors such as public electronic communications, digital services, wastewater and waste management, space, critical product manufacturing, postal and courier services, and public administration. The Commission plans to adopt the implementing act by 17 October, detailing the technical and methodological requirements for cybersecurity risk management for entities in digital infrastructures, digital providers, and ICT service management sectors. The draft implementing act is open for public feedback via the Have Your Say portal for 4 weeks. You can read the press release here.

European Commission: First high-level meeting of the upcoming AI Board to drive AI Act implementation forward

On 19 June, the European Commission hosted the first high-level meeting of the forthcoming AI Board at the Borschette building to set the groundwork for the AI Act’s implementation, expected to enter into force in early August. The meeting emphasised early collaboration, discussing strategic vision, national approaches to governance and supervision, first deliverables and priorities, and the organisation of the Board. Key attendees included Director-General Roberto Viola, AI Office Director Lucilla Sioli, and high-level delegates from all EU Member States, as well as observer representatives from the European Data Protection Supervisor (EDPS) and EEA/EFTA members—Norway, Liechtenstein, and Iceland. The Commission aims for a robust setup of the AI governance framework to ensure effective Member State participation from the start. The next meeting is scheduled for early autumn, post-entry into force of the AI Act. You can read the press release here.

European Commission: Feedback sought from industry on the use of artificial intelligence in finance

The European Commission has launched a targeted consultation and a series of workshops to gather input from financial stakeholders on the use of artificial intelligence (AI) in finance. These initiatives will address use cases, benefits, barriers, risks, and stakeholder needs. The feedback will enable the Commission to provide implementation guidance for the AI Act within the financial sector. Stakeholders are encouraged to respond to the consultation by 13 September, with particular interest in contributions from companies developing or using AI systems. Additionally, workshops co-hosted with European Supervisory Authorities and national supervisors will allow stakeholders to present projects and discuss recent developments. Registration for the workshops, scheduled for autumn, is open until 26 July. Commissioner Mairead McGuinness emphasised the importance of collaboration between the Commission, authorities, and market participants to ensure sensible and responsible implementation of AI regulations. You can read the press release here.

ENISA: Cyber Europe 2024 tests EU cyber preparedness in energy sector

The EU Agency for Cybersecurity (ENISA) conducted the 7th edition of Cyber Europe, focusing on the resilience of the EU energy sector amidst increasing cyber threats. With over 200 reported cyber incidents targeting the energy sector in 2023, more than half in Europe, the exercise highlighted the sector’s vulnerability. EU Commissioner Thierry Breton emphasised the importance of such exercises for cybersecurity resilience, while ENISA’s Executive Director Juhan Lepassaar reiterated the need to protect critical infrastructure. The event involved a scenario of cyber threats stemming from geopolitical tensions, requiring swift coordination to prevent economic and political destabilisation. Over 1000 experts and 30 national cybersecurity agencies participated in the two-day event, enhancing crisis management skills. Following the exercise, an after-action report will analyse weaknesses and provide recommendations to bolster the EU energy sector’s resilience. You can read the full press release here.

EDPB: Zdravko Vukić elected new Deputy Chair

On 19 June 2024, Zdravko Vukić, Director of the Croatian data protection authority, was elected Deputy Chair of the European Data Protection Board (EDPB). He succeeds Aleid Wolfsen, who completed his five-year term. Vukić will work with Deputy Chair Irene Loizidou Nikolaidou and Chair Anu Talus to ensure consistent application of EU data protection rules and effective cooperation among European Economic Area (EEA) data protection authorities. Vukić aims to raise GDPR awareness, empower individuals, and support businesses in compliance. He stressed the importance of improving enforcement cooperation and ensuring adequate staffing for the EDPB Secretariat. Anu Talus thanked Wolfsen for his service and welcomed Vukić, highlighting the need to manage the EDPB’s growing responsibilities. You can read the press release here.

