Data Protection Weekly 26/2024

Sep 3, 2024

CEDPO

Save the date: CEDPO DPO Conference Brussels, 14 October 2024

The Confederation of European Data Protection Organisations (CEDPO) invites you to its annual DPO Conference in Brussels on 14 October 2024. This event is a key opportunity for data protection professionals to engage with experts, share insights, and discuss the latest developments in data protection. Mark your calendars and join us for a day of insightful discussions, networking, and professional development. More details and registration information will be available this week!

European Union

European Commission: EU launches consultation on trustworthy general-purpose AI as AI Act enters into force

On 30 July 2024, just days before the European Artificial Intelligence Act (AI Act) took effect on 1 August 2024, the European AI Office launched a multi-stakeholder consultation on trustworthy general-purpose AI models. Running until 18 September 2024, this consultation invites input from a broad range of stakeholders, including academics, industry, civil society, and public authorities. The feedback will inform the development of the first Code of Practice for general-purpose AI models, which is expected to be finalised by April 2025. This follows a now-closed call for expressions of interest to participate in drafting the Code between September 2024 and April 2025. The consultation focuses on key areas such as transparency, copyright-related provisions, and risk management. Insights gathered will be crucial for shaping the regulatory framework under the AI Act. Stakeholders are encouraged to participate before the deadline. You can read the full details here.

EDPS: New model for data transfers between EU Institutions and International Organisations unveiled

The European Data Protection Supervisor (EDPS) has released a Model Administrative Arrangement designed to streamline and secure the transfer of personal data from EU institutions to International Organisations. This model aims to ensure compliance with EU data protection law, specifically Regulation (EU) 2018/1725. The EDPS emphasises that the new model supports EU institutions in achieving their objectives, such as delivering humanitarian aid or advocating for human rights, while maintaining EU data protection standards. The arrangement focuses on core data protection principles and introduces safeguards to guarantee a level of protection comparable to EU law. While the EDPS must still approve individual administrative arrangements using this model, its adoption is expected to expedite the approval process, benefiting both parties and the individuals whose data is transferred. You can read the press release here.

CoE: Expert report examines neurotechnology and data protection under Convention 108+

A scientific report titled “The privacy and data protection implication of the use of neurotechnology and neural data from the perspective of Convention 108+,” authored by Eduardo Bertoni and Marcello Ienca, was presented at the 46th plenary meeting of the Committee of Convention 108 (T-PD) held in June 2024 in Strasbourg. The report provides a comprehensive legal and technical overview of neurotechnology and its potential impact on human rights, particularly privacy and data protection. It discusses the current and future capabilities of Neural Interfaces and examines regulatory initiatives related to Neurotechnologies. The report also offers solutions to address the challenges of “mental privacy,” with a focus on how Convention 108+ can be leveraged to protect individual privacy while fostering innovation in neuroscience. This framework is deemed essential for safeguarding personal data in the evolving field of neural research. You can read the press release here and the full report here.

Supervisory Authorities

France: CNIL publishes monitoring tool for Binding Corporate Rules compliance

The French data protection authority (CNIL) has published a monitoring tool to help multinational groups verify their compliance with Binding Corporate Rules (BCR). BCRs are intra-group data protection policies that allow group entities to transfer personal data outside the European Union in compliance with the GDPR. The tool, available in both French and English, is deployed in three stages using two adaptable questionnaires. First, the group’s data protection officer (DPO) or compliance lead selects the entities to be monitored. These entities then complete the ‘Local Entity’ questionnaire and return it to the group level. The DPO uses this feedback to fill out the ‘Group DPO’ questionnaire, providing an overview of BCR governance. Based on the results, the DPO may update compliance documentation, propose action plans, or request audits. This initiative underscores the CNIL’s support for BCR holders. You can read the press release here.

Ireland: DPC welcomes X’s suspension of data processing for AI training

The Irish data protection authority (DPC) has welcomed X’s agreement to suspend the processing of personal data from public posts by its EU/EEA users. This data, processed between 7 May and 1 August 2024, was used to train the AI tool ‘Grok’. The suspension follows an urgent High Court application by the DPC under Section 134 of the Data Protection Act 2018, marking the first time the DPC has utilised this power. The application, presided over by Ms. Justice Reynolds, highlighted the protection of data subjects’ rights across the EU/EEA. Commissioner Dr. Des Hogan stated that the decision supports the DPC’s ongoing efforts to ensure compliance with the GDPR, emphasising the importance of protecting data subject rights under EU law. The DPC, in collaboration with other EU/EEA regulators, continues to assess the legality of X’s data processing practices. You can read the press release here.

