Data Protection Weekly 33/2023

Aug 21, 2023

National Authorities

Belgium: APD discontinues processing of several older cases

The Belgian data protection authority (APD) has made a strategic decision to cease the processing of 389 older cases, mainly due to the lack of progress for over a year and because the circumstances of these cases are not particularly urgent or socially relevant. In 2022, the APD’s Litigation Chamber received 604 complaints but could only adopt 189 decisions, leading to a significant backlog. The decision to dismiss was made with transparency, and each complainant was informed of their rights, including the option to refile a complaint. The APD emphasised the exceptional nature of this decision, and it will be implementing additional measures to avoid future backlogs, such as focusing on early decision-making, legal settlements, general prevention, and mediation. You can read the full decision here (in French).

Croatia: AZOP requests Greek supervisory authority to act on personal data exposure of Croatian citizens

The Croatian personal data protection authority (AZOP) has initiated action with the Greek supervisory body after learning of an incident where personal information of Croatian citizens suspected of committing criminal acts or offenses in Greece was published on a Greek portal. The exposed information includes names, birth years, document numbers, and parents’ names. Since the portal operates in Greece, the AZOP has made the request in accordance with the General Data Protection Regulation (GDPR), calling upon the Greek supervisory body to take further action against the data controller (the Greek portal) to determine if there was compliance with GDPR. You can read the press release here (in Croatian).

Estonia: Information System Authority begins publishing monthly cyber assessments

Starting from July 2023, the Estonian information system authority (Riigi Infosüsteemi Amet) has begun to publish monthly summaries of cyberspace assessments in English. The first summary highlights not only the 269 incidents recorded in July, which include denial of service attacks and phishing sites, but also details efforts made to counter these threats. Specifically, the summary reports a cyber awareness campaign, a 10-part radio series called “Ohtlik klikk” (A Dangerous Click), and the impact of cyber events such as the NATO summit. By combining incident details with awareness efforts, the summary provides a comprehensive overview of the cybersecurity landscape in Estonia. You can find the cyberspace assessments here and download the July monthly summary here.

Italy: Garante launches investigation into personal data dissemination at a villa party in Turin

Italy’s data protection authority (Garante) has launched an investigation into the potential mishandling of personal data following a party at a villa in Turin. During the event, a well-known professional allegedly revealed private details about his ex-partner and third parties. The inquiry aims to determine responsibilities related to the violation of privacy laws, especially assessing the legal basis of those who distributed the data and content, including through videos. The Garante has also urged social media users and the media to respect personal privacy, particularly concerning sensitive information that might significantly impact the individuals involved, their reputation, and emotional well-being. You can read the press release here.

Netherlands: AP raises concerns over alcoholmeter’s reliability in legislative proposal

The Dutch data protection authority (AP) has raised objections to a proposed Dutch law involving the use of an alcoholmeter for individuals with an alcohol ban. The concerns lie in the device’s reliability, with more than 1 in 10 test subjects reporting false-positive results for alcohol consumption. If the uncertainty regarding the device’s accuracy is not resolved, the AP suggests that the legislative proposal should not proceed. The law would enforce wearing the alcoholmeter, an anklet that measures alcohol consumption through sweat on the skin. Doubts about the exact information the alcoholmeter records, such as whether it measures only the presence or the exact amount of alcohol, also need clarification in the proposed legislation. You can read the press release here and the full opinion here (both in Dutch).

UK: ICO investigates data breach at Norfolk and Suffolk Constabularies

The UK data protection authority (ICO) is currently investigating a data breach announced by Norfolk and Suffolk Constabularies. The breach pertains to responses for Freedom of Information (FOI) requests for crime statistics, issued between April 2021 and March 2022. Deputy Commissioner at the ICO, Stephen Bonner, emphasised the importance of robust measures to protect personal information, especially sensitive data. The ICO is also investigating a separate breach reported in November 2022, while continuing to support organisations in data protection efforts. Concerned individuals can seek advice on handling their information from the ICO’s website. You can read the full statement here.

UK: ICO launches public consultation on the draft biometric data guidance

The UK data protection authority (ICO) has initiated the first phase of public consultation on its draft guidance regarding biometric data and biometric technologies. This guidance explains the application of data protection law when utilising biometric data in biometric recognition systems. The consultation period will run from 18 August to 20 October 2023. A second phase, focusing on biometric classification and data protection, will follow, including a call for evidence early next year. You can read the press release here and respond to the consultation here.


UN: High-Level Advisory Body on AI: Call for Nominations and Papers

The UN Secretariat has announced the formation of the High-level Advisory Body on Artificial Intelligence (AI), an initiative initially proposed in 2020. In the process of assembling this representative body, which aims to analyse and propose recommendations for international AI governance, a public call has been made for nominations of experts. Nominees should possess leading expertise in AI governance or related domains and may come from government, industry, civil society, or academia. The nomination window will close on 31 August 2023. Additionally, a call for short papers on Global AI Governance themes has been issued, and interested parties can submit their papers until 30 September. You can read the full article here.

US: CFTC fines four financial institutions $260 million for recordkeeping and supervision failures

The Commodity Futures Trading Commission (CFTC) has ordered four financial institutions to pay a combined $260 million for failing to comply with recordkeeping requirements and supervise business matters diligently as CFTC registrants. The penalties have been levied against BNP Paribas ($75 million), Société Générale ($75 million), Wells Fargo ($75 million), and Bank of Montreal ($35 million). The orders detail how the institutions failed to prevent their employees from using unapproved communication methods like personal text or WhatsApp for business-related conversations, which violated both internal policies and CFTC requirements. These actions take the CFTC’s total penalties for similar violations since December 2021 to over $1 billion across 18 financial institutions. Director of Enforcement Ian McGinley emphasised that non-compliance with core regulatory obligations would have severe consequences. You can read the press release here.

noyb publishes analysis of its 101 privacy complaints lodged with data protection authorities

Privacy advocacy group noyb has argued in a new analysis that EU-US data transfers have been illegal for the past 23 years. The Court of Justice of the European Union invalidated the data transfer agreements “Safe Harbor” and “Privacy Shield” in 2015 and 2020, and according to noyb, this means that almost all transfers since 2000 have been unlawful. The organisation claims that EU companies have continued to use services such as Google Analytics and tracking tools by Meta, despite the rulings. noyb’s report further contends that the situation has been exacerbated by inactive data protection authorities and new void deals by the European Commission. Out of 101 complaints filed, only two fines have been issued, underscoring what noyb believes to be a lack of enforcement and a collapse of the rule of law in this area. You can read the press release here.


Czech Republic: UOOU fines website operators for GDPR violations via cookies

The Czech Republic data protection authority (UOOU) has imposed fines totalling CZK 4,443,000 (equivalent to €185,100) for GDPR violations related to the processing of personal data through cookies. Of this amount, penalties amounting to CZK 1,640,000 (equivalent to €68,3440) have become legally binding. The highest fine of CZK 898,000 (equivalent to €37,420) was imposed on a company specialising in electronic communications, primarily for uploading cookies without visitor consent for marketing purposes. After a transitional period, the UOOU focused on compliance with the new amendment to the law on electronic communications, which became effective on January 1, 2022. The UOOU sees these penalties primarily as motivational and warning tools, as the processing of personal data through cookies affects a large number of people. You can read the press release here (in Czech).