Data Protection Weekly 24/2023

Jun 19, 2023

European Union

European Parliament: Adoption of negotiating position on the AI Act

The European Parliament (EP) has agreed on its negotiating position for the Artificial Intelligence (AI) Act, a milestone set of rules for safe and transparent AI. The legislation, which is designed to promote human-centred and trustworthy AI, aims to protect health, safety, fundamental rights, and democracy from AI’s harmful effects. It was supported by 499 MEPs, with 28 against and 93 abstentions. The rules follow a risk-based approach, with prohibitions on AI systems posing an unacceptable safety risk, such as those used for social scoring, real-time remote biometric identification, emotion recognition systems, and predictive policing. High-risk AI now includes systems that pose significant harm to health, safety, rights, or the environment, or that are used to influence voters. Furthermore, generative AI systems, such as ChatGPT, must comply with transparency requirements, disclosing AI-generated content and safeguarding against generating illegal content. The legislation also aims to boost AI innovation and support SMEs, adding exemptions for research activities and AI components provided under open-source licences. Trilogue negotiations with the Council on the final form of the AI Act will now begin. The full press release can be found here.

CJEU: AG opinion on access to personal data in criminal matters

Advocate General Laila Medina has delivered her opinion in case C-333/22, brought before the Court of Justice and concerning the “Law Enforcement Directive” (Directive 2016/680). The directive lays down rules for the protection of personal data in the context of judicial and police cooperation. The case was brought by an individual who was denied a ‘security clearance certificate’ because of his participation in demonstrations, and who subsequently sought access to his personal data. The Advocate General considered that a broad, blanket exemption from the right of direct access to personal data in criminal matters is incompatible with EU law. Furthermore, she proposed that when a data subject exercises rights indirectly through a supervisory authority, they must have a judicial remedy against that authority in relation to its data processing check. You can read the press release here and the full opinion here.

CJEU: AG opinion on Europol and Member State joint liability for unlawful data processing

Advocate General Athanasios Rantos states in case C-755/21 that both Europol and a Member State in which damage has been caused by unlawful data processing can be jointly and severally liable. The case arises from a situation in which personal information concerning Mr. Kočner, which Europol had retrieved from mobile telephones and a USB device at the request of the Slovak authorities, was made available to the public by the press. Mr. Kočner’s claim for compensation was initially dismissed by the General Court. In his Opinion, Advocate General Rantos notes that the Court of Justice has its first opportunity to rule on the nature of Europol’s non-contractual liability, and proposes that the judgment of the General Court be set aside in part. He maintains that both Europol and the Member State could be liable for damage resulting from unlawful data processing. You can read the press release here and the full opinion here.

ENISA: New Chair and Deputy Elected for ENISA’s Management Board

Fabienne Tegeler (Germany) has been appointed as the new chair of the Management Board of the European Union Agency for Cybersecurity (ENISA). Ms. Tegeler, from the German Federal Office for Information Security (BSI), replaces the outgoing chair, Jean-Baptiste Demaison (France). She is the sixth chair and the third woman to hold the position since ENISA was established. Stefan Lee (Finland) has been elected as vice-chair. Both new appointees bring considerable experience to their roles and are expected to continue the valuable contributions to the work of ENISA. Under its new leadership, the agency is expected to carry forward the implementation of the Cybersecurity Act, aiming to achieve a high common level of cybersecurity across the European Union. Outgoing chair Demaison expressed confidence in ENISA’s continued growth and impact on cybersecurity public policies. You can read the press release here.

ENISA: Publication of a study regarding good practices for supply chain cybersecurity

A recent study by the European Union Agency for Cybersecurity (ENISA) offers insight into the current supply chain cybersecurity practices of essential and important entities in the EU, including how cybersecurity budgets are allocated. It reveals that 86% of surveyed organisations have ICT/OT supply chain cybersecurity policies, and 47% allocate a budget to this area. However, 76% lack dedicated roles for ICT/OT supply chain cybersecurity. Good practices, drawn from European and international standards, are discussed in five areas: strategic corporate approach, supply chain risk management, supplier relationship management, vulnerability handling, and quality of products and practices. These practices can be implemented by customers or suppliers under the NIS2 Directive, contributing to a more secure digital ecosystem. You can download the full study here.

National Authorities

Germany: Federal Labour Court: Works council chairperson as data protection officer problematic

In its ruling of 6 June 2023 (Case No. 9 AZR 383/19), the Federal Labour Court (Bundesarbeitsgericht, BAG) decided that the duties of the works council chairperson and the data protection officer cannot, as a rule, be performed by the same person without a conflict of interest. In its press release on the decision, the BAG explains that the works council decides on the purposes and means of processing personal data within the scope of its activities. Since the chairperson of the works council represents the works council within the framework of the resolutions it passes, he or she has a prominent function and therefore a conflict of interest that justifies dismissal from the role of data protection officer. Read the press release in German here.

Spain: AEPD releases updated version of Gestiona, its data processing and PIA management tool

The Spanish data protection authority (AEPD) has launched an improved version of its Gestiona tool, aimed primarily at small public or private organisations. The redesign includes a more intuitive interface and the latest guidance from the AEPD’s published guides. Gestiona now supports the management of an entity’s entire Record of Processing Activities, with up to 500 processing activities integrated. Furthermore, it includes functions for identifying risk factors for the rights and freedoms of the people whose data are being processed. The tool now allows for risk management, with suggested privacy measures for each specific risk factor identified. It also aids in managing data breaches, security, and data protection policies. The tool stores and processes data locally, and can generate management reports in ‘doc’, ‘html’, and ‘csv’ formats. You can read the press release here (in Spanish) and access the tool here.

