Data Protection Weekly 3/2024

Jan 22, 2024

European Union

EDPB: Adoption of a report on the findings of its second coordinated enforcement action on DPOs

The European Data Protection Board (EDPB) adopted a report detailing the outcomes of its second coordinated enforcement action, focusing on Data Protection Officers (DPOs). This EU-wide investigation highlighted the challenges DPOs face and proposed recommendations for improvement. Anu Talus, EDPB Chair, emphasised the importance of DPOs in ensuring data protection law compliance and protecting data subject rights. The investigation involved 25 Data Protection Authorities across the European Economic Area, garnering over 17,000 responses from various organisations and DPOs. Although many DPOs reported having adequate skills, knowledge, and independence, issues such as insufficient resources, a lack of designation, or a lack of high-level reporting were noted. The report suggests that DPAs increase awareness-raising activities, and that organisations provide DPOs with more opportunities and resources to stay updated on data protection developments. You can read the press release here and download the full report here.

CJEU: A parliamentary committee of inquiry must in principle comply with the GDPR

The European Court of Justice (ECJ) ruled in Case C-33/22 that parliamentary committees of inquiry must generally comply with the General Data Protection Regulation (GDPR). This case arose when an Austrian parliamentary committee, investigating political influence over the Austrian Federal Office for the Protection of the Constitution and Counterterrorism, published hearing minutes with a witness’s full name, despite his anonymisation request. The witness, an undercover investigator, complained to the Austrian data protection authority, which rejected his complaint citing the separation of powers. The Austrian Supreme Administrative Court sought clarification from the ECJ on whether such committees are subject to GDPR and monitoring by the data protection authority. The ECJ affirmed that, unless a committee’s activity directly relates to national security, it is in principle subject to GDPR. The ECJ also established that the Austrian data protection authority is responsible for ensuring GDPR compliance by such committees, underscoring the primacy of EU law over national constitutional law. You can read the press release here and the full decision here.

EDPB: Publication of OSS case digest on Security of Processing and Data Breach Notification

The European Data Protection Board (EDPB) has released a thematic one-stop-shop case digest, focusing on Security of Processing (Article 32 of the GDPR) and Data Breach Notification (Articles 33 & 34 of the GDPR). This publication provides insights into how data protection authorities (DPAs) have interpreted and applied these GDPR provisions in various scenarios, including hacking, ransomware, and accidental data disclosures. The digest compiles decisions made by DPAs since the GDPR came into force, offering a comprehensive analysis of security incidents and the adequacy of corresponding security measures. This resource is beneficial for organisations, both controllers and processors, in evaluating their security measures, pre- and post-data breach. It represents the second instalment of the EDPB’s case digests series, produced as part of the EDPB Support Pool of Experts initiative, aimed at enhancing DPAs’ supervisory and enforcement capacities. You can read the press release here and download the OSS case digest here.

EDPS: Publication of the results of the coordinated enforcement action on DPOs

The European Data Protection Supervisor (EDPS) has published the outcomes of a survey conducted as part of the European Data Protection Board’s (EDPB) Coordinated Enforcement Action. This survey assessed the role, responsibilities, and tasks of data protection officers (DPOs) within EU institutions, bodies, offices, and agencies (EUIs). The results indicate a high level of compliance and awareness in EUIs regarding the advice of DPOs. Launched in March 2023, the survey forms part of a broader initiative to ensure adherence to EU data protection law, specifically Regulation (EU) 2018/1725. The survey revealed that DPOs significantly impact their organisations, demonstrating high expertise and professionalisation in their roles. However, the EDPS noted that DPOs often lack the necessary time and resources to perform their duties optimally. The findings will guide the EDPS in strengthening the role and independence of DPOs in collaboration with the network of EUIs’ DPOs. You can read the press release here and download the full report here.

EDPS: Celebrating 20 years of advancing data protection

As it marks its 20th anniversary, the European Data Protection Supervisor (EDPS) reflects on two decades of significant contributions to privacy and data protection. Established on 17 January 2004, the EDPS has played a crucial role in the evolving digital landscape of the European Union. Across four mandates, the EDPS has been instrumental in shaping the approach to data protection, with initiatives ranging from upholding privacy within EU institutions to influencing global data protection standards, particularly with the General Data Protection Regulation and Regulation (EU) 2018/1725. The current focus is on fostering a safer digital future, especially for the vulnerable. The anniversary celebrations encompass four pillars: a comprehensive book and timeline of the EDPS’s impact, a series of talks with worldwide experts, initiatives to reinforce individual rights, and the upcoming European Data Protection Summit on 20 June 2024. These initiatives are geared towards equipping the EDPS for future challenges in data protection and privacy. You can read the full article here and visit EDPS’ 20th Anniversary website here.

