Data Protection Weekly 28/2023

Jul 14, 2023

 European Union

European Commission: Adoption of adequacy decision for the EU-U.S. Data Privacy Framework

The European Commission has announced the adoption of a new adequacy decision for the EU-U.S. Data Privacy Framework. This decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. The new framework removes the need for additional data protection safeguards. The EU-U.S. Data Privacy Framework introduces binding safeguards that address concerns raised by the European Court of Justice, and establishes a Data Protection Review Court (DPRC). The DPRC can enforce the deletion of data collected in violation of these safeguards. The decision is seen as a step forward in data protection, as it introduces significant improvements compared to the previous Privacy Shield. The Framework also mandates U.S. companies importing data from the EU to subscribe to specific obligations. The Commission indicates that the safeguards put in place by the US will facilitate transatlantic data flows. You can read the press release here and download the full decision here.

The adopted act is open for feedback for a period of 8 week(s) through 4 September. All feedback received will be summarised by the European Commission and presented to the European Parliament and Council feeding into the legislative debate. You can provide your feedback here.

European Commission: Presentation of strategic plan for Web 4.0 and virtual worlds

The European Commission presented its strategic plan for Web 4.0 and virtual worlds, anticipating the next technological transition. The strategy is aimed at creating an open, secure, trustworthy, and inclusive digital environment for EU citizens, businesses, and public administrations. The future Web 4.0 will integrate digital and physical environments, enhancing human-machine interaction. Virtual worlds, whose market size is predicted to grow from €27 billion in 2022 to over €800 billion by 2030, will significantly influence societal dynamics, bringing opportunities and risks. The strategy is centred around empowering people, supporting a European Web 4.0 ecosystem, advancing virtual public services, and developing global standards for Web 4.0. The approach is in line with the objectives of the Digital Decade policy program set for 2030. You can read the full press release here.

EDPS: Organisational restructuring announced to address data protection challenges

The European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, has announced a series of organisational changes designed to adapt to and address the increasing data protection challenges in a rapidly changing environment. The changes include the appointment of the EDPS’ first Secretary-General, Leonardo Cervera Navas. In addition, the EDPS has established specific sectors to ensure efficient enforcement of data protection law, including areas such as complaint resolution, legal advice, and monitoring of the EU’s Area of Freedom, Security and Justice. The Technology and Privacy Unit has been restructured, leading to the creation of sectors responsible for oversight of IT systems, anticipation of new technologies, and independent digital transformation of EDPS. A task force has also been formed to ensure the use of artificial intelligence complies with data protection laws. You can read the press release here and see the new organigram here.

Council of Europe: Bosnia and Herzegovina’s ratification of Convention 108+

On July 7, 2023, Bosnia and Herzegovina ratified the Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data, also known as Convention 108+. Bosnia and Herzegovina, a party to Convention 108 since 2006, is now the 27th State to join Convention 108+ and is already implementing the provisions of the amending protocol. This ratification brings Convention 108+ closer to coming into full effect as a unique global legal instrument safeguarding personal data and the right to privacy. Only 11 more ratifications are required for the Convention 108+ to be fully implemented. You can read the press release here.

National Authorities

Denmark: The DPA has issued guidance on the right to erasure from search engines

The Danish Data Protection Authority has recently published an advisory text on its website about what applies when you want to have a search result about you deleted from a search engine. The authority stated that it often receives inquiries from citizens who are in doubt as to whether they have the right to have their information deleted from search engines such as Google and Bing – and not least how they should approach it in that case. Against this background, the supervisory authority has expanded its existing guidance in the area. You can read (in Danish) the press release here and the corresponding guidance here.

France: CNIL sets up new economic analysis team an publishes work programme

In a move to deepen its understanding of the economic impact of data protection regulation, France’s data protection authority (CNIL) has established a new economic analysis team. This team will carry out impact studies, sectoral analyses, and quantitative work to guide CNIL’s decision-making. It will also collaborate with other economic regulators, thus strengthening connections between data protection, innovation, and competition policies. As a part of its initial projects, the team has already begun investigating free business models in the digital economy, the economic challenges of data in the mobile app ecosystem, and the economic implications of the Data Governance Act.  As part of its medium-term work programme the team will be working on projects focusing on personal data and competition, economic aspects of calculating penalties, virtuous business models for privacy, the secondary data market, and the economic impact assessments of GDPR and the economic benefits of having a Data Protection Officer (DPO). The team’s creation aligns with CNIL’s 2022-2024 strategic plan to further embrace its “role as a regulator with an economic impact.” You can read the press release here and the 2022-2024 strategic plan here.

Germany: BfDI appointed as the EDPB representative on the new European Data Innovation Board

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) announced this week its appointment by the European Data Protection Board (EDPB) as its representative for the European Data Innovation Board (EDIB). The BfDI reaffirmed that the EDIB will advise and support the European Commission regarding compliance with and enforcement of the Data Governance Act and, in the future, the Data Act. Within the remit of its membership, the BfDI – as EDPB representative  – will be able to actively participate in the interpretation and implementation of two of the most important EU digital legal acts for data law. In line with the positions of the EDPB, the BfDI will work in particular to ensure that the existing protective mechanisms, in particular the GDPR, are not undermined by the new legal acts. You can read the BfDI press release in German here.

