CEDPO
CEDPO DPO Conference: Registration Now Open! 📣
On 14 October 2024, join us in Brussels for the inaugural CEDPO DPO Conference, a must-attend event in English for data protection professionals! This conference will take place at the Thon Hotel EU in the heart of the European Quarter. It’s a unique opportunity to engage with high-level speakers from the industry, representatives of the EDPS, the EDPB, the European Commission and national supervisory authorities on the current challenges of our profession. Featuring a rich and diverse programme, including panel discussions and debates, the day promises stimulating insights into the future of the DPO role in an increasingly complex environment. As members of a CEDPO-affiliated association, you can enjoy a discounted fee of €190. Please contact your association to obtain the promotional code. For more information and to register, click here. We hope to see many of you in Brussels!
Thank you to our Sponsors for their Support:
Privacy Engine | Data Legal Drive | Dastra | Meta | GFT | Labor Project Srl
European Union
European Commission: EU signs Council of Europe Framework Convention on AI and human rights
The European Commission has signed the Council of Europe’s Framework Convention on Artificial Intelligence, human rights, democracy, and the rule of law, marking the first legally binding international agreement on AI. Signed by Vice-President Věra Jourová in Vilnius, Lithuania, the Convention aims to regulate AI in line with human rights and democratic values. It adopts a risk-based, human-centric approach and is fully compatible with the EU’s AI Act. The Convention applies to public authorities and private actors acting on their behalf, introducing obligations such as transparency, risk management, and accountability. Exemptions exist for research, development, and national security. Private actors can either follow the Convention’s obligations or apply alternative measures to mitigate risks. This signature expresses the EU’s intention to become a Party to the Convention, with formal accession requiring approval from the European Parliament. You can read the full details here.
EDPB: Virtual stakeholder event on ‘Consent or Pay’ guidelines on 18 November 2024
The European Data Protection Board (EDPB) will host a virtual stakeholder event on 18 November 2024 to discuss upcoming guidelines on ‘Consent or Pay’ models. These models allow users to either consent to data processing or pay a fee to access services. The event seeks input from organisations, academics, and other experts to help shape the guidelines, which will cover a broader scope beyond the EDPB’s previous Opinion 08/2024 on large online platforms. Participation is limited to ensure productive discussions, with only one representative allowed per organisation. The call for expressions of interest opened on 12 September 2024 and will close once enough participants have registered. You can read the press release here and submit your application here.
EDPB: Collaboration with European Commission to develop guidance on GDPR and DMA
The European Data Protection Board (EDPB) and the European Commission’s services responsible for enforcing the Digital Markets Act (DMA) have agreed to work together to develop guidance on the interplay between the DMA and the General Data Protection Regulation (GDPR). This enhanced dialogue will focus on clarifying the obligations of digital gatekeepers under the DMA where these obligations intersect with GDPR requirements. The goal is to ensure consistent enforcement of both regulatory frameworks while respecting the competences of each regulator. This collaboration builds on ongoing discussions within the DMA’s High Level Group, which includes representatives from the European Commission, EDPB, and the European Data Protection Supervisor (EDPS), and has already engaged on data-related and interoperability obligations. This initiative further deepens cooperation between the two frameworks. You can read the press release here.
Supervisory Authorities
Netherlands: AP warns organisations about inadequate data breach notifications
The Dutch data protection authority (AP) has warned that organisations often provide insufficient and unclear information to victims of data breaches, leaving them unaware of the risks and steps they can take to mitigate potential harm. Following an investigation into the largest data breaches of 2023, which affected around 10 million people, the AP found that many organisations are slow to send warning messages, averaging more than three weeks after a breach is discovered. These alerts often lack clarity about what data has been compromised and fail to use language that draws the recipient’s attention. Organisations claim that the delays are due to internal approval processes and the need to further investigate the breach. In response, the AP has issued guidelines and example text to help organisations improve their communications, while stressing the importance of quick and informative notifications. You can read the press release here.
Luxembourg: CNPD releases annual report for 2023
The Luxembourg data protection authority (CNPD) presented its 2023 activity report, marking five years since the GDPR’s implementation. Key highlights include 44 published opinions on proposed legislation covering topics like affordable housing, bodycams, and juvenile criminal procedure. The CNPD received numerous information requests, particularly concerning workplace surveillance and data subject rights, reflecting growing public awareness. The organisation handled 434 data breaches, primarily caused by human error, and conducted 21 investigations. Educational efforts continued, with training initiatives like the ‘Data Protection Basics’ course. Notably, the CNPD remains the only European authority to have developed a GDPR certification system. As the CNPD looks ahead, it is preparing for future responsibilities under upcoming EU legislation such as the Digital Services Act and the AI Act, while developing new tools like an e-learning platform and a regulatory sandbox for AI. You can read the press release here.
Ireland: DPC concludes proceedings on X’s AI tool ‘Grok’
The Irish data protection authority (DPC) has concluded High Court proceedings against X regarding its AI tool, Grok. X has agreed to permanently adhere to the terms outlined in an earlier DPC undertaking, prompting the case to be struck out. The DPC initially raised concerns that X’s processing of personal data from EU/EEA users’ public posts for AI training risked infringing fundamental rights. This was the first instance of the DPC using its powers under Section 134 of the Data Protection Act 2018. Additionally, the DPC has requested an opinion from the European Data Protection Board (EDPB) to clarify legal and regulatory questions concerning personal data use in AI models, aiming for a consistent regulatory framework across Europe. The request is linked to various complaints received about data controllers’ AI model training practices. You can read the press release here.
