Data Protection Weekly 25/2024

Jul 23, 2024

CEDPO

Save the date: CEDPO DPO Conference Brussels, 14 October 2024

The Confederation of European Data Protection Organisations (CEDPO) invites you to its annual DPO Conference in Brussels on 14 October 2024. This event is a key opportunity for data protection professionals to engage with experts, share insights, and discuss the latest developments in data protection. Mark your calendars and join us for a day of insightful discussions, networking, and professional development. More details and registration information will be available soon.

European Union

EDPB: Statement on the role of DPAs in AI Act framework

The European Data Protection Board (EDPB) has adopted a statement on the role of Data Protection Authorities (DPAs) within the Artificial Intelligence Act (AI Act) framework. The EDPB highlights the existing expertise of DPAs in addressing the impacts of AI on fundamental rights, especially personal data protection. It recommends that DPAs be designated as Market Surveillance Authorities (MSAs) for high-risk AI systems, such as those used in law enforcement and border management. This designation would improve regulatory coordination and enhance legal certainty. The EDPB also suggests that DPAs act as single points of contact and that MSAs establish clear cooperation procedures with other regulatory bodies. EDPB Deputy Chair Irene Loizidou Nicolaidou emphasised the DPAs’ suitability for this role due to their independence and experience with AI-related risks. You can read the press release here and the full statement here.

EDPB: Adoption of two FAQs on EU-U.S. Data Privacy Framework

The European Data Protection Board (EDPB) has adopted two FAQ documents aimed at clarifying the EU-U.S. Data Privacy Framework (DPF). One FAQ targets individuals, explaining how they can benefit from the DPF, lodge complaints, and understand the complaint handling process. The other FAQ is for businesses, detailing the eligibility criteria for U.S. companies to join the DPF, steps to follow before transferring personal data to a DPF-certified company, and where to find additional guidance. These documents aim to enhance understanding and facilitate the functioning of the DPF, promoting better data protection practices between the EU and the U.S. You can download the FAQ for individuals here and the FAQ for businesses here.

EDPS: IPEN event on “Human oversight of automated decision-making”

The EDPS and the University of Karlstad are hosting an Internet Privacy Engineering Network (IPEN) event on 3 September 2024, focusing on “Human supervision of automated decisions.” The event, held both physically at Karlstad University and online, aims to explore whether current regulations shift the burden of responsibility from system providers to operators, and what measures are needed to ensure oversight is effective and meaningful. The event will feature discussions on the role of human oversight in the context of the GDPR and the AI Act, the challenges to effective human oversight, and strategies for empowering operators to oversee AI systems effectively. You can read the full article here.

EDPB: Approval of new European Data Protection Seal

The European Data Protection Board (EDPB) has approved the EuroPriSe Criteria Catalogue for certifying processing activities by processors, resulting in a European Data Protection Seal. This seal is an important tool for GDPR compliance, enhancing transparency and trust in data processing activities. Initially recognised in Germany, the updated scheme now applies across the entire EU/EEA. The certification allows organisations to demonstrate their compliance efforts and provides a clearer assessment of the data protection measures in place. You can download the full opinion here.

Supervisory Authorities

GPEN Sweep: Majority of websites and mobile apps use deceptive design to influence privacy choices

A global privacy sweep that examined more than 1,000 websites and mobile apps has found that nearly all of them employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions. These patterns include multiple steps to find privacy policies or delete accounts, and repetitive prompts to gather more personal information. Conducted from January 29 to February 2, 2024, the sweep involved 26 privacy enforcement authorities worldwide and was coordinated with the International Consumer Protection and Enforcement Network (ICPEN). Findings revealed that 89% of privacy policies were overly complex, 57% made less privacy-friendly options more accessible, and 35% nagged users about account deletion. The sweep was not an investigation but may lead to enforcement actions by GPEN members. GPEN encourages better design practices to support informed privacy choices, enhancing user trust and privacy protection. You can read the press release here and download the full report here.

Netherlands: AP warns rapid rise of AI requires vigilance

The Dutch data protection authority (AP) has stressed the need for vigilance in light of the rapid advancements in artificial intelligence (AI) in its new AI & Algorithm Risks Report. Although AI technology is still in its early stages, extensive experimentation is ongoing, from generative AI by big tech companies to behaviour recognition systems in supermarkets. However, AI risk management is lagging. This means the Netherlands must exercise caution and prepare for more AI-related incidents. Trust in AI in the Netherlands is lower than in other countries, with risks ranging from cyberattacks and deepfakes to privacy breaches and discrimination. AP chair Aleid Wolfsen advises organisations to be cautious with AI until its risks are fully understood. Emphasis is placed on democratic oversight, random sampling to combat discrimination, and transparency about information sources. The AP calls on the government to prioritise algorithm registration and review the national AI strategy. You can read the press release here (in Dutch).

France: CNIL launches public consultation on workplace diversity measurement

The French data protection authority (CNIL) has opened a public consultation until 13 September 2024 on a new recommendation to guide diversity measurement surveys in public and private organisations. These surveys, aimed at combating discrimination, involve collecting sensitive data and must comply with GDPR. The CNIL advises that such surveys be voluntary, anonymous, and use closed questions to protect privacy. Employers are encouraged to use trusted third parties to prevent access to collected data. This initiative follows the strict guidelines of the Constitutional Council’s decision from 15 November 2007 on origin-related statistics. All stakeholders, including employers, employees, and trusted third parties, are invited to participate, ideally combining their comments into a unified contribution per organisation. The final recommendation will be published after the consultation period. You can read the press release here (in French).

France: CNIL calls for enhanced data protection in EU cloud certification

The European certification scheme for cloud services (EUCS) currently no longer guarantees the protection of data from access by foreign authorities, unlike the French SecNumCloud certification, which includes such safeguards. The French data protection authority (CNIL) is calling for this level of protection to be reinstated in the EUCS, particularly for sensitive data such as health records, criminal records and information about minors. The CNIL points out that data hosted by companies subject to non-European laws, especially those with parent companies in the US, are at risk of being disclosed to foreign authorities. This risk, although limited for non-sensitive data, requires stronger safeguards for more sensitive data. In these cases, the CNIL recommends using service providers that are exclusively subject to European law. The lack of “immunity” criteria in the EUCS project poses legal, economic and industrial challenges and could hinder the development of European cloud offerings and AI systems. The CNIL calls for the inclusion of these criteria to ensure robust data protection. You can read the press release here (in French).

Ireland: DPC publishes a blog post on AI, large language models and data protection

The Irish data protection authority (DPC) has published a comprehensive blog post addressing the intersection of Artificial Intelligence (AI), particularly Large Language Models (LLMs), and data protection. The blog highlights how these AI systems, through natural language processing, have become integral in various applications such as chatbots, internet searches, and creative tasks. It emphasises potential data protection risks associated with the use of LLMs, including the extensive use of personal data during training phases and the subsequent implications for data accuracy, bias, and security. The DPC advises both individuals and organisations to be vigilant about how AI systems process personal data, ensuring compliance with GDPR requirements. Organisations are recommended to conduct formal risk assessments and maintain transparency regarding data usage and retention to mitigate any adverse impacts on data subjects. The full blog post provides detailed guidance on managing these risks effectively. You can read the full blog post here.

Portugal: CNPD updates information on the Worldcoin case

The Portuguese data protection authority (CNPD) has issued a new decision regarding the Worldcoin Foundation’s biometric data collection activities. Initially, CNPD suspended the collection of iris, eye, and face data within Portugal to protect personal data rights, especially of minors. This suspension was detailed in Deliberation/2024/137 on 25 March 2024. Following this, Worldcoin disclosed its EU establishment in Erlangen, Germany, positioning the Bavarian data protection authority (BayLDA) as the lead supervisory authority. In response, CNPD’s Deliberation/2024/279 on 9 July 2024 recognised BayLDA as the lead authority and CNPD as a concerned supervisory authority under the GDPR. CNPD has forwarded all pertinent documents to BayLDA and will maintain vigilance over the case’s progress. You can read the full article here.

Spain: AEPD releases a report on addictive patterns on the internet

The Spanish data protection authority (AEPD) has released a report revealing how many online platforms and services use addictive design patterns to increase user engagement and collect more personal data. These patterns are especially harmful to minors, impacting their autonomy and right to development. During the presentation at the Menéndez Pelayo International University, the need to include these patterns in the European Data Protection Board (EDPB) guidelines on the interplay between the General Data Protection Regulation and the Digital Services Act was emphasised. The AEPD classifies addictive patterns into three levels: high, medium, and low, identifying strategies like forced action, social engineering, and persistence. The AEPD will also continue to collaborate with the Spanish National Markets and Competition Commission. You can read the press release here and the full report here (both in Spanish).

Germany: HmbBfDI releases paper on the applicability of GDPR to large language models

The Hamburg data protection authority (HmbBfDI) has released a discussion paper examining the applicability of the GDPR to Large Language Models (LLMs). This document aims to foster debate and assist companies and public authorities navigating the intersection of data protection law and LLM technology. It explains relevant technical aspects, evaluates them in light of European Court of Justice case law, and highlights practical implications. Key points include that mere storage of LLMs does not constitute processing under GDPR as no personal data is stored. Data subject rights under GDPR cannot be applied to the model itself but can pertain to the input and output of AI systems. Additionally, the training of LLMs using personal data must comply with data protection regulations, although any violations during training do not affect the lawfulness of using such a model within an AI system. You can read the press release here and the full paper here.

Global

PICCASO: Three weeks left to submit your nominations for the PICCASO Awards Europe 2024!

Before you head off on your summer holidays, take a moment to submit your nominations for the upcoming third edition of the PICCASO Awards Europe 2024. This is a fantastic opportunity to recognise and celebrate the outstanding achievements and contributions of yourself, your peers, teams, partners or organisation. By submitting your nominations now, you ensure that these exceptional individuals and organisations receive the recognition they deserve. Do not let the FINAL entry deadline pass without making your mark: nominate today and give yourself or your nominees the best possible chance to be recognised as a finalist or take the stage as a winner! All nominations must be submitted by the deadline, 9 August at 12:00 pm. For more information see here.

Sanctions

Netherlands: AP fines Kruidvat.nl €600,000 for lack of cookie consent

The Dutch data protection authority (AP) has imposed a €600,000 fine on the company behind the drugstore Kruidvat.nl for tracking website visitors without their knowledge or consent. AS Watson (Health & Beauty Continental Europe) B.V. collected sensitive personal data from millions of visitors, including browsing history, location data, and product purchases, creating detailed personal profiles. This information, especially given the nature of pharmacy products, such as pregnancy tests and medications, is highly sensitive. AP Chair Aleid Wolfsen highlighted that tracking cookies require explicit consent, which Kruidvat.nl did not obtain, as their cookie banner had pre-ticked boxes and made opting out difficult. Despite a warning in 2019 and follow-up checks, Kruidvat.nl failed to comply until October 2020. The AP plans to increase inspections in 2024 to ensure proper cookie consent practices. AS Watson has appealed the fine. You can read the press release here (in Dutch).
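The two consent-related items in this issue, the GPEN sweep on deceptive design and the Kruidvat.nl fine for a banner with pre-ticked boxes and a hard-to-find opt-out, describe the same failure mode: tracking cookies are written before the visitor has made an explicit choice. The following is an added example, not code from the newsletter, the AP, GPEN or any real consent-management product; it models two banners in plain Node.js (no DOM), gates the tracking cookies a response may set on the recorded consent state, and audits each banner for the three patterns named in the text. All names (preTickedBanner, optInBanner, auditBanner, the cookie values) are illustrative constructions.

```javascript
// Added example: consent-gated tracking cookies and a banner audit.
// Not from the newsletter or any regulator; all identifiers are illustrative.

// Purposes beyond strictly necessary storage require explicit consent.
const OPTIONAL_PURPOSES = ["analytics", "advertising"];

// Deceptive banner: optional purposes pre-ticked, and a ticked box is treated
// as consent even though the visitor has not yet made any decision.
const preTickedBanner = {
  initialState: () => ({ decided: false, analytics: true, advertising: true }),
  // Reads the ticked state as consent regardless of whether the visitor acted.
  isAllowed: (state, purpose) => state[purpose] === true,
  // No one-step reject: the visitor must untick each box individually.
  rejectAll: null,
};

// Opt-in banner: nothing optional is on by default, consent only counts once
// the visitor has decided, and rejecting everything is a single action.
const optInBanner = {
  initialState: () => ({ decided: false, analytics: false, advertising: false }),
  isAllowed: (state, purpose) => state.decided && state[purpose] === true,
  rejectAll: (state) => ({ ...state, decided: true, analytics: false, advertising: false }),
};

// Record the visitor's explicit choice: only purposes passed as true are enabled.
function recordChoice(state, choices) {
  const next = { ...state, decided: true };
  for (const p of OPTIONAL_PURPOSES) next[p] = choices[p] === true;
  return next;
}

// Set-Cookie headers a response may carry under a given banner and consent state.
// The session cookie is strictly necessary; both tracking cookies are gated.
// Cookie values are constructed placeholders.
function cookiesForResponse(banner, state) {
  const headers = ["sid=<constructed>; Secure; HttpOnly; SameSite=Lax"];
  if (banner.isAllowed(state, "analytics")) {
    headers.push("_ana=<constructed>; Secure; SameSite=Lax");
  }
  if (banner.isAllowed(state, "advertising")) {
    headers.push("_adv=<constructed>; Secure; SameSite=Lax");
  }
  return headers;
}

// Audit a banner for the patterns described in the sweep and the AP decision.
// Returns the list of findings; an empty list means none were detected.
function auditBanner(banner) {
  const findings = [];
  const fresh = banner.initialState();
  if (OPTIONAL_PURPOSES.some((p) => fresh[p] === true)) {
    findings.push("optional purposes pre-ticked");
  }
  if (OPTIONAL_PURPOSES.some((p) => banner.isAllowed(fresh, p))) {
    findings.push("tracking before any decision");
  }
  if (typeof banner.rejectAll !== "function") {
    findings.push("no one-step reject");
  } else {
    const rejected = banner.rejectAll(fresh);
    if (OPTIONAL_PURPOSES.some((p) => banner.isAllowed(rejected, p))) {
      findings.push("reject does not disable tracking");
    }
  }
  return findings;
}

// Demonstration on first visit, before the visitor has touched the banner.
console.log("pre-ticked banner, first visit:", cookiesForResponse(preTickedBanner, preTickedBanner.initialState()));
console.log("opt-in banner, first visit:", cookiesForResponse(optInBanner, optInBanner.initialState()));
console.log("audit pre-ticked:", auditBanner(preTickedBanner));
console.log("audit opt-in:", auditBanner(optInBanner));
```

The point of splitting `isAllowed` from the stored state is that the gate, not the checkbox UI, is what decides whether a tracking cookie leaves the server: a banner whose boxes default to off but whose gate ignores `decided` would still fail the "tracking before any decision" check. In a real deployment the consent state would be persisted (typically in its own cookie) and the audit run against the live first-visit response rather than an in-memory model.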