Data Protection Weekly 26/2023

Jul 3, 2023

European Union

European Commission: New proposals for cash support and digital euro

The European Commission put forward two proposals aimed at continuing access to euro cash and setting a framework for a potential digital euro. The first proposal seeks to ensure that euro cash remains a widely accepted and accessible payment method across the euro area, amid declining usage due to an increasing preference for digital payments. The second proposal establishes a legal framework for a possible digital euro, supplementing euro banknotes and coins. The digital euro, if issued by the European Central Bank, would provide a cheap, secure, and resilient form of public money, complementing existing private payment solutions. The final decision on the issuance of the digital euro will be made by the European Central Bank after the proposals are reviewed by the European Parliament and Council. You can read the press release here.

EU Council and Parliament: Provisional agreement on the Data Act

The EU Council and European Parliament reached a provisional agreement on the Data Act, a new regulation for the fair access and use of data. The new legislation is aimed at ensuring fairness in data value allocation, stimulating a competitive data market, and promoting data-driven innovation by making data more accessible. It would also allow individuals and businesses greater control over their data, providing portability rights for data from smart objects, machines, and devices. Further, the act will prevent abuse of contractual imbalances in data sharing contracts, provide additional guidance on compensation for data availability, and ensure the protection of trade secrets. The agreement now awaits endorsement from the Council and European Parliament. You can read the full press release here.

EU Council and Parliament: Provisional agreement on new cybersecurity rules

The Council of the EU and European Parliament reached a provisional agreement on a new regulation aimed at ensuring a high common level of cybersecurity across the EU institutions, bodies, offices and agencies (EUI). Initiated due to an increase in complex cyberattacks affecting the EU public administration, the regulation outlines a common cybersecurity framework to improve resilience and incident response capacities. It mandates that all EUI establish a governance, risk management, and control framework in the area of cybersecurity and regularly assess their cybersecurity maturity. Moreover, the EU’s Computer Emergency Response Team (CERT-EU) will be strengthened and rebranded as the “Cybersecurity Service for the Union institutions, bodies, offices and agencies”. A new interinstitutional Cybersecurity Board will be set up to oversee the implementation of the regulation. The agreement now awaits finalisation and approval from the member states’ EU ambassadors. You can read the full press release here.

EU Council and Parliament: Provisional agreement on a European digital identity

The Council of the EU and European Parliament reached a provisional political agreement on the key elements of a new framework for a European digital identity (eID). This revised regulation intends to provide universal access to secure, trustworthy electronic identification and authentication via a personal digital wallet on a mobile phone. The European digital identity wallet aims to offer citizens and residents a harmonised eID means. The regulation also expands the list of trust services, establishes a harmonised approach to security, and aligns with existing cybersecurity legislation. Qualified providers will issue electronic attestation of attributes, such as medical certificates, and the revised framework mandates unequivocal identity matching for cross-border services. The final legal text is yet to be completed, following which it will be submitted for endorsement and formal adoption. You can read the full press release here.

CJEU: AG opinion on mandatory collection and storage of fingerprints on identity cards

Advocate General Laila Medina stated in case C-61/22 that the mandatory collection and storage of fingerprints on identity cards, as set out by Regulation 2019/1157, is valid. This regulation sets the requirement to include an image of the card holder’s fingerprints on a highly secure storage medium in any new identity card issued by Member States from August 2, 2021. The Advocate General concluded that this regulation was correctly adopted under Article 21(2) TFEU to facilitate the right of EU citizens to move and reside freely within the Member States. She stated that it does not constitute an unjustified limitation of the fundamental right to respect for private life in relation to the processing of personal data. The Advocate General also noted that the European Parliament and the Council were not required to conduct a data protection impact assessment during the legislative process that led to the adoption of Regulation 2019/1157. You can read the press release here and the full opinion here.

National Authorities

Ireland: DPC publishes a statement on failure to share information about nursing home resident’s criminal convictions

The Irish data protection authority (DPC) has addressed concerns regarding GDPR compliance in relation to a failure to share information about a nursing home resident’s criminal convictions and the risk this posed to other residents. As stated by the DPC, data protection law offers special protection for information about a person’s criminal convictions or alleged offences, but there are circumstances where this information must be processed and shared. This is permissible under Section 55(1)(b)(iv) of the Data Protection Act 2018 when it’s necessary to prevent injury or damage to another person or property or to protect the vital interests of another person. In such cases, the consent of the person concerned is not required. Nonetheless, the DPC underscores the importance for organisations to ensure that only the required information is shared and that it is handled sensitively and confidentially. The DPC reassures that it will continue to provide guidance on processing personal data in such sensitive contexts. You can read the full statement here.

Spain: AEPD publishes a guide for GDPR compliance in Data Spaces creation

The Spanish data protection authority (AEPD) has released a guide examining the creation and use of Data Spaces in accordance with personal data protection regulations. Named “Approaching Data Spaces from a GDPR Perspective”, the document aims to facilitate compliance with respect for the rights and freedoms of individuals relating to the protection of their data. Given the unprecedented scale at which companies and public administrations are utilising personal data due to technological advances, this guide serves as a necessary step to respect the principles of the General Data Protection Regulation (GDPR). It addresses both the fundamental normative framework affecting Data Spaces and the one under development, including an analysis of data protection applicability and an in-depth section on anonymisation. The guide is intended for controllers and processors involved in these data spaces, as well as data protection officers and advisers, among others. You can read the press release here and the full guide here (both in Spanish).

