Data Protection Weekly 25/2023

Jun 26, 2023

CEDPO

CEDPO releases AI and personal data guide for DPOs “Frequently Asked Questions”

The Confederation of European Data Protection Organisation’s (CEDPO) AI and Data Working Group has issued a guide aimed at Data Protection Officers (DPOs). The rapid and exponential growth of artificial intelligence (AI) and machine learning technologies often involves processing personal data on a large scale and with a high level of complexity, bringing new risks for data subjects and challenges for DPOs. The guide is designed to help DPOs navigate the intersection of AI with data protection principles, a task that is becoming increasingly complex and is expected to become even more so with the anticipated enactment of the EU’s Artificial Intelligence Act in 2024. This Act will overlap with the GDPR in crucial ways, adding more obligations for DPOs. The guide offers a starting point for DPOs to understand and navigate the complex world of AI. You can read the press release here and download the FAQs here.

CEDPO member  – the Association of Data Protection Officers Ireland – will host a webinar July 5 entitled: The AI Revolution: what does it mean for DPOs?

Artificial intelligence and machine learning technologies are growing rapidly and exponentially, and although they do not always process personal data, when they do, it is often on a vast scale and level of complexity. In this webinar, William Fry’s Barry Scannell will guide DPOs through the maze and give the essential practical advice on how to prepare for this coming technology revolution. The webinar is open to non-members, for more information and registration please see here.

 European Union

EDPB: Adoption of template complaint form and recommendations on BCR-Cs’ approval applications

The European Data Protection Board (EDPB) has adopted a template complaint form during its latest plenary to streamline the process of complaint submissions and handling by Data Protection Authorities (DPAs) in cross-border cases. The template will enable DPAs to save time and resolve cross-border cases more efficiently by easing the exchange of information. Additionally, an acknowledgement receipt template has been developed to inform complainants about subsequent steps following complaint submission. Furthermore, the EDPB has finalised the Recommendations on the application for approval and on the elements and principles in Controller Binding Corporate Rules (BCR-Cs). This update aims to standardise the BCR-Cs application process, clarify necessary content, and align the guidance with the CJEU’s Schrems II ruling requirements. You can read the press release here and download both templates here.

CJEU: Every person has the right to know the date of and the reasons for the consultation of his or her personal data

In a landmark case (C-579/21), the European Court of Justice has ruled that individuals have the right to know when and why their personal data has been consulted, irrespective of the business domain of the data controller. The case emerged when a former employee of Pankki S Bank, who was also a customer, found out that his data had been accessed by the bank’s staff. He asked the bank for details regarding the identities of those who accessed his data, the exact dates of consultation, and the purposes of such access. The court held that under the GDPR, an individual has the right to obtain details of personal data consultation operations, but the identity of employees involved may remain undisclosed unless essential to exercise the rights conferred by the GDPR, provided it doesn’t infringe upon the rights or freedoms of those employees. The judgment also clarified that the application of these rights is not affected by the individual’s status as an employee and customer of the data controller. You can read the press release here and the full decision here.

ESAs: Consultation on the first batch of DORA policy products

The European Supervisory Authorities (ESAs), encompassing the EBA, EIOPA, and ESMA, have initiated a public consultation on the first batch of policy products under the Digital Operational Resilience Act (DORA). The package includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). This regulatory framework covers key areas such as ICT risk management, ICT-related incident management and reporting, digital operational resilience testing and the management of ICT third-party risk. The consultation period runs until 11 September 2023. DORA, which took effect on 16 January 2023 and will apply from 17 January 2025, seeks to improve the digital operational resilience of entities in the EU financial sector and further harmonise key digital operational resilience requirements. You can read the press release here.

Council of Europe: Slovakia’s ratification of Convention 108+

On June 15, 2023, Slovakia ratified the Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data, also known as Convention 108+. As the 25th state to do so, Slovakia reaffirms its commitment to personal data protection since becoming a party to the original Convention 108 in 2001. The Convention 108+ is the only global international regulatory tool aimed at protecting the rights of individuals in the digital era. It promotes human-centered approaches against algorithmic deduction, control, or surveillance. Although a significant step, 13 more ratifications are required for the Convention to come into full effect worldwide. This event reflects the global trend towards stronger data privacy protections. You can read the CoE’s press release here and the UOOU’s press release (in Slovak) here.

National Authorities

G7: Data protection and privacy authorities discuss Generative AI

The G7 data protection and privacy authorities (DPAs) convened to explore the developments and challenges posed by generative AI technologies from a data protection and privacy perspective. The DPAs underscored the application of existing law to generative AI products and uses. They highlighted key areas of concern regarding privacy and data protection risks within the generative AI context, including legal authority for processing personal information, security safeguards, mitigation and monitoring measures, transparency measures, technical and organisational measures for rights exercise, accountability measures, and data minimisation. The DPAs urged developers and providers to embed privacy into the design, operation, and management of new generative AI technologies, based on the “Privacy by Design” concept. They also agreed on the need for further discussion and collaboration on personal data protection within the generative AI. You can read the full statement here.

UK: ICO publishes new guidance on privacy-enhancing technologies

A new detailed guidance discussing privacy-enhancing technologies (PETs) has been published, targeting both Data Protection Officers (DPOs) and technical professionals. The guidance is divided into two sections, the first part aimed at DPOs and those with specific data protection responsibilities in larger organisations. It illustrates how PETs can be leveraged to achieve compliance with data protection law. The second section is tailored for a more technically oriented audience and DPOs seeking a deeper understanding of currently available PETs. It introduces eight types of PETs, detailing their benefits and potential risks. The document provides a valuable resource for understanding and applying PETs in practice. You can access the full guidance here.

