Data Protection Weekly 3/2023

Jan 20, 2023

European Union

EDPB determines privacy recommendations for use of cloud services by public sector

The EDPB has adopted a report on the findings of its first coordinated enforcement action, which focused on the use of cloud-based services by the public sector. The EDPB underlines the need for public bodies to act in full compliance with the GDPR and includes recommendations for public sector organisations when using cloud-based products or services. In addition, a list of actions already taken by data protection authorities (DPAs) in the field of cloud computing is made available. The full report can be found here.

Draft Report of the work undertaken by the Cookie Banner Taskforce adopted by the EDPB

The EDPB adopted a report on the work undertaken by the Cookie Banner Task Force, which was established in September 2021 to coordinate the response to complaints concerning cookie banners filed with several EEA DPAs by NGO NOYB. The Task Force aimed to promote cooperation, information sharing and best practices between the DPAs, which was instrumental in ensuring a consistent approach to cookie banners across the EEA. In the report, the DPAs agreed upon a common denominator in their interpretation of the applicable provisions of the e-privacy Directive and of the GDPR, on issues such as reject buttons, pre-ticked boxes, banner design, or withdraw icons. The ‘draft’ report can be read here.

New Cybersecurity Directives (NIS2 and CER) Enter into Force

On January 16 2023, the Directive on measures for a high common level of cybersecurity across the Union (the NIS2 Directive) and the Directive on the resilience of critical entities (CER Directive) entered into force. The NIS2 Directive repeals the current NIS Directive and creates a more extensive and harmonized set of rules on cybersecurity for organizations carrying out their activities within the European Union. The CER Directive repeals the European Critical Infrastructure Directive and brings with it new, stronger rules for the cyber and physical resilience of critical entities and networks. A summary article can be read here. The European Commission press release here.

National Authorities

Belgium: Belgian DPA Approves IAB Europe’s Action Plan For Consent Framework

On January 11 2023, the Belgian Data Protection Authority announced that it has approved the Interactive Advertising Bureau Europe’s (“IAB Europe”) action plan with respect to its Transparency and Consent Framework (“TCF”) following a DPA investigation that resulted in a €250,000 fine for GDPR infringements. IAB Europe now has 6 months to up-date its framework. For background to the initial enforcement decision see the Belgian DPA’s press release from 2022 here and IAB Europe’s recent reaction and press release in response to the action plan approval here.

France: Data collection in mobile applications: the CNIL launches a public consultation on economic issues

As announced in its action plan of November 2022, the CNIL wishes to obtain a better understanding of the economic issues associated with the collection and processing of data in mobile applications. Consequently, it is launching a call for contributions, which will allow it to substantiate recommendations that the CNIL intends to publish in the course of 2023. This call for papers is open until the 10 February 2023. For more information please see the press release here.

Ireland: Data Protection Commission announces conclusion of inquiry into WhatsApp

The Data Protection Commission (“DPC”) has announced the conclusion of an inquiry into the processing carried out by WhatsApp Ireland Limited in connection with the delivery of its WhatsApp service, in which it has fined WhatsApp Ireland €5.5 million for breaches of the GDPR relating to its service. WhatsApp Ireland has also been directed to bring its data processing operations into compliance within a period of six months. The DPC press release can be read here.

Netherlands: The Dutch DPA launches an Algorithms Coordination Directorate

The Dutch DPA has announced the creation of a new Algorithms Coordination Directorate. The DPA will receive 1 million euros from 2023 to take on these new tasks, increasing to a structural 3.6 million euros in 2026. This new area of focus for the DPA will complement existing national market supervisors, government inspectorates, stakeholders and experts already supervising the deployment of AI in other sectors and the intention is to jointly monitor and cooperate in supervisory activities. The Dutch DPA press release can be read here.

Spain: Spanish DPA promotes a mediation system to facilitates a quicker resolution of advertising complaints.

