Data Protection Weekly 27/2023

Jul 10, 2023

European Union

European Commission: New rules to ensure stronger enforcement of the GDPR in cross-border cases

The European Commission announced on July 4, 2023, a new law proposal to strengthen enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. The proposal sets up concrete procedural rules for data protection authorities (DPAs) when applying the GDPR in cases which affect individuals located in more than one Member State. It introduces measures to bring about swifter case resolution, thereby offering more legal certainty for businesses and quicker remedies for individuals. The new rules also aim to enhance efficiency and smooth cooperation between DPAs. Importantly, this proposed regulation does not affect substantive elements of the GDPR, preserving the rights of data subjects and the obligations of data controllers and processors. It contributes to the harmonisation of procedural rules, supporting the timely completion of investigations. You can read the press release here and download the proposal here.

European Commission: Article 93 committee records a positive vote on the revised draft of the EU-US DPF adequacy decision

The Committee established under Article 93 of the GDPR published on July 7 the formal results of its voting procedure from July 6 on the revised draft Commission adequacy decision for the EU-US Data Privacy Framework. As a reminder, the committee is comprised of representatives from the Member States and chaired by the Commission. The committee assists the Commission when adopting implementing measures such as adequacy decisions. In the vote, 24 Member States were in favour, zero against, with three abstentions. The final step in the process is the formal adoption of the adequacy decision by the European Commission, which is expected shortly. You can access the voting results and supporting documents through the Comitology register here.

CJEU: A national competition authority can find GDPR breaches in dominant position abuse investigations

The European Court of Justice ruled that a national competition authority can find GDPR violations while examining possible abuses of a dominant position, as in the case against Meta Platforms Ireland, which operates Facebook. The German Federal Cartel Office had prohibited Meta from processing “off-Facebook data” without users’ consent, arguing that such processing was inconsistent with GDPR and constituted abuse of Meta’s dominant position. The European court clarified that a competition authority noting a GDPR breach does not replace the supervisory authority set up under that regulation, but should cooperate with them. It added that consent of the data subject can validate data processing but stressed that a dominant player’s position can impact users’ freedom of choice, potentially affecting the validity of given consent. You can read the press release here and the full decision here.

Council of Europe: Publication of new guidelines on data protection for AML/CFT purposes

The Council of Europe has issued guidelines on data protection related to the processing of personal data for anti-money laundering and countering financing of terrorism (AML/CFT) purposes. These guidelines aim to integrate the requirements of Convention 108+ in AML/CFT areas, to ensure an appropriate level of data protection while enabling transborder data flows. They also emphasise certain areas within AML/CFT where data protection safeguards need to be strengthened. The guidelines, which underwent broad consultation with various stakeholders including the Financial Action Task Force secretariat, were adopted by the Committee of Convention 108 during its 44th plenary meeting in Strasbourg. You can read the press release here and the full guidelines here.

ENISA: Publication of new report on Digital Identity Standards

The European Union Agency for Cybersecurity (ENISA) released on July 3, 2023, a comprehensive report detailing critical standards and standardisation organisations in the field of digital identity. Amid the surge in digital services and electronic transactions, particularly due to COVID-19 restrictions, digital identity has become paramount. Defined as the unique representation of a subject engaged in an online transaction, it is now being standardised. The report, intended for both newcomers and experienced professionals in the field, provides an analysis of various mechanisms supporting digital identity, such as means created and managed by trust services, electronic identification means, and the EU Digital Identity Wallet. The publication emphasises that these standards are crucial in facilitating secure, universally recognised digital transactions. Moreover, it presents recommendations for key stakeholders, including EU policymakers and European Standardisation Organisations (ESOs). You can download the full report here.