Global

US: Oracle introduces sovereign cloud regions for the European Union

Oracle Cloud Infrastructure (OCI) announced plans to launch new sovereign cloud regions in the European Union (EU) in 2023. This move caters to increasing demands for localised data storage, processing, and enhanced control over data security. OCI’s sovereign cloud regions will extend their existing practice of not moving customer content from chosen regions and will restrict operational and customer support to EU residents. This is designed to ensure alignment with relevant EU regulations. Initially, these sovereign cloud regions will be established in Germany and Spain. These regions will offer all of OCI’s 100+ services currently available in its existing public cloud regions. You can read the press release here.

Fines

France: CNIL fines CRITEO €40 million for unlawful data processing

The French data protection authority (CNIL), has imposed a €40 million fine on CRITEO, an online advertising firm, for failing to ensure that individuals had provided consent for data processing. CRITEO specialises in “behavioral retargeting”, tracking users’ online behaviour to display personalised advertisements. Investigations led by CNIL, initiated after complaints from Privacy International and NOYB, revealed several GDPR violations, including inadequate evidence of user consent, non-compliance with transparency and information obligations, and failure to respect user rights. The amount of the fine reflects the vast amount of data collected by the company across the EU, and the fact that processing individuals’ data without proof of valid consent boosted the company’s financial income. The decision was approved by all 29 European supervisory authorities under the GDPR’s ‘one-stop shop’. You can read the press release here and the full decision (in French) here.

Italy : Garante imposes heavy fines to Rome authorities over privacy breach

Municipality of Rome and Ama, an in-house company managing cemetery services, have been fined €176,000 and €239,000 respectively by the Italian data protection authority (Garante) for violating the privacy of women who had undergone abortions. The infringements occurred when data was improperly displayed on plaques at the Flaminio Cemetery. Health data, including pregnancy termination information, is protected by strict privacy laws in Italy. This breach of privacy emerged from data communication that violated the principle of data minimisation. Asl Roma 1, which was also reprimanded, had transmitted identifying information of the women to cemetery services, enabling potential extraction of a list of all women who had undergone pregnancy terminations across all hospital facilities. The Garante has instructed health companies not to openly display personal data on burial and transport authorisations and on legal medical certificates. You can read the full article (in Italian) here.

Italy : Garante fines Volkswagen leasing €40,000 for unlawful data processing

The Italian data protection authority (Garante) has fined Volkswagen leasing €40,000 for unlawful data processing and refusal to provide a customer with complete personal data access. The penalty was the result of a complaint by a customer whose request for financing was declined and who was denied access to personal data pertaining to the refusal. The company only provided a copy of the client’s original documentation, indicating a consultation with a Credit Information System (SIC), and directed the customer to contact the SIC for further information. However, the investigation revealed that the company refused the financing based on the client’s creditworthiness after consulting with the SIC. The Garante has underlined the responsibility of the data processor to provide all information acquired from the SIC and effectively processed. By not providing timely and correct access to the client’s personal data, Volkswagen Leasing was deemed in violation of privacy regulations. You can read the full article (in Italian) here.

Romania: ANSPDCP fines Dante International SA for multiples GDPR violations

Based on the cooperation mechanism provided by GDPR , the Romanian data protection authority (ANSPDCP) was notified by the data protection authority of Hungary regarding the complaints made by three natural persons from the Hungarian state against Dante International SA. The Hungarian data protection authority considered the ANSPDCP as the lead supervisory body in this case, given the fact that this company has its main headquarters in Romania. The investigation uncovered several breaches, including insufficient procedures for personal data deletion requests and failure to provide appropriate data protection training to its employees. Dante also wrongly rejected a deletion request based on technical limitations and failed to provide complete information on data transfers to third countries. In another instance, the company continued processing an individual’s email without their consent. Dante was fined a total of 198 440 lei (equivalent to €40,000) and issued a warning for these violations. Corrective measures have also been ordered, including complete information provision, anonymisation method implementation, and regular staff training. You can read the press release (in Romanian) here.

Poland: Warsaw Administrative Court upholds UODO decisions on data protection fines

The Voivodship Administrative Court in Warsaw has dismissed complaints from P4 Sp. z o. o. and Santander Bank Polska against the decisions of the Polish data protection authority (UODO), thus confirming imposed fines. The P4 Sp. z o. o., which is the legal successor of Virgin Mobile Polska Sp. z o. o., received a fine of almost PLN 1.6 million (equivalent to ~€362,000). In another case, Santander Bank Polska was fined over PLN 545,000 (equivalent to ~€123,300). Deputy President of the UODO, Jakub Groszkowski, noted that this adds to the growing body of jurisprudence supporting UODO’s decisions. Data from the first quarter of 2023 shows that rulings upholding UODO’s decisions are over twice the number of those repealing them, a trend that mirrors the data from the previous year with 142 upheld decisions compared to 57 overturned decisions. These decisions uphold UODO’s commitment to the protection of natural persons’ data and legal certainty in this domain. You can read the press release (in Polish) here.

UK: ICO fines tracing agent for illegal personal data collection

Former tracing agent Michael Isaacs has pleaded guilty to the illegal collection of personal data, primarily used to assess the debt repayment capacities of a high street bank’s customers. Isaacs, the sole director of Datasearch Services Limited (DSS), used voice changing software to impersonate others, enabling him to bypass basic security questions and gather detailed personal information. This data, which included bank account details, direct debits, and outstanding mortgages, was unlawfully collected on behalf of the Royal Bank of Scotland (RBS). Six counts of unlawfully obtaining personal data were acknowledged by Isaacs, leading to an application under the Proceeds of Crime Act. The Kingston-upon-Thames Crown Court ordered Isaacs to repay £38,000 obtained through his criminal conduct, and further fined him £10,560 with additional court costs of £15,000. You can read the press release here.