National Authorities

UK: ICO launches consultation on generative AI

The UK data protection authority (ICO) has launched a consultation series on generative Artificial Intelligence (AI) examining how aspects of data protection law should apply to the development and use of the technology. The first consultation examines the lawfulness of training generative AI models with personal data obtained from the web. This consultation process invites input from a diverse group of stakeholders, including AI developers, legal advisors, civil society groups, and other public bodies interested in generative AI. The aim is to provide clear guidance for the industry and ensure the responsible use of AI while protecting individual information rights. This initial consultation is open until 1 March 2024. Subsequent consultations planned for the first half of 2024 will delve into issues like the accuracy of AI-generated outputs. You can read the press release here.

Italy: Garante calls for more protection of video-recorded legal proceedings

The Italian data protection authority (Garante) has recommended increased confidentiality measures for legal proceedings documented in audiovisual forms, such as suspect interrogations. This comes in response to the Cartabia reform’s expanded use of audiovisual recording in criminal processes. While supportive of the legislative decree’s alignment with data protection laws, the Garante suggests an additional rule to regulate the public access of such recordings. The aim is to find a balance between the need for public transparency, the privacy rights of individuals involved, and the principle of data minimisation as per EU regulations. Acknowledging the significant impact of audiovisual documentation on personal data processing, the Garante also expresses readiness to assist in the formulation of this new regulatory framework. You can read the press release here (in Italian).

Italy: Garante gives favourable opinion on new regulations for body donations to science

The Italian data protection authority (Garante) has endorsed a decree for electronically processing consent for the post-mortem donation of bodies and tissues for research and education. This measure, initiated by the Ministry of Health, includes a specific section within the advance healthcare directives (DAT) database for storing donor consents. Local health authorities (Asl) are tasked with electronically submitting these consents, which should detail donor information, trustee and substitute nominations, parental consents for minors, and any revocations. Donors can express their consent through various means, including public deeds, authenticated private writings, or personal submission to civil status offices or healthcare facilities. In cases of disability, video recordings or special devices can be used. The Asl is responsible for storing and transferring these records to the DAT database. The Ministry of Health is permitted to share this data only in an anonymised, aggregated form and must delete it ten years after the donor’s death or when a minor donor turns 18. You can read the press release here (in Italian).

Global

IAB Europe raises concerns over GDPR procedural regulation draft

IAB Europe, representing digital marketing and advertising sectors, has conveyed significant apprehensions to the European Parliament about the draft report on GDPR procedural regulation by the LIBE Committee. The association argues that the draft, in its current form, deviates from its goal of harmonising procedural rules, potentially affecting the fairness and consistency of the GDPR cross-border complaints process. IAB Europe’s letter outlines six recommendations: maintaining the administrative nature of cross-border complaints, adhering to the GDPR governance model, enabling early resolution, ensuring confidentiality of business information, harmonising the defendant’s right to be heard, and incorporating flexible time limits for the defendant’s views. They emphasise that addressing these concerns is crucial for a fair, predictable, and efficient resolution process in cross-border GDPR cases. You can read the full article here.

Sanctions

France: CNIL fines Yahoo! €10 million for cookies consent violation

On 29 December 2023, the French data protection authority (CNIL) imposed a €10 million fine on Yahoo EMEA Limited for breaches in cookie consent practices on its “Yahoo.com” site and “Yahoo! Mail” service. The CNIL’s investigation, prompted by 27 complaints, revealed that Yahoo failed to respect users’ refusal of cookies and made it difficult to withdraw consent. Specifically, Yahoo.com deposited advertising cookies without explicit user consent, and Yahoo! Mail linked access to its services with consent to cookies, making it hard for users to withdraw consent without losing access to their email services. The CNIL stressed the importance of consent being freely given, without repercussions for the user. This case falls under the CNIL’s jurisdiction as per the “ePrivacy” Directive, transposed in Article 82 of the French Data Protection Act. You can read the press release here and the full decision here (in French).