Ireland: DPC welcomes latest successful prosecution of marketing offences
The Irish data protection authority (DPC) has expressed its approval of a recent prosecution at Galway District Court involving Supermac’s Ireland Limited. On 3 September 2024, Supermac’s pleaded guilty to five charges of sending unsolicited marketing emails to a customer, despite being notified that the individual did not wish to receive such communications. The case followed a DPC investigation, initiated after earlier complaints, which resulted in a warning being issued to the company in February 2023. In this instance, instead of imposing a conviction or fine, Judge Fahy directed the company to donate €3,500, to be equally divided between the Galway Simon Community and Cope Galway. You can read the press release here.
Ireland: DPC launches inquiry into Google AI model
The Irish data protection authority (DPC) has initiated a cross-border inquiry into Google Ireland Limited (Google) regarding its compliance with Article 35 of the GDPR. The inquiry focuses on whether Google conducted a required Data Protection Impact Assessment (DPIA) before processing the personal data of EU/EEA citizens during the development of its AI model, Pathways Language Model 2 (PaLM 2). DPIAs are crucial when data processing poses a high risk to individuals’ rights and freedoms, ensuring that adequate measures are in place to protect personal data. The investigation is part of the DPC’s broader efforts, in coordination with other EU/EEA regulators, to oversee the use of personal data in AI development. You can read the press release here.
Denmark: Datatilsynet publishes 2023 annual report
The Danish data protection authority (Datatilsynet) has released its 2023 annual report. The document provides an overview of Datatilsynet’s activities throughout the year, covering areas such as investigations, international cooperation, and security concerns. The report also delves into specific cases handled by the authority, offering a detailed look at its enforcement actions. Additionally, it includes valuable statistics on case processing and the authority’s operational performance. The annual report serves as a comprehensive resource for understanding Datatilsynet’s role and efforts in protecting personal data in Denmark during 2023. You can access the full report here (in Danish).
Spain: AEPD addresses the use of probabilistic methods under GDPR
The Spanish data protection authority (AEPD) has published a detailed blog post discussing the challenges posed by probabilistic methods when processing personal data under the GDPR. These methods, commonly used in AI and machine learning applications, can lead to issues with accuracy, as they may generate false positives or negatives. According to Article 5.1(d) of the GDPR, personal data must be “accurate and, where necessary, kept up to date,” raising questions about whether probabilistic methods can meet this standard. The AEPD clarifies that while such methods may not be inherently non-compliant, they should be part of a broader data processing strategy that ensures accuracy and necessity, particularly in areas like age verification. The AEPD suggests that probabilistic approaches may need to be combined with other methods to achieve GDPR compliance. You can read the full blog post from AEPD here (in Spanish).
Sanctions
Netherlands: AP fines Clearview for the illegal collection of data for facial recognition purposes
The Dutch data protection authority (AP) has fined Clearview AI €30.5 million for violations of the GDPR, with an additional €5.1 million in penalties if the company fails to comply. Clearview, a US-based firm providing facial recognition services, has illegally amassed a database of over 30 billion photos, including those of Dutch citizens, without consent. The AP warns that using Clearview’s services is prohibited. The AP criticises Clearview’s lack of transparency and refusal to provide individuals with access to their data. Although Clearview claims its services are limited to non-EU countries, the AP is exploring further enforcement options, including holding company directors personally liable. Clearview has not contested the fine and cannot appeal. The AP stresses that only competent authorities should use facial recognition under strict conditions. You can read the press release here.
France: CNIL fines CEGEDIM SANTÉ €800,000 for unauthorised processing of Health Data
The French data protection authority (CNIL) fined CEGEDIM SANTÉ €800,000 for processing health data without proper authorisation. The company, which supplies management software to medical practices and health centres, processed pseudonymised health data for research and statistical purposes without obtaining the necessary CNIL approval required under the French Data Protection Act. The data included detailed patient information and unique identifiers, making re-identification of individuals possible and thus failing to meet anonymisation standards. Additionally, CEGEDIM SANTÉ breached Article 5.1.a of the GDPR by automatically downloading patients’ health reimbursement histories from the “HRi” teleservice without lawful basis; doctors could not consult this data without it being collected by the company. You can read the press release here.
Belgium: APD fines telecom operator for delayed response to access request
The Belgian data protection authority (APD) fined a telecom operator €100,000 for responding 14 months late to a customer’s right of access request. The case stemmed from a customer’s inquiry after a contractual dispute, seeking information on the identity of the employees who processed his personal data and the purposes of the data processing. Although the request was submitted via the operator’s Messenger channel, it was not forwarded to the Data Protection Officer as requested. Despite being handled by two employees, the company delayed its response by 14 months. The APD found that while the request concerning processing purposes was met, the customer had no right to access the identity of the employees. The decision was based on a violation of Article 15 of the GDPR, while Articles 12.2 and 12.3 were not considered in the final ruling. The company has 30 days to appeal the decision. You can read the press release here and the full decision here (in French).
Belgium: APD sanctions Mediahuis for unlawful cookie banner practices
The Belgian data protection authority (APD) has sanctioned Mediahuis for violations related to cookie banners on four of its news websites. Following complaints filed by NOYB, representing a Dutch citizen, the APD found that Mediahuis failed to offer a “Reject All” button on the first level of its cookie banners and used deceptive design patterns to encourage acceptance of cookies. Additionally, the removal of consent was unnecessarily difficult, and non-essential cookies were placed without valid user consent. Mediahuis was ordered to rectify these issues within 45 days. The APD imposed fines of €25,000 per day for each site if non-compliance persists beyond the deadline. While Mediahuis has since addressed some concerns, it may still appeal the decision. The APD has highlighted cookie compliance as a priority in its enforcement agenda. You can read the press release here (in French).