Supervisory Authorities

Spain: AEPD and EDPS analyse neurodata protection challenges

The Spanish data protection authority (AEPD) and the European Data Protection Supervisor (EDPS) have released a joint report on the challenges posed by the processing of neurodata. Neurotechnological advances have enabled devices that monitor brain activity, originally developed for clinical and research purposes, to be used in marketing and consumer behaviour analysis. These technologies are also being integrated into everyday activities like education and entertainment. The report highlights the intrusive nature of neurodata processing and emphasises the necessity of strict data protection compliance, noting the invasive impact on personal privacy. The document advocates for a thorough evaluation of neurodata’s impact on fundamental rights and underscores the importance of establishing neurorights, especially concerning services for minors. You can read the press release here (in Spanish) and the full report here.

Belgium: Belgian DPA releases 2023 annual report

The Belgian data protection authority (DPA) has published its Annual Report for 2023, highlighting significant organisational changes and achievements. The Executive Committee was strengthened with two new directors, and operational laws were amended. Emphasising internal and external collaboration, the DPA implemented the “cookies” priority with new compliance tools and guidelines, supported by the EDPB. It also engaged with DPOs through events and took part in the coordinated European action on DPOs. To raise data protection awareness among young people, the DPA partnered with educational stakeholders. The DPA addressed ethical and societal aspects of artificial intelligence in Parliament and contributed to high-profile EDPB dispute resolutions, including cases against TikTok and Meta. In 2023, the DPA received 694 complaints and 1292 data breach notifications, noting an increase in hacking incidents. The Litigation Chamber issued 171 decisions. Detailed figures are available in the report. You can read the press release and download the full report here.

Netherlands: AP calls for transparency and judicial oversight in the government’s use of algorithms

Aleid Wolfsen, chairman of the Dutch data protection authority (AP), stressed the need for transparency and judicial review of government decisions involving algorithms. Speaking during the Week of the Rule of Law, Wolfsen highlighted the challenges that algorithms and AI pose for judicial review of government actions. Referring to past problems with the Tax and Customs Administration and the Education Executive Agency, he noted that the late discovery of algorithmic problems could have been mitigated with greater transparency and judicial vigilance. Wolfsen argued for proactive disclosure by government when algorithms influence decisions, including clear explanations in decision letters. He stressed the importance of judicial review of potential discrimination in algorithmic decision-making and urged judges to be particularly vigilant. The event featured discussions on upcoming AI regulations and their oversight, including insights from AI expert Manuella van der Put, who argued for the irreplaceable role of human judges while acknowledging AI’s potential to support judicial efficiency. You can read the press release here (in Dutch).

EDRi: Joint statement on the future of the CSA Regulation

On 1 July 2024, EDRi and 47 civil society organisations sent a joint statement to the Hungarian Council Presidency and various member state representatives, urging the withdrawal of the draft Child Sexual Abuse (CSA) Regulation. The statement highlights concerns that the proposed regulation could undermine secure communications without effectively addressing the issue of child sexual abuse. For two years, member states have struggled to reach a consensus on the CSA Regulation, with the recent Belgian Presidency also failing to broker a deal. The statement calls for collaboration with children’s rights groups, digital human rights organisations, and cybersecurity experts to develop feasible solutions. It also emphasises the importance of implementing the Digital Services Act, investing in national child protection hotlines, and pursuing primary prevention strategies. You can read the press release here and the full statement here.
Sweden: IMY completes in-depth reviews of data protection officers’ roles

The Swedish data protection authority (IMY) has concluded six reviews focusing on potential conflicts of interest for data protection officers (DPOs) in various organisations. This investigation is part of a coordinated action by the European Data Protection Board (EDPB). Under GDPR, certain entities must appoint DPOs to ensure compliance with data protection laws. These officers can hold other roles, provided there is no conflict of interest. IMY found issues in Region Västerbotten, where the DPO’s dual role as a legal advisor created a conflict, resulting in a reprimand and a mandate for corrective actions. Similarly, the social committee in Örebro was reprimanded for insufficient support and resources for its DPO. These findings contribute to the EDPB’s comprehensive report on the role and status of DPOs across Europe. You can read the press release here and full details here (both in Swedish).

