Data Protection Weekly 31/2023

Aug 7, 2023

European Union

EDPB: Adoption of dispute resolution decision on TikTok processing of children’s data

The European Data Protection Board (EDPB) has settled a dispute involving the processing of children’s data by TikTok Technology Limited (TTL). The EDPB’s decision is based on Article 65 of the GDPR, and it addresses objections to the draft decision of the Irish data protection authority (DPA), which was acting as the lead supervisory authority (LSA). The decision is part of an investigation launched in 2021 by the Irish regulator. The LSA’s own-initiative inquiry scrutinised TTL’s processing of personal data of TikTok users aged between 13 and 17, as well as certain issues regarding TTL’s processing of data of children under 13. Key objections included potential infringements of data protection by design and default in relation to age verification, and potential infringement of the principle of fairness linked to certain design practices. The EDPB’s decision seeks to ensure correct and consistent application of the GDPR by national DPAs. The LSA will issue its final decision, influenced by the EDPB’s legal assessment, within one month. The EDPB will publish its decision on its website after the LSA has notified its national decision to the controller. You can read the press release here.

European Commission: Consultation on Digital Markets Act consumer profiling reporting template

The European Commission is seeking public input on a proposed template regarding consumer profiling techniques under the Digital Markets Act (DMA). As stated on the Commission’s website, the consultation is open to all, including potential gatekeepers, consumer interest groups, data experts, authorities, advertisers and auditors. The move comes in response to concerns that gatekeepers are collecting vast amounts of end user data, hindering competition from start-ups and other new entrants. The Commission aims to foster transparency, and ultimately prevent deep consumer profiling from becoming a de facto industry standard. Feedback gathered will help shape the final version of the template. The deadline for submissions is 15 September 2023. You can read the press release here and view the DMA Article 15 report template here.

EDPS: Opinion highlights concerns on compulsory licensing for crisis management

The European Data Protection Supervisor (EDPS) has issued an opinion on the Proposal for a Regulation on compulsory licensing for crisis management. The EDPS calls for the Commission and Member States to ensure that any processing of personal data is necessary, proportionate and is only carried out by competent and designated authorities. Therefore, the EDPS calls for the inclusion of a recital in the proposal that reiterates the applicability of the EUDPR and the GDPR to any processing of personal data under the proposal. They request a clarification under Article 7(5) regarding the publication of personal data, ensuring that it is necessary and justified. It’s also recommended that the Commission only publish decisions on fines, containing the names of persons involved, in exceptional cases and with clear justification. A clear definition of the roles and responsibilities of the Commission and Member States concerning the processing of personal data is also called for. The EDPS emphasises the need to strike a balance between crisis management and the rights to data protection. You can read the full opinion here.

EDPB: Accredia gains clarity on data protection certification and accreditation procedures

In a formal response to Dr. Riva at Accredia, the Italian National Accreditation Body, the European Data Protection Board (EDPB) clarified the procedures and implications of data protection certification under the General Data Protection Regulation (GDPR). The EDPB affirmed its authority to approve the criteria for a European Data Protection Seal without needing the European Commission to adopt an implementing act. This extends to organisations such as the European Centre for Certification and Privacy (ECCP), which can submit certification criteria even without being an accredited body. The EDPB confirmed that the accreditation procedures under Article 43 of the GDPR are performed by the competent authority of the country where the certification body is based. Additionally, the EDPB confirmed that the Europrivacy certification criteria can’t be used for certification outside the scope of Articles 42 and 43 of GDPR but could be reused within a certification mechanism outside the scope of GDPR under certain conditions. You can read the full reply here.

National Authorities

France: CNIL issues an opinion on parental control decrees

The French data protection authority (CNIL) issued an opinion on two decrees implementing the law aimed at strengthening parental control over means of internet access. The CNIL emphasised parental control as a fitting tool to safeguard minors on the internet, urging for its development in a way that also protects their data. CNIL reaffirmed its support for parental control measures, stressing the need to balance access control to inappropriate content and respect for children’s privacy and autonomy. It also advised that parental control tools integrate data protection principles by design and by default, highlighting that the implementation of minimal features should not result in the upward transmission of personal data to servers. You can read the press release here (in French).

Germany: DSK advocates for stricter data processing rules in political advertising

The committee of Independent German Federal and State Data Protection Supervisory Authorities – in abbreviated form “Data Protection Conference” (German abbreviation “DSK”) – recently expressed its support for strict data processing rules for political advertising. This followed concerns about personalised election advertising through targeting and amplification technologies, which pose a risk of misinformation, polarisation, and voter manipulation. The DSK stressed the need for effective data protection measures to maintain free political dialogue. The European Parliament has proposed legislation to strictly limit data-based targeting for political advertising, even with users’ consent. It seeks to ban processing involving special categories of personal data in connection with political advertising services altogether. The DSK endorses these measures and encourages the trilogue parties to ensure that legal measures secure individuals’ free decisions over the processing of their data. You can read the full opinion here.

