Data Protection Weekly 29/2023

Jul 24, 2023

 European Union

EDPS: The CJEU’s use of cloud videoconferencing services complies with data protection law

In its Decision published on 13 July 2023, the European Data Protection Supervisor (EDPS) finds that the use of Cisco Webex videoconferencing and related services by the Court of Justice of the European Union (CJEU) meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies. The CJEU is the first EU institution to receive such an approval from EDPS. This decision comes after the invalidation of the EU-US Privacy Shield in July 2020, which governed the transfer of personal data from the EU to the US. The main features of the CJEU’s videoconferencing system include limited data transmission to the cloud with full and strong encryption, strong technical and organisational measures and the exclusive use of cloud servers located within the EU. You can read CJEU’s press release here, EDPS’s press release here and download the full decision here.

EDPB: Information note on the DPF and first review of the Japan Adequacy Decision

During its recent plenary, the European Data Protection Board (EDPB) adopted an information note concerning data transfers to the U.S. under the newly implemented Data Privacy Framework (DPF). The note aims to educate individuals and organisations on their rights and obligations, while explaining the impact of the adequacy decision. It also emphasises the necessary safeguards for data transfers outside the “Data Privacy Framework List”. EDPB Chair, Anu Talus, acknowledged the significance of this decision and expressed the EDPB’s commitment to monitoring the proper implementation of this new instrument. Moreover, the EDPB adopted a statement on the first review of the Japan Adequacy Decision. The review assesses the amendments to the Japanese legal framework, bringing it closer to GDPR, and highlights areas requiring closer monitoring by the European Commission. The EDPB therefore welcomes the European Commission’s commitment to closely monitor these issues.  You can read the full press release here.

Council of the EU: Adoption of Council’s common position on Cyber Resilience Act

On July 19, 2023, member states’ representatives (Coreper) reached a common position regarding the proposed legislation for cybersecurity requirements for products with digital elements, also known as the Cyber Resilience Act. The draft regulation aims to enhance the security of hardware and software products, like “Internet of Things” (IoT) products, throughout their lifecycle. It also aims to improve consumer awareness of cybersecurity features when choosing and using digital products. The agreement is a significant step towards ensuring a secure digital single market within the EU and providing robust protection against cyber threats. The agreement on Council’s common position will allow Spanish presidency enter negotiations with the European Parliament on the final version of the proposed legislation. You can read the full press release here.

European Commission: EU and Latin America and Caribbean form the EU-LAC Digital Alliance

On July 17, 2023, the European Union (EU) and 19 countries from Latin America and the Caribbean announced a partnership to form the EU-LAC Digital Alliance. The Alliance aims to create a framework for regular dialogue and cooperation on digital issues, fostering an inclusive digital society by closing digital gaps and divides. It will tackle various digital matters, including data protection, artificial intelligence, and digital policy dialogue, with emphasis on developing digital competences, particularly among women and girls. In 2023, the alliance plans key initiatives such as the extension of the BELLA fibre-optic cable and the establishment of an EU-LAC Digital Accelerator to boost bi-regional innovation and digital transformation. Progress will be reviewed annually to adjust priorities in line with evolving needs and opportunities. You can read the full statement here.

European Commission: Informal dialogue with the US CFPB on critical financial consumer protection issues

Didier Reynders, Commissioner for Justice and Consumer Protection of the European Commission and Rohit Chopra, Director of the United States Consumer Financial Protection Bureau announced the start of an informal dialogue between the European Commission and the US CFPB to address critical financial consumer protection issues in light of rapid digitalisation of the sector. The dialogue will focus on the impact of automated decision-making, the emergence of new financial products like ‘Buy Now, Pay Later,’ and the expanding influence of Big Tech companies. Policymakers stress the need for proactive measures to mitigate potential consumer risks, such as fraud, limited product choices, data privacy infringements, and discriminatory pricing strategies. They also plan to explore ways to ensure fair access to digital financial services for all consumers. You can read the joint statement here.

European Commission: Call for feedback on ENISA and Cybersecurity Certification Framework

The European Commission has launched an evaluation of the European Union Agency for Cybersecurity (ENISA) and the European Cybersecurity Certification Framework. This review, mandated by Regulation (EU) 2019/881, will evaluate ENISA’s performance in achieving its mandate, objective and tasks and the potential need for mandate adjustments. It will also assess the impact and efficiency of the Cybersecurity Certification Framework. A feedback period, from 14 July 2023 to 16 September 2023, is currently open for public input. The Commission is expected to adopt the findings in the second quarter of 2024. Individuals and entities are encouraged to contribute their perspectives to this significant initiative. You can read more about this initiative here.

National Authorities

Netherlands: AP publishes first report on algorithmic risks

The Dutch data protection authority (AP) recently released its first “Report on Algorithmic Risks in the Netherlands.” In this landmark report, the AP identifies intelligent chatbots and the opacity of current algorithms as the most significant algorithmic risks. These risks can affect numerous sectors, from law enforcement to financial transactions, and have potential consequences such as discrimination and lack of transparency. To mitigate these hazards, the AP urges the government and the private sector to strengthen their understanding and control of algorithms and Artificial Intelligence (AI). Additionally, it advocates for a focus on high-risk algorithms and encourages adherence to the anticipated classification of these systems under the forthcoming European legislation. The AP intends to publish similar reports every six months, positioning the Netherlands as a global leader in algorithm supervision. You can read the press release here and download the full report here (both in Dutch).

