Data Protection Weekly 34/2023

Aug 28, 2023

European Union

European Commission: Digital Services Act comes into force in the EU

On 25 August 2023, the Digital Services Act (DSA) came into force. Aimed at bringing European values into the digital realm, the DSA introduces stringent rules around transparency and accountability for large online platforms. Key provisions include clear labelling of online advertisements and an outright ban on ads that target minors based on profiling. The act is part of the EU’s broader efforts to make the online world safer while protecting citizens’ fundamental rights. For more information about the DSA, you can read the European Commission’s Q&A here.

EDPS: Publication of opinions on financial data access and payment services

The European Data Protection Supervisor (EDPS) released two Opinions on 23 August 2023, focusing on the proposal for a Regulation on a Financial Data Access Framework and a Regulation and Directive on payment services within the EU. Both proposals are designed to enable broader financial services offerings while ensuring individuals and organisations have control over their financial data. The EDPS emphasised that complete, accurate, and transparent information should be provided when financial institutions request data access. The Opinions also clarified that granting “permissions” for data access should not be mistaken for consent under the GDPR. Furthermore, EDPS Wojciech Wiewiórowski highlighted the necessity for financial and data protection authorities to work closely to safeguard individuals’ rights, especially given the highly sensitive nature of the data that could be shared. The EDPS also recommended specific guidelines and limitations to protect personal data in the financial sector. You can read the full press release here, download the opinion on financial data here and the opinion on payment services here.

ENISA: Upcoming conference on Data spaces in EU in collaboration with AEPD

The European Union Agency for Cybersecurity (ENISA), in collaboration with the Spanish data protection authority (AEPD), has announced an upcoming conference titled “DATA SPACES IN EU: Synergies between data protection and data spaces, EU challenges and experiences of Spain”. Scheduled for 2 October 2023 in Madrid, the event will also offer online participation. This conference aims to bring together experts, industry, academia and public administration, providing a platform to deliberate on the nuances of the European Union’s data strategy. Special emphasis will be placed on both the EU’s and Spain’s experiences. Topics on the agenda include the challenges in implementing the GDPR in EU Data Spaces, insights from current EU Data Spaces initiatives, the interplay between Union law and policies in data sharing, and the importance of engineering data protection by design. While in-person attendance is invitation-only, remote access will be facilitated. You can read the full announcement here.

National Authorities

Germany: DSK issued an opinion on health data law

The committee of Independent German Federal and State Data Protection Supervisory Authorities, known in abbreviated form as the “Data Protection Conference” (German abbreviation “DSK”), has released an opinion on the draft law aimed at improving the use of health data. The DSK expresses concerns about the draft law’s approach to privacy and data protection, calling for additional regulations to ensure a balanced approach between research interests and individual privacy. The DSK also recommends that the draft law be amended to address these concerns. You can read the full opinion here (in German).

Spain: Establishment of the first European agency for AI supervision

The Spanish Council of Ministers approved a Royal Decree that officially establishes the statutes of the Spanish Agency for the Supervision of Artificial Intelligence (AESIA). This action comes two years after the agency’s initial announcement. This new body is a collaborative effort between the Ministry of Finance and the Ministry of Economic Affairs and Digital Transformation. AESIA is part of Spain’s broader digital transformation strategy, aligning with the Agenda Digital 2026 and the National Strategy for Artificial Intelligence (ENIA). These strategies aim to develop AI that is “inclusive, sustainable, and citizen-centric.” AESIA will be overseen by the Ministry of Economic Affairs and Digital Transformation through the State Secretariat for Digitalisation and Artificial Intelligence. With this move, Spain becomes the first European country to create such an agency, preemptively meeting requirements from an upcoming European Regulation on AI that mandates member states to establish a ‘national supervisory authority’ for AI compliance. You can read the official statement here (in Spanish).

Data protection authorities unite against data scraping

On 24 August 2023, 12 national data protection authorities, including those from the UK, Norway, and Switzerland, issued a joint statement to social media platform operators on protection against data scraping. Data scraping is the automated extraction of data from the internet, which can lead to potential data breaches. The statement calls for social media companies and website operators to take measures to protect personal data against data scraping. The joint statement also includes precautions that individuals can take to minimise the risk, and it requires operators to actively inform customers about protection against data scraping. You can read the press release here and the full statement here.

UK: ICO launches a call for evidence on unwanted employee contact and customer experience

The UK data protection authority (ICO) has launched a call for evidence to combat the illegal behaviour of “text pests” — individuals who misuse personal information for romantic or sexual advances. Research commissioned by the ICO revealed that 29% of 18-34-year-olds had experienced unwanted contact after providing their personal information for business purposes. The study also found widespread disapproval, with 66% of the public believing this use of personal information to be morally wrong. The ICO is actively contacting major customer-facing employers to underline legal obligations and gather evidence of the impact of this illegal behaviour. The call for evidence will remain open until 15 September 2023. You can read the full article here.