Poland: Meta ordered to suspend advertisements using Polish businessman’s data

The Polish data protection authority (UODO) has ordered Meta Platforms Ireland Limited to suspend advertisements on Facebook and Instagram in Poland that use the personal data of Rafał Brzoska, the President of InPost. This decision follows a complaint from Brzoska regarding deepfake ads falsely claiming his involvement in a platform benefiting Polish citizens. The ads, which used Brzoska’s real data and image, were disseminated without proper verification by Meta, potentially harming his reputation and misleading vulnerable groups. Mirosław Wróblewski, the President of UODO, imposed a three-month injunction under Article 66(1) of the GDPR, citing an urgent need to protect the rights of those affected. The case is also under review by the Irish DPA, as Meta’s European operations are headquartered in Ireland. You can read the press release here.

Czechia: ÚOOÚ recommends maintaining internal DPO roles amid concerning trends

The Czech Data Protection Authority (ÚOOÚ) has issued a recommendation against the growing trend of reducing or eliminating Data Protection Officer (DPO) roles within public administration, including schools, museums, cultural institutions, and government offices, in favour of outsourcing these services. The ÚOOÚ stresses that DPOs are crucial for upholding data protection as a fundamental right under Czech and EU law. DPOs ensure compliance with data processing principles, protect data subject rights, and provide essential advice on data protection matters. The ÚOOÚ is concerned that replacing internal DPOs with external services may weaken the enforcement of data protection laws and compromise the safeguarding of personal data. You can read the press release here (in Czech).

Global

The Swiss Federal Council approves the Swiss-US Data Privacy Framework

On 14 August 2024, the Swiss Federal Council approved the Swiss-US Data Privacy Framework, determining that it offers adequate protection for personal data transfers to certified US companies. This decision means personal data can now be transferred from Switzerland to these companies without additional guarantees, a move facilitated by the introduction of a US data protection review court. The amendment to the Swiss Data Protection Ordinance, set to come into force on 15 September 2024, officially adds the USA to the list of countries with adequate data protection levels. This framework aligns Switzerland’s data protection standards with those of the European Union, which implemented a similar framework in July 2023, ensuring consistent protection for individuals and businesses. Certified US companies are required to adhere to strict data processing and disclosure rules under this framework. You can read the press release here.

Sanctions

Netherlands: AP fines Uber €290 million for transferring driver data to US

The Dutch data protection authority (AP) has fined Uber €290 million for transferring European taxi drivers’ personal data to the United States without adequate safeguards, violating the GDPR. The AP’s investigation, initiated after complaints from over 170 French drivers, revealed that Uber had transferred sensitive data, including account details, location data, and even criminal and health records, to its US headquarters for over two years without proper safeguards. The issue was exacerbated by Uber ceasing to use Standard Contractual Clauses after August 2021, leaving the transfers without sufficient data protection. Since the end of last year, Uber has used the successor framework to the Privacy Shield. The fine, one of the largest issued by the AP, follows previous penalties of €600,000 in 2018 and €10 million in 2023. Uber, which has since rectified the violation, plans to appeal the decision. The AP coordinated its actions with other European DPAs to ensure consistency in the penalty assessment. You can read the press release here.

Portugal: Court confirms GDPR violation by Lisbon municipality

On 21 July 2024, the Lisbon Administrative Court confirmed that the Lisbon Municipality violated the GDPR by disclosing the personal data of protest organisers to third parties. The court upheld the findings of the Portuguese data protection authority (CNPD), which had originally fined the municipality €1,250,000. However, the court reduced the fine to €1,027,500, taking into account the expiration of certain infractions since the CNPD’s decision in December 2021. Additionally, the court agreed with the CNPD’s stance of not applying specific national legal provisions of Law No. 58/2019, deeming them incompatible with EU law. The case was initiated after two citizens lodged a complaint about the transmission of their personal data to the Russian Embassy. You can read the full article here (in Portuguese).

