Data Protection Weekly 30/2023

Jul 31, 2023

 European Union

European Commission: Presentation of the future common European tourism data space

The European Commission has unveiled plans for a common European tourism data space, aiming to foster innovation, sustainability, and competitiveness within the EU tourism industry. The data space will facilitate sharing data from various sources, including businesses, local authorities, and academia, to shape the key features of the data space. It will promote access to a wide range of users, such as business intermediaries, destination managers, and tourism service providers, helping them to create, improve and personalise services and support decision-making for sustainable tourism offerings. The framework for the data space will be based on existing EU and national legislation, ensuring trustworthiness and efficiency. The initiative also emphasises interoperability with other sectoral data spaces with clear connections to the tourism experience. The Commission aims to finalise the blueprint for the data space by the end of 2023 through Coordination and Support Actions under the Digital Europe Programme. You can read the press release here.

National Authorities

France: CNIL launches call for projects on artificial intelligence in public services

The French data protection authority (CNIL) has announced the third edition of its “sandbox” initiative, targeting artificial intelligence (AI) applications in public services. The “sandbox” is not a regulatory relief but a device for providing support to organisations dealing with new issues concerning personal data regulations, especially those relevant to their AI projects. With a direct focus on improving the quality of public service delivery, selected projects will receive comprehensive guidance from CNIL teams during the early stages of their development. CNIL’s goal is to build appropriate regulations in concert with relevant stakeholders, fostering trust in these new AI applications. Interested organisations can apply for the initiative until 30 September 2023. You can read the press release here.

Norway: Datatilsynet issues guidance for analytical and tracking tools in compliance with GDPR

The Norwegian data protection authority (Datatilsynet) published guidance concerning the use of tracking and analytics tools on websites. The guidance highlights a comprehensive approach towards GDPR compliance, emphasising data minimisation, valid user consent, and the prohibition of unauthorised third-party usage of personal data. It also stresses the importance of transparency and respect for user rights, particularly in relation to sites handling sensitive data. The guidelines voice particular concern over misuse of invasive tracking tools on public websites and illegal data transfers to non-EU/EEA countries. Datatilsynet’s guidance provides a robust framework for legal and ethical digital tracking and analysis. You cand read the full guidance here (in Norwegian).

Spain: AEPD publishes blog post on Digital Citizen’s Folder as transparency tool for public administrations

The Spanish data protection authority (AEPD) recently drew attention to the Digital Citizens’ Folder in a blog post. Developed by the General Secretariat for Digital Administration, this online platform serves as a centralised access point, enabling citizens to identify their data held by various public entities. The AEPD emphasised that the initiative simplifies the exercise of citizens’ right of access to their data, in line with article 28(2) of Law 39/2015. This law underscores the citizen’s right not to provide data already in the possession of Public Administrations. Additionally, the platform includes a “Transparency” section, further enhancing transparency in public administrations. Future enhancements to the platform are anticipated in late 2023 and 2024. You can read the full blog post here.

UK: ICO raises concerns over banks sharing personal data with media

Information Commissioner John Edwards has expressed concern over the recent incident in which NatWest Bank leaked personal financial information about Nigel Farage to the BBC. Underlining the importance of confidentiality, Mr Edwards stressed that banks are trusted custodians not only of customer’s money but also of their personal information. He reminded them that any breach of trust could lead to concern among customers and regulators alike. He also reminded banks of their data protection obligations in response to allegations that they collect too much customer information, and stressed the importance of data accuracy and minimisation. The Commissioner added that the ICO is coordinating with the HM Treasury and the Financial Conduct Authority to ensure compliance. You can read the statement here.


PICCASO: Privacy Awards Europe Shortlist for 2023 Revealed

Following on from the success of the inaugural PICCASO Privacy Award awards in 2022, the awards are making a grand return in 2023, and growing to include nominations from all across Europe. The PICCASO Privacy Awards Europe is delighted to announce its cohort of shortlisted individuals, teams, initiatives, and organisations for 2023. Shortlisted categories include the Best Privacy Programme Award, Best Privacy Culture Improvement Award, Most Impactful Privacy Product, and numerous others, making up a total of 19 categories. With over 150 finalists competing, the stage is set for an exciting and highly competitive event. Winners will be announced on 8 November 2023 at the awards ceremony at ‘The Brewery’ venue, in London. For more information on the shortlisted finalists, please see the press release here.

Amazon: Biometric payment expansion raises surveillance and privacy concerns

Amazon has announced plans to expand the use of its Amazon One palm-scanning payments technology to all Whole Foods stores by the end of 2023. The technology, which was first introduced in Amazon Go “cashierless” stores, links biometric data to a saved credit card, enabling users to pay for purchases quickly and without a physical card. Beyond payments, Amazon One can also be used for identification, age verification, and accessing venues and buildings. However, privacy advocates have raised concerns about potential surveillance and identity theft risks. Amazon faces a class action lawsuit for allegedly not providing adequate notice under New York City’s biometric surveillance law. You can read the full article here, the full cited class action here, and amazon’s press release here.