Netherlands: AP fines ICS €150,000 for failure to conduct a DPIA

The Dutch data protection authority (AP) has fined International Card Services B.V. (ICS) €150,000 for failing to conduct a mandatory Data Protection Impact Assessment (DPIA) before processing personal data of about 1.5 million customers. This DPIA is essential for identifying potential privacy risks in data processing activities. ICS’s omission occurred during their 2019 initiative to digitally identify customers in the Netherlands, involving the collection of data such as names, addresses, and notably, customer photos for identity verification. While financial institutions are required to verify customer identities, they must also rigorously adhere to data protection laws, including conducting DPIAs. This step is vital for mitigating risks such as identity fraud, ensuring that personal data is handled responsibly. You can read the press release here (in Dutch).

Spain: AEPD fines the Eurocollege Oxford English Institute SL for GDPR infringements

The Spanish data protection authority (AEPD) has imposed a total fine of €72,000 on Eurocollege Oxford English Institute SL for multiple GDPR infringements. This action stemmed from a complaint about the mandatory provision of personal data, including health and criminal records, for cabin crew training access. The case was initially against Centro de Estudios Aeronáuticos, SL, which was later absorbed by Eurocollege Oxford English Institute SL. The infringements included the unlawful request of health data and criminal certificates, and excessive data collection, violating Articles 5, 6, and 9 of the GDPR. The fines were reduced by 20% after voluntary payment by the controller, concluding the proceedings under Spanish national procedural law. You can read the press release here and the full decision here (in Spanish).

UK: ICO fines financial services company for sending spam text messages

The UK data protection authority (ICO) has imposed a £50,000 fine on LADH Limited, a financial services company, for sending over 31,000 unsolicited text messages in violation of the Privacy and Electronic Communications Regulations (PECR). Most of these messages, sent over six weeks from March to April 2022, lacked an option for recipients to opt out, which is also unlawful. The ICO’s investigation followed 106 complaints to Mobile UK’s Spam Reporting Service. Although LADH Limited claimed to have received verbal assurance from a third party that recipients had consented to be contacted, there was no written evidence to support this, leading the ICO to determine that valid consent had not been obtained. This enforcement action underscores the ICO’s commitment to protecting individuals from unsolicited marketing and highlights the necessity for companies to obtain valid consent for direct marketing communications. The ICO also encourages people to report spam messages to Mobile UK’s Spam Reporting Service. You can read the press release here.

Hungary: NAIH orders airline company to erase personal data and imposes fine

The Hungarian data protection authority (NAIH) issued a decision against an airline company for GDPR infringements, stemming from a customer’s complaint initially filed with the Polish Supervisory Authority. The complaint involved the airline’s failure to timely inform the customer of her data erasure request, made in October 2018. NAIH, serving as the Lead Supervisory Authority under the One-Stop-Shop mechanism, identified breaches of GDPR Articles 5(1)(a), 12(3), and 17(1)(a). These breaches included inadequate transparency and a flawed approach to processing data during legal procedures. As a result, NAIH imposed a fine of approximately €13,244 on the airline, underscoring the necessity for companies to adhere strictly to GDPR mandates, especially regarding the prompt and transparent handling of data subject requests. You can read the press release here and the full decision can be found here (in Hungarian).

Iceland: Íþrótta- og sýningahöllin hf. fined 3,500,000 ISK for the use of video surveillance

The Icelandic Supervisory Authority (SA) has imposed a fine of approximately €23,820 (3,500,000 ISK) on Íþrótta- og sýningahöllin hf., a Reykjavík-based sports and entertainment venue, for non-compliance with data protection laws in its use of video surveillance. This decision followed an investigation initiated in July 2021 after media reports of surveillance cameras in areas where teenagers were sleeping and changing during a sports tournament. The SA’s field inspection revealed about 50 cameras in the facility, excluding bathrooms and changing rooms. The investigation found insufficient signage and information about the data controller, a lack of transparency in processing personal data, and failure to demonstrate lawful processing under Article 6. The SA highlighted specific concerns about surveillance in areas where children were present and during a mass COVID-19 vaccination event. The venue was ordered to cease all surveillance unless it can demonstrate that its interests outweigh the privacy rights of individuals, and to provide adequate information to data subjects in line with Article 13. You can read the press release here and the full decision here (in Icelandic).