ENISA: Publication of first cyber threat landscape report for the health sector

In its first cyber threat landscape report for the health sector, the European Union Agency for Cybersecurity (ENISA) reveals that ransomware accounts for 54% of cybersecurity threats. The report, based on 215 publicly reported incidents over two years, found that healthcare providers accounted for 53% of these incidents, with hospitals particularly affected. The study also identified serious vulnerabilities in healthcare systems and medical devices, contributing to over 61% of security incidents according to 80% of respondents. The concurrent COVID-19 pandemic amplified the situation, escalating the frequency of cyberattacks on health systems. Geopolitical developments also resulted in increased Distributed Denial of Service (DDoS) attacks. The report calls for improved cybersecurity measures to protect the healthcare sector. You can read the press release here and download the full report here.

National Authorities

France: CNIL issues technical recommendation on data sharing via APIs

The French data protection authority (CNIL) has released a technical recommendation on best practices for sharing personal data via Application Programming Interfaces (APIs). CNIL notes the increasing use of APIs to transmit data between administrations, private organisations, and individuals, emphasising that API use can be beneficial for personal data protection if good practices are followed in their design, deployment, and use. The recommendation targets all types of data sharing through APIs, whether open or restricted, and covers all types of organisations, both public and private. It also provides guidance to data holders, API managers, and data re-users on compliance with data protection principles and on identifying risk factors. The recommendation follows a public consultation involving feedback from 24 organisations. You can read the press release here and the full recommendation here (both in French).

Portugal: CNPD opens public consultation on 2024-2026 strategic plan

The Portuguese data protection authority (CNPD) has opened a public consultation on its draft Triennial Activity Plan for 2024-2026. The CNPD seeks opinions from all stakeholders, including data subjects, public and private organisations as data controllers and processors, and data protection officers. The Triennial Plan outlines three strategic objectives aimed at enhancing the efficiency of the CNPD’s mission, involving 20 strategic actions. Stakeholders are invited to comment on priority actions and suggest additional activities to be carried out, considering the strategic objectives outlined. Contributions can be submitted to until July 15th, and will be analysed by the CNPD for possible incorporation into the organisation’s activity. You can read the press release here and read the full strategic plan here (both in Portuguese).

IWGDPT: Joint statement on the 71st Meeting of the “Berlin Group”

The International Working Group on Data Protection in Technology (IWGDPT), also known as the Berlin Group, held their 71st meeting in Rome from June 6 – 7, 2023, under the joint organisation of Italy’s Garante per la Protezione dei Dati Personali (Garante) and the Federal Commissioner for Data Protection and Freedom of Information (BfDI) of Germany. Attendees from various international data protection authorities, civil societies, and other international organisations participated in extensive discussions on issues related to data protection and technology. Keynote speeches revolved around technological safeguards and privacy risks in current data sharing strategies. The meeting saw the adoption of a new paper on “Telemetry and Diagnostic Data”, and decided on the future focus areas, including “Generative AI” and “Neurotechnology”. The Berlin Group also discussed ongoing work on papers about “Central Bank Digital Currencies” and “Data Sharing”. You can read the press release here.

EU-US DPF: ODNI releases IC procedures implementing new safeguards in Executive Order 14086

The Office of the Director of National Intelligence (ODNI) has released the policies and procedures of the Intelligence Community (IC) to implement privacy and civil liberties safeguards specified in Executive Order (EO) 14086, titled “Enhancing Safeguards for United States Signals Intelligence Activities.” The order, signed by the President on October 7, 2022, directs the United States to fulfil its commitments under the European Union-United States Data Privacy Framework (EU-U.S. DPF). The EO enhances the existing privacy and civil liberties safeguards for U.S. signals intelligence activities. It emphasises considering the privacy and civil liberties of all individuals, regardless of nationality or country of residence, and conducting such activities only when necessary and proportionate to intelligence priorities. The IC elements’ procedures, developed in consultation with the Attorney General, the ODNI Civil Liberties Protection Officer, and the Privacy and Civil Liberties Board, further implement the EO’s requirements and the United States’ commitments under the EU-U.S. DPF. You can read the press release here.