Italy: Garante fines Eni Plenitude over €6 million for unlawful telemarketing practices

The Italian data protection authority (Garante) has fined Eni Plenitude €6,419,631 for making promotional calls without consent and failing to monitor contracts obtained through illicit contacts. Following 108 reports and 7 complaints of unsolicited calls, the investigation revealed that out of 747 contracts signed during a sampled week, 657 were from illicit contacts. Extrapolated annually, this could equate to 32,850 illicitly activated services. The Garante highlighted significant deficiencies in the company’s control over agencies and databases, stressing that merely removing rogue agents or conducting audits is insufficient. Measures must prevent contracts from illicit calls from entering the system. Alongside the fine, Eni Plenitude must cease processing complainants’ data, inform the 657 affected individuals of the investigation outcome, and implement controls to prevent future violations, ensuring compliance with data accuracy, deletion, and rectification obligations. You can read the press release here (in Italian).

Sweden: IMY fines Avanza Bank for transferring personal data to Meta

The Swedish data protection authority (IMY) has issued a fine of SEK 15 million (approx. €1,320,000) to Avanza Bank AB for transferring customer data to Meta through the use of the Meta pixel on its website and app. According to Avanza’s report, personal data of up to one million customers, including data on securities holdings and value, loan amount, account number and social security number, were mistakenly transferred to Meta from 15 November 2019 to 2 June 2021. The error occurred due to incorrect settings when new features of the Meta pixel were activated. IMY’s investigation found that Avanza failed to implement appropriate technical and organisational measures to ensure the security of personal data, violating GDPR. Upon discovery, Avanza deactivated the pixel and confirmed with Meta that the collected data had been deleted. The bank has since improved its internal procedures to ensure proper data handling. You can read the press release here (in Swedish).

Italy: Garante initiates proceedings against 18 regions and 2 autonomous provinces

The Italian data protection authority (Garante) has launched corrective and sanction procedures against 18 regions and the autonomous provinces of Bolzano and Trento for multiple breaches in the implementation of the electronic health record (EHR) 2.0 regulations introduced by the Ministry of Health’s decree of 7 September 2023. This urgent action aims to protect the rights of all Italian patients affected by the processing of health data through EHR 2.0. The investigation, which started at the end of January, revealed significant deviations from the required national guidelines, such as those on data anonymisation, specific consent and security measures. The result is inconsistent protection of patients’ data, which risks creating discriminatory effects and undermining the functionality and efficiency of the EHR 2.0 system across the country. The breaches may lead to sanctions under the GDPR. You can read the press release here (in Italian).

Norway: Datatilsynet cannot impose daily fines in cross-border cases

The Norwegian Data Protection Tribunal (Personvernnemnda) has ruled that the Norwegian data protection authority (Datatilsynet) cannot impose daily fines in cross-border cases involving international companies such as Meta. The decision is based on the Tribunal’s interpretation that the Norwegian Personal Data Act, which allows for daily fines, does not apply to cross-border data protection issues. Despite the ruling, the ban on behavioural advertising on Facebook and Instagram remains in place. Meta did not comply with Datatilsynet’s original behavioural advertising ban, which led Datatilsynet to impose daily fines. Meta appealed and the court ruled in favour of Meta Ireland and Facebook Norway. Line Coll, director of Datatilsynet, said she was surprised by the decision, but acknowledged its significance and stressed that the behavioural advertising ban remains in place. Coll stated that the court’s interpretation removes a critical enforcement tool against large international companies, potentially leading to unequal treatment between Norwegian and international companies, and hopes for legislative clarification soon. You can read the press release here (in Norwegian).