Spain: AEPD issues circular on the right to avoid unsolicited commercial calls

The Spanish data protection authority (AEPD) has published a circular regarding the rights of users to not receive unsolicited commercial calls, establishing the AEPD’s interpretation of the Spanish Telecommunications Act’s provisions. The Act, which takes effect from June 29, grants users the right to refuse unsolicited commercial calls, unless they’ve given prior consent or another legal basis for these communications is in place under the General Data Protection Regulation (GDPR). The circular also provides legal security to both callers and receivers. The circular comprises an expository part, six articles, and a final provision, detailing consent from end users, the legitimate interest of the data controller, consultation with advertising exclusion systems, data processing, and additional guarantees. Until the law is effective, users could receive commercial calls unless they opted out. After June 29, users can only receive these calls if they have given prior consent or if the calling company can demonstrate that its legitimate interest prevails over the users’ rights. You can read the press release here and the full circular here (both in Spanish).

Denmark: Datatilsynet releases new guidance on the use of video surveillance

The Danish data protection authority (Datatilsynet) has published new guidance on video surveillance for private companies. As businesses increasingly employ video surveillance, Datatilsynet stresses the importance of understanding the complexities of the Video Surveillance Act and data protection rules. The guidance offers an overview of regulations companies should heed while conducting video surveillance. It covers various aspects, including defining what constitutes video surveillance, obligations to inform the persons monitored, rules around storage and disclosure of recordings, rights of data subjects, and use of data processors. Practical examples have been added to the guidance for easier application. Future guidelines on video surveillance, aimed at public authorities and housing associations, are planned for the second half of 2023. The authority also acknowledges the contribution of the Ministry of Justice to this guidance. You can read the press release here and the full guidelines here (both in Danish).

Andorra: APDA reprimands Andorran Government for data protection violations

The Andorran data protection authority (APDA) has issued its first reprimand to the Government of Andorra for violating the Personal Data Protection Law (LQPD) 29/2021 by not informing citizens that their personal data related to the digital certificate would be transferred to the Spanish company, AC Camerfirma, SA. The matter came to light on January 5th, when several citizens reported receiving an email advising them to renew their digital certificate from the Andorran Public Administration Certification Entity, issued by the Government, and signed by AC Camerfirma, SA. The Government acknowledged that the mass email sending had no justification, as the contract did not stipulate that the company would contact the concerned parties. However, the Government maintained that the contractual relationship no longer exists, thus no further breaches will occur. The APDA initiated administrative proceedings against the Government, suggesting corrective measures and procedures. Despite this, the Government was reprimanded on June 13th for proven violations. You can read the press release (in Catalan) here.


Ireland: ICCL raises concerns over controversial amendment that may restrict public criticism of Ireland’s DPC

The Irish Council for Civil Liberties (ICCL) recently expressed serious concerns over an amendment proposed by the Irish Government to a miscellaneous provisions bill that could potentially limit criticism of the Data Protection Commission (DPC). The ICCL highlighted that the amendment might prevent individuals from publicly discussing how the DPC handles their complaints or how big tech firms misuse their data. It also voiced fears about the impact on journalistic reporting of Ireland’s GDPR supervision, especially concerning major tech companies with European headquarters in Ireland. The ICCL warned of possible conflicts with imminent European law and disruptions in information sharing between EU data protection authorities. The Council urged all parties in the Irish parliament to challenge this amendment in the final debate.

However, the Department of Justice (DoJ) responded, arguing the ICCL has misunderstood the purpose of the amendment. They clarified that the amendment is intended to bolster the integrity of the DPC’s statutory processes and protect the privacy of EU citizens by enabling more effective investigations into GDPR breaches. The DoJ further explained that breaches of confidentiality during an investigation could undermine the ability to regulate data processors and leave violations unsanctioned. According to the DoJ, while the amendment permits the DPC to limit the disclosure of certain information, it requires the Commission to specify the information and the reasons for its confidentiality. The DoJ insists that the amendment does not prevent complainants from discussing their data privacy complaints and won’t affect media reporting or the DPC’s GDPR obligations. Furthermore, the DoJ spokesperson emphasised that the intention to amend the Data Protection Act 2018 had been previously communicated to the Irish parliament in 2022. You can read the ICCL’s full statement here and read more about this story here.


Italy: Garante fines the Benetton Group €240,000 for unlawful data processing

The Italian data protection authority (Garante) has imposed a €240,000 fine on the Benetton Group for unlawful processing of significant amounts of customer and former customer data. Key violations include inadequate security measures and indefinite data retention for marketing and profiling purposes. Customer data were collected via e-commerce service subscription, loyalty program, and promotional newsletters. The company kept the data collected through the loyalty cards, including purchase details since 2015, receipt details, and accumulated points. The management database was accessible by all the employees across seven European countries via a single account and password, posing substantial privacy risks. Benetton has been ordered to adopt necessary measures to conform to privacy regulations, including deleting or anonymising data of ex-customers that are over 10 years old. You can read the article (in Italian) here.

UK: ICO fines Fortis Insolvency Limited for unlawful marketing SMS

The UK data protection authority (ICO) has imposed a fine of £30,000 against Fortis Insolvency Limited for breaching regulation 22 of the Privacy and Electronic Communications Regulations (PECR). Between 26th July 2020 and 26th July 2021, the company sent 558,354 direct marketing SMS messages without valid consent. A significant number of these, 527,481 messages, were received by subscribers. This substantial breach led to the issuance of the fine, as well as an enforcement notice directing the company to correct its practices and ensure future compliance with regulations surrounding electronic communications and data privacy. You can read the press release here and the full decision here.