Norway: Datatilsynet publishes new guidance on electronic monitoring of employees

The Norwegian data protection authority (Datatilsynet) has released new guidance outlining the legal boundaries for employers monitoring their employees’ use of electronic equipment. The guidance clarifies that, as a rule, such surveillance is prohibited in Norway. Exceptions exist for purposes like administering the company’s data network or identifying and resolving security breaches. The guide aims to assist employers in understanding what kinds of monitoring are legally permissible and to inform employees about their rights. Section Chief Ylva Marrable encourages both employers and employees to provide feedback on the guidelines, as input will be considered for future revisions. Feedback can be sent until November 31, 2023, although individual responses will not be provided. You can read the press release here, and the full guide here (both in Norwegian).

Poland: UODO releases a guide on personal data protection in election campaigns

The Polish data protection authority (UODO) released a guide titled “Protection of personal data in election campaigns.” Jan Nowak, President of UODO, emphasised the significance of upholding privacy rights both in the lead-up to and during elections. Election committees and other entities involved must adhere not only to election regulations but also to data protection rules. The guide, an updated version of the September 2018 publication, elaborates on the legal acts governing elections, principles of data processing during elections, duties of controllers and election committees, and the rights of voters and others whose data is processed. Additionally, readers can find tips on reporting data protection violations, appointing a data protection officer (IOD), and answers to frequently asked questions. You can read the press release and download the full guide here (both in Polish).

Global

G20: Digital ministers discuss digital innovation and inclusion

On 19 August 2023, digital ministers from the G20 nations gathered in Bangalore, India, to address digital innovation, inclusion, and security. The meeting, organised under India’s G20 presidency, identified three primary areas for discussion: Digital Public Infrastructure (DPI) for innovation and inclusion, building a secure and resilient digital economy, and digital skilling for a future-ready global workforce. Among other points, the joint declaration acknowledged the importance of a “human-centric approach that protects privacy and data,” reflecting its relevance in the context of digitalisation. This meeting sets the stage for the broader G20 Leaders’ Summit, which is scheduled for 9-10 September 2023 in New Delhi. You can read the press release here and the full declaration here.

DuoLingo investigates data scraping of 2.6 million accounts

Language learning platform DuoLingo has announced an investigation into a dark web post offering data from 2.6 million of its customer accounts for $1,500. A company spokesperson stated that the data, which includes emails, phone numbers, and courses taken, was not obtained through a hack but was scraped from publicly available profiles. The hacker claimed to have used an exposed application programming interface (API) to gather the data. The incident adds to growing concerns over data scraping, a technique that has seen a 240% year-over-year increase according to Human Security. DuoLingo emphasises that it takes data privacy seriously and is looking into further actions to protect its user base. You can read the full article here.

Sanctions

Ireland: DPC reprimands Airbnb over identity verification methods

The Irish data protection authority (DPC) has issued a decision against Airbnb Ireland UC (Airbnb) regarding its identity verification methods. The probe began on 4 March 2022, following a complaint where Airbnb had allegedly unlawfully requested a user’s ID for verification purposes, a procedure that the user contended violated principles of data minimisation and transparency. The decision identified infringements of Article 5(1)(c) and Article 5(1)(e) of the General Data Protection Regulation (GDPR), indicating that Airbnb’s retention practices post-verification contravened data minimisation and storage limitation principles. Consequently, the DPC has reprimanded Airbnb and issued orders including the deletion of specific ID documents from their systems and revising their internal identity verification policies. Notably, the DPC’s decision stands as no objections were raised during the statutory cooperation period with other supervisory authorities. You can read the press release here and the full decision here.

Romania: ANSPDCP fines Uipath SRL €70,000 for data breach

The Romanian data protection authority (ANSPDCP) has fined Uipath SRL 346,598 lei (equivalent to €70,000) for violating Articles 25 and 32 of the GDPR. The investigation, prompted by Uipath’s reported breach, revealed inadequate protection measures, leading to the unauthorised exposure of around 600,000 users’ personal details from the Academy Platform on a public website. The breach lasted around 10 days. As a corrective measure, the authority directed Uipath to periodically assess and enhance their security protocols to avoid similar incidents in the future. You can read the press release here (in Romanian).

Romania: ANSPDCP fines BODY LINE SRL for multiple GDPR violations

The Romanian data protection authority (ANSPDCP) concluded an investigation into BODY LINE SRL in July 2023. The investigation found multiple infringements of Articles 5, 6, 9, 17, and 32 of the EU General Data Protection Regulation (GDPR). As a result, the company was fined a total of 49,322 lei (equivalent to €10,000). The investigation was initiated after a complaint alleged that the company had disclosed personal data of a client through an audio-video recording on its social media platforms. It was also revealed that BODY LINE SRL had inadequately safeguarded the confidentiality of the personal data processed through its audio-video surveillance system. The company was also given corrective measures to ensure GDPR compliance in the future. You can read the press release here (in Romanian).