UK: ICO highlights key data protection lessons from recent reprimands

The UK data protection authority (ICO) has outlined key data protection lessons from reprimands issued between April and June 2023, intending to guide organisations in enhancing their practices. The ICO highlights the importance of avoiding inappropriate disclosure of personal information through comprehensive policies and staff training, a lesson drawn from reprimands issued to organisations such as Ministry of Justice and Thames Valley Police. The ICO also stresses the necessity to respond to Subject Access Requests (SARs) on time, referring reprimands against Plymouth City Council and Norfolk County Council for delayed responses. Finally, ICO emphasises the need for a “data protection by design and default” approach, citing reprimands against Sussex Police and Surrey Police for unlawfully capturing personal data via an app. The ICO recommends all organisations to heed these lessons and improve their data protection practices. You can read the full article here.

UK: ICO releases 2022/23 annual report outlining notable achievements

The UK data protection authority (ICO) has published its 2022/23 annual report, highlighting significant achievements aligned with the goals established in ICO25, its three-year strategic plan. The report showcases a range of accomplishments such as conducting insight and research with the communities the ICO aims to reach, working on children’s privacy, assessing the impact of technology on those most at risk of harm, and reducing the cost and burden of compliance for businesses. Other achievements include tackling the ICO’s casework backlogs, producing sector-specific guidance, and enhancing people’s access to information. These efforts illustrate the ICO’s dedication to upholding data privacy rights and supporting businesses in their compliance journey. You can find the full annual report here.

Global

UK: Government finalises first law enforcement data adequacy decision

The UK government has enacted its first law enforcement data adequacy decision since leaving the European Union, allowing for easier transfer of personal data from UK law enforcement to Guernsey authorities. This decision leverages new powers gained post-Brexit and aims to facilitate crime prevention and legal prosecution in Guernsey while providing UK authorities greater certainty about Guernsey’s regulatory landscape. A law enforcement data adequacy decision is issued when the government determines that a country, organisation, or sector meets required data protection and privacy standards to safeguard UK personal data, eliminating the need for additional safeguards or specific authorisation. By deeming Guernsey’s data protection adequate, the UK asserts that Guernsey’s robust privacy laws will ensure the safety of data transfers while upholding the rights and protections of UK citizens. You can read the full press release here.

Fines

Norway: Datatilsynet temporarily bans Meta’s behavior-based marketing

The Norwegian data protection authority (Datatilsynet) has imposed a temporary ban on behavior-based marketing practices on Facebook and Instagram. This move comes after the EU Court of Justice confirmed Meta’s behavior-based marketing to be non-compliant with lawful practices. Taking effect from August 4, the ruling applies solely to Norwegian users and could potentially lead to a daily coercive fine of NOK 1,000,000 (equivalent to €89,150) should Meta fail to comply. Datatilsynet clarifies that the ban does not prohibit Facebook or Instagram operations in Norway, nor personalised marketing based on user’s profile data such as residence, gender, and age, or self-stated marketing interests. Moreover, behavior-based marketing may continue for users giving valid consent.  The ban aims to ensure user rights protection and secure usage. Meta disagrees with the Datatilsynet’s assessments and has the option to appeal against the decision in the Oslo District Court. You can read the press release here and the full decision here (both in Norwegian).

Italy: Garante fines Rinascente S.p.A. €300,000 for multiple GDPR violations

The Italian data protection authority (Garante) has imposed a €300,000 fine on Rinascente S.p.A., a department store chain, for unlawful personal data processing of millions of customers through their loyalty card program. The issue was initially flagged by a customer who discovered offensive content on her replaced loyalty card, revealing unsolicited access to her customer record. Further investigations revealed other breaches of data protection legislation. For instance, the “friendscard” information did not specify data retention periods for marketing purposes nor indicate the company’s collaboration with Facebook-Meta to share customer email addresses. Rinascente’s e-commerce profiling activities also lacked the Data protection impact assessment procedure required by GDPR. The Garante has now ordered Rinascente to establish differentiated data retention periods and anonymise or delete data kept beyond set terms. The fine was determined considering the large number of affected individuals (over 2 million), the duration of the infringements, and the company’s financial capacity. You can read the press release here (in Italian).

Italy: Garante fines ASPI €1 million for unlawful personal data processing of 100,000 users

Following a complaint lodged by a consumer association, the Italian data protection authority (Garante) has imposed a €1,000,000 fine on Autostrade per l’Italia S.p.A. (ASPI), the company responsible for maintaining and managing Italian motorways. ASPI has been found to have unlawfully processed the data of around 100,000 users of the toll reimbursement app developed by Free to X S.r.l. The app allows users to claim reimbursements for motorway tolls delayed by roadworks. The Garante determined that ASPI acted as the data controller, not the data processor as indicated in the data protection agreement with Free to X and in the privacy notice provided to users. No further corrective actions were suggested by the Garante as ASPI had already undertaken remedial actions, including updating the app’s privacy policy, to rectify the situation. You can read the press release here (in Italian).