The Spanish DPA – AEPD – announced on 17 January 2023, its approval of the revised Code of Conduct for Data Processing in Advertising initially approved on 3 November 2020, in the presence of the Association for the Self-regulation of Commercial Communication (AUTOCONTROL), as well as of the telecom operators Grupo Másmóvil, Orange Espagne, S.A.U., Telefónica, S.A., and Vodafone España, S.A.U., who are all signatories to the code.

More specifically, the revised code of conduct applies to data processing for advertising purposes, including commercial communications. The code also covers promotional activities carried out in order to collect personal data to use it for advertising purposes as well as the use of cookies or equivalent technologies for conducting behavioural advertising or profiling. Moreover AUTOCONTROL will act as an intermediary ‘out of court’ mediation dispute resolution body between citizens and providers in respect to complaints. The AEPD press release (in Spanish) can be read here.


Germany’s position on the Data Act

The German government’s position on the EU’s Data Act was sent last week to the Swedish presidency of the EU Council, which is gathering member state feedback before submitting a new compromise proposal by the end of the month. In particular, and among other points for discussion, Berlin wants more clarity on how the new data law will interact with the GDPR due to perceived “contradictions, overlaps and inconsistencies between the two”. The full article by EURACTIV can be read here.

ICCL – the Irish Civil Liberties Council – investigation reveals that the European Parliament requested for CCTV cameras with facial recognition capability

Does the European Parliament use facial recognition technology? The ICCL obtained 32 documents from the European Parliament about its use of CCTV cameras. They learned that the European Parliament, which opposes facial recognition technology (FRT), had itself tendered for facial recognition capable cameras in 2015. The European Parliament’s tender also required that all Parliament security systems should integrate with software developed by a Dutch company called Nedap, which is partnered with Chinese surveillance firm Hikvision. ICCL’s press release can be read here.

ISO set to adopt privacy-by-design standard

On February 8, the International Organisation for Standardisation (ISO) will adopt privacy by design as ISO 31700. Initially it will not be a conformance standard. The final ISO 31700 standard will contain 30 requirements. This will include general guidance on designing capabilities to enable consumers to enforce their privacy rights, assigning relevant roles and authorities, providing privacy information to consumers, conducting privacy risk assessments, establishing and documenting requirements for privacy controls, how to design privacy controls, lifecycle data management, and preparing for and managing a data breach. This is a “major milestone” for privacy circles. The full article by IT World Canada can be read here.

Musk should not underestimate EU efforts

EU regulators are monitoring Twitter and its compliance with the data protection rules. The consequences of breaching data protection rules cannot be overemphasised warned Věra Jourová, the European Commissioner for Transparency and Democracy. Read EURACTIV article here.

Norton LifeLock says thousands of customer accounts breached

“Thousands of Norton LifeLock customers had their accounts compromised in recent weeks, potentially allowing criminal hackers access to customer password managers, the company revealed in a recent data breach notice.

[…] The company said it found that the intruders had compromised accounts as far back as December 1, close to two weeks before its systems detected a “large volume” of failed logins to customer accounts on December 12.” Read full TechCrunch article here.


Mobile games: the CNIL fined VOODOO 3 million euros

On 29 December 2022, the CNIL imposed a fine of 3 million euros on the company VOODOO, which publishes video games for smartphones, for using an essentially technical identifier for advertising without the user’s consent. A CNIL press release on the decision was published this week and can be found here.

Greek DPA Imposes a fine of 50,000 Euros on Intellexa AE for non-cooperation with the Authority

The Hellenic Data Protection Authority – HDPA – has announced it has imposed a €50,000 fine on Intellexa Α.Ε. for GDPR violations following an investigation. The decision states that the company unreasonably delayed responding to the Authority’s questions and refused to provide information which it indisputably had in its possession, in breach of GDPR Art 31 obligations which require controllers and processors to cooperate with the Authority. The HDPA press release (in Greek) can be read here.