UK: ICO reprimands Labour Party for significant delays in responding to SARs

The UK data protection authority (ICO) has reprimanded the Labour Party for its repeated failures to respond to subject access requests (SARs) within the legally required time frame. The investigation revealed that, as of November 2022, 78% of the 352 SARs received had not been addressed within the three-month limit, with more than half delayed by over a year. The backlog developed after a cyber-attack in October 2021, leading to a surge in SARs. Additionally, a previously unmonitored “privacy inbox” was discovered, containing over 1,200 unaddressed requests. The Labour Party has since taken measures to address the backlog, including assigning additional staff and allocating extra funds. The ICO stressed the importance of timely responses to SARs, emphasising transparency and accountability, and urged the Labour Party to ensure future compliance with data protection laws. You can read the press release here.

UK: ICO provisionally decides to fine software provider £6m following NHS ransomware attack

The UK data protection authority (ICO) has provisionally decided to fine Advanced Computer Software Group Ltd (Advanced) £6.09 million. Advanced provides IT and software services to the NHS and other healthcare organisations, handling personal data on their behalf. The ICO’s initial findings suggest that Advanced failed to protect the personal data of 82,946 individuals, including sensitive information, during a ransomware attack in August 2022. The attack disrupted critical NHS services, including NHS 111, after hackers accessed Advanced’s systems through a customer account lacking multi-factor authentication. Personal data, including medical records and home care details, was exfiltrated, though there is no evidence it was published on the dark web. The findings are provisional, and Advanced has the opportunity to make representations before a final decision is made. The fine amount may also change. You can read the press release here.

Poland: UODO fines medical company nearly 1.5 million złoty following data breach

The Polish data protection authority (UODO) has fined American Heart of Poland SA nearly 1.5 million złoty (approximately €350,000) after a ransomware attack exposed the personal data of approximately 21,000 individuals. Hackers gained access to detailed personal and sensitive information, including health records, bank details, and contact information. UODO’s investigation revealed that the company had poorly assessed data protection risks and failed to comply with its own data security policies during the pandemic. The investigation also found that the company’s IT infrastructure was inadequately secured, with outdated software and insufficient protection against phishing attacks. Moreover, the company neglected to regularly test the effectiveness of its security measures, leading to the breach. As a result, UODO has ordered the company to conduct a proper risk analysis within 30 days and implement necessary technical and organisational safeguards. Additionally, the company is required to establish procedures for regular testing of its security measures. You can read the press release here (in Polish).

Spain: AEPD fines Uniqlo €450,000 following human error data breach

The Spanish data protection authority (AEPD) has fined Uniqlo Europe Ltd €270,000 after a data breach caused by human error exposed the payroll details of all its employees. The breach occurred in August 2022 when a Human Resources employee mistakenly sent a PDF file containing the payroll information of all Uniqlo staff to an unauthorised recipient. The document included sensitive personal data such as names, ID numbers, social security numbers, and bank account details. The breach was not reported to the AEPD until 20 days after a formal complaint was lodged on 31 March 2023, and affected employees were informed 10 days later. The AEPD found Uniqlo in violation of GDPR Article 5(1)(f) for failing to ensure data confidentiality and Article 32 for not implementing adequate security measures. Initially fined €450,000, the penalty was reduced to €270,000 after Uniqlo accepted responsibility and paid voluntarily. You can read the full decision here (in Spanish).

Sweden: IMY fines Apoteket and Apohem for transferring personal data to Meta

The Swedish data protection authority (IMY) has imposed fines of SEK 37 million (approx. €3.26 million) on Apoteket AB and SEK 8 million (approx. €0.70 million) on Apohem AB for improperly transferring sensitive personal data to Meta using the Meta Pixel tool on their websites. IMY’s investigation revealed that the companies had inadvertently transferred more data than intended due to the activation of a new feature in Meta Pixel. The data included information on customers’ purchases of over-the-counter medications for specific health issues, self-tests, and other personal items, though it did not involve prescription medications. The companies were unaware of the issue until it was brought to their attention by an external party. After discovering the breach, the companies took steps to improve their internal processes. The incident was reported to IMY in 2022. You can read the press release here (in Swedish).