UK: ICO evaluates impact of the Children’s code a year after implementation

The Information Commissioner’s Office (ICO) has published an evaluation report assessing the impact of the Children’s code (or Age appropriate design code) a year after the end of its transition phase on 2 September 2021. The code aims to improve and secure children’s online experiences and applies to online services likely to be accessed by children, such as apps, online games, social media platforms, and websites. Over 50 organisations have been evaluated for conformance with the code, and 11 investigations are currently open. The ICO has also audited ten online services and revised its position to clarify that adult-only services are in scope of the Children’s code if they are likely to be accessed by children. The ICO plans to release guidance for adult-only services and other organisations in the near future. The evaluation reveals that nearly half of the surveyed businesses believe they fully conform with the code. The ICO is considering strategies to further enhance children’s online experiences over the next two to five years. You can read the press release here and the full evaluation report here.

Italy: Garante requests information from TikTok regarding data access by China

The Italian data protection authority (Garante) has sought information from TikTok regarding statements by a former executive of its parent company ByteDance. As reported by the press, these statements suggest that the Chinese Communist Party may have accessed personal user data. Given that the allegations point to a potentially unlawful data transfer from TikTok to the Party (a claim firmly denied by the company in recent institutional meetings on the topic), the Garante has asked TikTok to provide observations on the reports. Specifically, the inquiry seeks to determine whether TikTok Technology Ltd may have been involved in transmitting data of Italian and European users to Chinese government authorities. TikTok is required to respond to the Authority within 15 days of receiving the request. You can read the press release (in Italian) here.

UK: ICO warns businesses over AI privacy risks

The UK data protection authority (ICO) has warned businesses of the potential privacy risks associated with the use of generative Artificial Intelligence (AI). Generative AI, projected to become a £1 trillion market within a decade, generates content by collecting large volumes of information, including personal data, from publicly accessible sources. ICO Executive Director of Regulatory Risk, Stephen Almond, emphasised the importance of understanding how AI uses personal information and mitigating any identified risks before implementation. The ICO has outlined eight questions that organisations using generative AI should ask themselves, and has committed to acting where the law is not followed. Almond warned that businesses must address privacy risks before deploying generative AI, and that the ICO will take action where there is a risk of harm due to poor data use. You can read the full article here.

US: Zoom introduces tools and features to strengthen user privacy

Zoom is stepping up its commitment to data privacy by introducing a host of new features designed to give users greater control over their personal data. These measures include the ability for users based in the European Economic Area (EEA) to opt for their data to be stored within the EEA. In addition, the company has established a dedicated support team in Europe and introduced a tool to facilitate responses to data access or deletion requests, in line with the GDPR. A Marketing Preference Centre allows users to control the marketing communications they receive. Moreover, an Audit Log Tracking feature records administrative actions, and more transparency is provided on data retention and deletion policies. Zoom’s new initiatives stem from a partnership with SURF, an ICT organisation for Dutch education and research. You can read the press release here.

Europe: Submission deadline for the PICCASO Privacy Awards Europe 2023

Just over two weeks are left to nominate your peers and teams for the PICCASO Privacy Awards Europe 2023; the nominations process is in full swing! Who do you want to see recognised and celebrated for going ‘above and beyond’ in the work they do in the privacy sector? The award categories can be found here, and you can make your nominations here.

Sweden: IMY fines Spotify over its handling of customers’ right of access

The Swedish data protection authority (IMY) has imposed an administrative fine of SEK 58 million (~ € 5,000,000) on Spotify for deficiencies in the way the company handles customers’ right of access to their personal data. Under the General Data Protection Regulation (GDPR), individuals have a right to know what personal data a business holds about them and how it is used. While Spotify releases this personal data upon request, IMY determined that the company fails to provide clear information on how the data is used. Spotify allows customers to choose which personal data they want access to by dividing it into different layers. Despite this, Spotify’s unclear information made it difficult for users to understand how their data is processed and whether that processing is lawful. The decision was made in collaboration with other EU data protection authorities. You can read the press release here.

France: CNIL fines online clairvoyance company KG COM €150,000 for multiple GDPR infringements

The French data protection authority (CNIL) has fined online clairvoyance company KG COM €150,000 for various violations of the General Data Protection Regulation (GDPR) and the French Data Protection Act. CNIL’s investigations revealed that KG COM had been collecting excessive data, collecting sensitive data without explicit consent, and inadequately securing personal data. The company also violated rules on the use of cookies, leading to an additional fine. The amount of the fine reflects the severity and number of the infringements, the sensitivity of the data processed, and the number of individuals affected. However, CNIL also took the company’s financial situation and size into account to ensure the fine was proportionate yet dissuasive. You can read the press release here and the full decision (in French) here.

Italy: Garante fines energy and telephone companies for illegal telemarketing practices

The Italian data protection authority (Garante) has adopted three corrective and punitive measures against the pervasive problem of illegal telemarketing, following recent seizures of several call centre databases. Telecom company Tim SpA received a fine of €7,631,175 for inadequate monitoring of abusive call centres and other issues, including a poor response to requests to exercise data subjects’ rights and the improper publication of personal data in public directories without consent. The Garante also acknowledged some improvements by Tim SpA, while indicating that further progress is needed to eradicate a practice that causes serious nuisance to citizens. Energy companies Green Network SpA and Sorgenia SpA were fined €237,800 and €676,956 respectively, for failing to implement measures ensuring the traceability of operations on their platforms for contractual proposals and for failing to demonstrate full accountability for all processing within the telemarketing chain. The main aim of these measures is to close the loopholes that illegal call centres exploit within the information and commercial assets of telephone and energy companies. You can read the press release (in Italian) here and the full decisions (in Italian) here (Tim SpA), here (Green Network SpA), and here (Sorgenia SpA).