Ryanair: noyb launches complaint over facial recognition verification process

Ryanair, Europe’s leading airline, is subject to a complaint by digital rights group, noyb, regarding the use of a facial recognition system for customers booking flights through online travel agencies. This “verification process”, not needed for direct bookings, has sparked data protection concerns. The system is handled by an external firm, GetID, which manages sensitive customer biometric data. Ryanair maintains that customer consent justifies their facial recognition use. However, noyb suggests that Ryanair doesn’t provide comprehensible information for valid consent, potentially making it non-compliant under the GDPR. In light of the complaint, the Spanish AEPD could impose a fine up to €192 million on Ryanair, based on its 2022 turnover, as noted by noyb. You can read noyb’s press release here.

Apple: French competition authority launches investigation over mobile ad practices

The French competition authority (the authority), has lodged a complaint against Apple for potentially abusing its dominant position in non-transparent and discriminatory practices involving user data for mobile app advertising. These practices may influence several related markets of advertising and consumer services. However, the initiation of this process does not imply Apple’s guilt; a full procedure respecting the company’s defense rights will follow, determining the complaint’s validity after written observations and an oral hearing session. On 23 October 2020, the authority received a request for interim measures from various associations representing online advertisers. It called for mandatory implementation of the App Tracking Transparency (ATT) prompt for iOS apps to regulate data linking across apps and websites for ad targeting and measurement. The request was rejected in decision 21-D-07, but the authority specified that it would continue the investigation. The authority has made no further comments. You can read the press release here.


Italy: Garante fines newspaper €40,000 for intrusive home photography

The Italian data protection authority (Garante) has imposed a €40,000 fine on RCS Mediagroup S.p.a. for publishing intrusive photos of a public figure’s private life within his residence. Captured from a car parked outside, these photos were found to breach the principles of fair data collection and transparency. The newspaper’s justification of the subject’s willingness to be in the media spotlight was rejected as grounds for collecting and using such data and images, particularly in personal spaces like a home. The newspaper’s objective to break a story on a love affair didn’t justify infringing on the individual’s right to privacy, despite their public status. The Garante has also banned any further publication of these photos. You can read the press release here and the full decision here (both in Italian).

Italy: Garante fines Thin SRL €15,000 for unlawful health data processing

The Italian data protection authority (Garante) has imposed a €15,000 fine on Thin SRL, for unlawfully processing health data from thousands of patients gathered from approximately 7,000 general practitioners (GPs). The company was involved in an international project aimed at improving patient care by collecting and analysing health data. The Garante’s investigation found that the data anonymisation add-on used in the “Medico 2000” management system failed to effectively anonymise patient information, leading to a violation of the principles of lawfulness and transparency. The Garante also criticised the incorrect classification of GPs as data controllers. The authority has warned all doctors that using the “Medico 2000” management add-on, as currently configured, is a violation of patients’ privacy. You can read the press release here and the full decision here (both in Italian).

Italy: Garante fines Ew Business Machines €20,000 for excessive employee surveillance

The Italian data protection authority (Garante) has imposed a €20,000 fine on Ew Business Machines SpA for breach of the Italian labour law and data protection law. The company installed an alarm system based on fingerprints, a video surveillance system capable of capturing both visuals and sound, and an application to geolocate employees, all without adequate employee notification or necessary legal procedures as per the Italian labour law. The video surveillance system and geolocation app were used to improperly monitor employees, a wrongful practice. Moreover, the alarm system processed the biometric data of 21 individuals, including employees. Biometric data processing is usually prohibited, except under specific circumstances not applicable in this case. The Garante has not only levied the fine, but also ordered a cessation of data processing collected through these means. You can read the press release here and the full decision here (both in Italian).

Poland: UODO issues fines for non-cooperation in GDPR enforcement

The Polish data protection authority (UODO) has imposed fines on several entities for inadequate cooperation in GDPR enforcement. This encompasses denial of access to personal data and other necessary information, obstructing UODO’s duties. For effective enforcement of the General Data Protection Regulation (GDPR), UODO reminds that it must exercise its powers, including obtaining access to all personal data and necessary information from data controllers and processors. Moreover, it should have access to all facilities of data controllers and processors, along with their data processing equipment. Obstructing these rights complicates UODO’s tasks and could potentially infringe citizens’ data protection rights. Instances of non-cooperation highlighted by UODO include delayed responses to its correspondence and refusal to supply crucial information, thereby unnecessarily extending proceedings. UODO asserts that it must use appropriate legal tools, such as administrative fines for non-cooperation, in the face of such obstructions. UODO emphasises these penalties aim to foster better cooperation with the authority, rather than merely being punitive. You can read the press release here (in Polish)