Spain: AEPD updates guide on cookies to match EDPB’s guidelines

The Spanish data protection authority (AEPD) has revised its guide on the  use of cookie, aligning it with the new guidelines on deceptive design patterns in social media platform interfaces issued by the European Data Protection Board (EDPB) in February 2023. This version of the guide, like previous ones, is the result of collaboration with several stakeholders, including associations such as ADIGITAL, Advertisers, AUTOCONTROL, and IAB Spain. The guide includes new examples of how the options to accept or to reject cookies should be presented in terms of colour, size, and placement. It also clarifies that the alternative access to the service without accepting cookies need not be free of charge. The new criteria must be implemented no later than 11 January 2024, providing a six-month transition period for necessary adjustments. You can read the press release here and the full guide here (both in Spanish).

Spain: AEPD director warns against unsupervised mobile use among minor and AI challenges

Mar España Martí, Director of the Spanish data protection authority (AEPD), has stressed the dangers of providing unsupervised mobile and internet access to minors and the challenges presented by Artificial Intelligence (AI) during an event on “Current Data Protection Challenges”. Citing data from the AEPD and UNICEF, Mar España reported that almost half of teenagers use mobile phones for over six hours daily, with one fifth of families offering unrestricted internet access to their children. Furthermore, Mar España highlighted AI’s increasing impact on daily lives, often without comprehensive regulations, leading to potential data discrimination and biases. Mar España also voiced concerns about the rising volume of complaints received by the AEPD, emphasising the  authority’s growing need for resources. You can read the full press release here (in Spanish)

Italy: Garante seeks clarification from Pornhub on user profiling and tracking systems

The Italian data protection authority (Garante) has requested information from MG Freesites Ltd, the Cypriot company that operates Pornhub, about user profiling and tracking systems on the Italian version of the site. This action follows a user complaint, which prompted the Garante to scrutinise the nature and purpose of any user profiling and to examine the legality of the site’s use of non-technical cookies and tracking tools. Further, the Garante is also asking for information on whether the data collected is shared with third parties and whether users have been informed of this. The company must also explain the measures taken to verify user age and to facilitate the exercise of user rights in relation to personal data protection. MG Freesites has 20 days to respond to these requests. You can read the press release here.

Sweden: IMY publishes a blogpost on data processing by privacy-friendly camera surveillance

Sweden’s data protection authority (IMY) has clarified that privacy-friendly camera surveillance, including techniques such as digital masking and pixelation, still involves processing of personal data. The IMY highlighted in a recent case against a municipality that even the initial collection of surveillance footage will often be considered as personal data processing. The IMY’s decision included the observation that individuals can still be identified from pixelated footage, especially in environments where the same people are frequently present. While privacy-friendly technologies, such as pixelation, decrease the intrusion of privacy compared to high-resolution imaging, IMY stresses that it doesn’t necessarily eliminate personal data processing. The case has been appealed to the administrative court. IMY supports the use of such technologies but cautions data handlers to comply with data protection regulations. You can read the full blogpost here (in Swedish).

UK: ICO publishes data protection and journalism code of practice

The UK data protection authority (ICO) has published a code of practice on using personal information for journalism, and submitted it to the Secretary of State at the Department for Science, Innovation, and Technology. This code offers guidance on how to comply with data protection laws while using personal data in journalism. The guidelines have been developed with inputs from various stakeholders, including media organisations, industry representatives, and civil society. While the code does not govern media standards overall, it aligns with and complements existing industry codes. UK Information Commissioner John Edwards stated that the code strikes the right balance between enabling journalism and protecting personal information. The ICO was required by Parliament to produce the code. However, the Code must go through a statutory process before it can be enforced. You can read the press release here and the full code here.


Meta: Threads App faces privacy backlash amidst rapid user growth

Meta’s new app, Threads, has amassed 100 million users in just a few days, sparking concern among privacy experts. They warn that users may not fully comprehend the extent of data collection on the platform. Threads’ launch in the European Union has been delayed, as it’s unclear whether Meta’s handling and sharing of user data across different platforms complies with EU’s Digital Markets Act. This concern echoes Meta’s history of privacy issues, including improper collection and use of data leading to penalties under the US FTC consent decree and European Union’s GDPR. The app is reported to collect substantial user data, including health and financial information, location, browsing history, and user interaction data. Meta’s data collection practices, mainly oriented towards ad sales, could leave users vulnerable to invasive targeted advertising and potential law enforcement requests. You can read the full article here.

Google: AI chatbot, Bard, launched in Europe and Brazil to rival Microsoft’s ChatGPT

Alphabet’s AI chatbot, Bard, is launching in Europe and Brazil, stepping up the competition against Microsoft’s ChatGPT. This marks the largest expansion of the product since its February launch. Bard uses generative artificial intelligence to carry out conversations and answer prompts, similar to its rival. New features have been added to Bard, allowing it to function in over 40 languages and enabling customisation of tone and style of responses. The product also allows for conversations to be pinned, renamed, or exported and supports the use of images in prompts. Importantly, Bard’s EU launch comes after resolving regulatory hold-ups with local privacy authorities, addressing their concerns regarding transparency, user control, and choice. As Google faces a class action in the U.S. over alleged misuse of user data, the company reassures that Bard users can opt out of data collection. You can read the full article here.


Ireland: DPC fines Irish Department of Health for data minimisation infringement

The Data Protection Commission (DPC) has concluded its inquiry into the Department of Health’s processing of personal data in special educational needs litigation. It was found that while the department was in its rights to seek necessary data for open cases, it infringed data protection law by asking broad questions, which led to obtaining sensitive personal data that was deemed excessive and disproportionate. This included information on plaintiffs’ jobs, living conditions, and family details. The DPC also found infringements of transparency obligations and data security requirements. As a result, the DPC imposed a €22,500 fine on the Department of Health, in addition to a ban on further processing of the sensitive data and a reprimand for all the infringements. You can read the press release here and the full decision here.