UK: ICO reviews Meta’s consent-based behavioural advertising plan

The UK data protection authority (ICO) is scrutinising Meta’s decision to seek consent from EU users for behavioural advertising, specifically excluding the UK. This follows related findings by the Court of Justice of the European Union, Irish Data Protection Commission and Norwegian Data Protection Authority. Stephen Almond, ICO Executive Director of Regulatory Risk, confirmed that the ICO is evaluating the implications for the information rights of UK residents and considering an appropriate response. You can read the press release here.

France: CNIL updates DPO accreditation framework

Following a public consultation, the French data protection authority (CNIL) has revised the accreditation framework for the certification of data protection officer (DPO) competencies. Launched two years ago, this voluntary certification scheme allows individuals to certify their DPO skills in accordance with the General Data Protection Regulation (GDPR). The main changes to the certification process include: a change to the accreditation application process, a requirement for certification bodies to hold a specific accreditation for the certification of DPO skills, the possibility for candidates to take certification tests remotely and the removal of the requirement to submit a register of certified individuals to the CNIL. The basic certification requirements for candidates remain the same. You can read the press release here (in French).

Fines

France: CNIL closes injunction issued against Google over cookies consent

The French data protection authority (CNIL) has closed an injunction against Google LLC and Google Ireland Limited, originally issued on 31 December 2021. The injunction was ordered in addition to a €150 million fine, requiring Google to enable users of google.fr and youtube.com in France to reject cookies placed on their devices as easily as they could accept them, within three months. Failure to comply would have resulted in a daily €100,000 fine. Google responded within the time frame by introducing an “Only allow essential cookies” refusal button next to the acceptance button on the aforementioned websites. Thus, CNIL closed the procedure on 13 July 2023. However, this closure does not preclude future CNIL assessments regarding the compliance of the new cookie consent windows with all provisions of Article 82 of the French Data Protection Act. You can read the press release here and the full decision here (in French).

UK: ICO reprimands NHS Lanarkshire over WhatsApp use and data breach

The UK data protection authority (ICO) has reprimanded NHS Lanarkshire for staff’s unauthorised use of WhatsApp to share patient data. Between 2020 and 2022, 26 staff members shared sensitive patient data, including names, contacts, addresses, and clinical information, in a WhatsApp group more than 500 times. An individual outside the staff was mistakenly added to the group, leading to data disclosure to an unauthorised person. The ICO found that NHS Lanarkshire lacked sufficient policies and processes when WhatsApp was introduced. The Commissioner, John Edwards, stressed the need for healthcare providers to maintain data protection standards and recommended that NHS Lanarkshire take measures to comply with data protection law. You can read the press release here and download the full decision here.

UK: ICO issues two reprimands over email data breach incidents

The UK data protection authority (ICO) has reprimanded two Northern Irish organisations, the Patient and Client Council (PCC) and the Executive Office, for inappropriately disclosing personal data via email. The PCC and Executive Office exposed recipient details by employing incorrect group email options. The PCC’s email revealed private information about 15 individuals, while the Executive Office’s e-newsletter, sent to 251 subscribers, revealed sensitive details about victims and survivors associated with the Historical Institutional Abuse Inquiry compensation scheme. ICO’s investigation uncovered that both organisations lacked adequate guidance for staff on sending bulk emails. The Commissioner, John Edwards, highlighted the potential distress and harm that such breaches can cause and recommended that both organisations review their procedures. You can read the press release here, download the PCC’s reprimand here and Executive Office’s reprimand here.

Romania: ANSPDCP fines Med Life SA for DSAR violation

The Romanian data protection authority, ANSPDCP, has concluded an investigation into Med Life SA for violations of the provisions of Articles 12(4) and 15(3) of EU Regulation 2016/679 (GDPR). Consequently, Med Life SA has been fined 9,839.6 lei (equivalent of €2,000). The penalty comes in response to a complaint claiming that the healthcare provider infringed upon an individual’s right of access by refusing to release certain video recordings from the reception of one of its hospitals. Additionally, Med Life SA infringed the GDPR by not providing the complainant with information regarding the possibility of lodging a complaint before the National Supervisory Authority. The ANSPDCP has also imposed a corrective measure on the operator to fulfil the data subject’s requests. You can read the press release here (in Romanian).

Italy: Garante fines a local health authority for displaying patient’s health data

An Italian Local Health Authority (ASL) has been fined €20,000 by the Italian data protection authority (Garante) for the unlawful processing of personal data, following a complaint by a patient who found his name and health data displayed on a billboard. The billboard, located in the main entrance corridor of the emergency room, featured an image of a healthcare worker at a computer, with the patient’s personal information and health service details visible on the screen. Despite the ASL arguing that the data was published due to simple oversight and the billboard was only displayed for a few weeks, the Garante reinforced that disseminating information that could reveal someone’s health status is a GDPR violation. You can read the press release here and the full decision here (both in Italian).