Meta: No Instagram Threads app in the EU

Meta’s Twitter competitor, Threads, will not be launched in the European Union or Ireland for now, according to a spokesperson for Ireland’s Data Protection Commission (DPC). Currently released in the US and the UK, the Threads platform is designed to extract a wide range of data from Instagram users, including health and financial information, location, browsing histories, and more. Although the DPC is not actively blocking the service, Meta has refrained from launching in the EU due to perceived ambiguity in the EU’s Digital Markets Act, which places restrictions on how “gatekeeper” companies handle users’ personal data. The decision follows previous restrictions preventing Meta from launching advertising services on WhatsApp in the EU using data from Facebook or Instagram. You can read the full article here.

EU AI Act: Stakeholders express concerns over proposed regulation

Over 160 executives from companies like Renault and Meta, representing key stakeholders in the European economic sector, have raised concerns about the proposed EU AI Act. They warn that the legislation, recently adopted by the European Parliament, could severely restrict generative AI by enforcing heavy regulations on foundation models, regardless of use-cases. This could lead to increased compliance costs and disproportionate liability risks, driving companies to move their operations overseas and investors to withdraw funds from European AI development. Criticising the European Parliament’s shift from a risk-based to a technology-based approach, the executives fear the legislation could create a significant productivity gap between Europe and the rest of the world. They are calling on the EU to revise the AI Act towards a risk-based approach that fosters innovation while ensuring safety and transparency. You can read the open letter here.

EU AI Act: Spanish presidency sets out options on key topics of negotiation

Spain took over the rotating presidency of the EU Council of Ministers on 1 July. On top of its digital priorities, Madrid seeks to reach a political agreement on the AI Act during the course of its presiding term. As expected, the topics of AI definition, high-risk classification, list of high-risk use cases and the fundamental rights impact assessment will be on the table of the Council as the Spanish presidency prepares to dive headfirst into negotiations. EURACTIV reports this week on these key topics here.

Sweden: IMY fines four companies over use of Google Analytics

The Swedish data protection authority (IMY) has audited four companies regarding their use of Google Analytics for web statistics. As a result, IMY fined two companies and ordered three to stop using Google Analytics due to concerns over the transfer of personal data to the US, while the fourth had already stopped using it on its own. The audits were initiated following complaints from None of Your Business (NOYB), an organisation that alleged the companies violated data protection laws by transferring personal data to the US without adequate protection, in violation of the GDPR and the Schrems II ruling by the European Court of Justice. The audits concern the version of Google Analytics in use on 14 August 2020. The companies involved were CDON, Coop, Dagens Industri, and Tele2, all of which had based their data transfer decisions on standard contractual clauses. The IMY determined that none of the companies’ additional technical security measures met the required standards, leading to fines of 12 million SEK (approximately €1.14 million) against Tele2 and 300,000 SEK (approximately €28,500) against CDON. You can read the press release (in English) and find the full decisions (in Swedish) here, and the NOYB press release here.

Romania: ANSPDCP sanctions ANPC for unlawful use of body cams

The Romanian data protection authority (ANSPDCP) concluded an investigation into the National Authority for Consumer Protection (ANPC), citing infringements of GDPR Article 5, Paragraph 1 (a) and Article 6, Paragraph 1. The ANPC was found to have unlawfully collected personal data using body camera devices. The data collection, which was not based on any legal obligation or public interest, had been ongoing since May 2023 and included capturing private individuals, employees, and business representatives without consent or oversight. The ANSPDCP imposed a corrective measure, requiring ANPC to cease data processing operations through body cams and to delete all collected personal data. ANPC has reported compliance with the measure. Other institutions, such as the Local Police in Cluj, Constanta, and Bucharest’s Sector 4, were also found in violation of the same GDPR articles for similar practices. You can read the press release (in Romanian) here.