Data Protection Weekly 35/2023

Sep 4, 2023

European Union

European Commission: Turkey joins Digital Europe Programme

The European Commission has signed an association agreement with Turkey on its participation in the Digital Europe Programme. The agreement will come into effect once the necessary ratification processes are completed. Businesses, public administrations and other eligible organisations in Turkey will gain access to the programme’s calls; the programme has an overall budget of €7.5 billion for the 2021-2027 period. Turkey will be able to participate in projects focusing on artificial intelligence, advanced digital skills and the establishment of Digital Innovation Hubs within the country. The European Commission aims to strengthen ties in digital technologies and hopes the agreement will foster closer links between Turkey and the EU economy and society. The Digital Europe Programme’s funds will also complement other EU funding available to Turkey, such as Horizon Europe. You can read the press release here.

ENISA: Publication of a report on the cybersecurity challenges in subsea cable ecosystem

The European Union Agency for Cybersecurity (ENISA) has released a report focusing on the cybersecurity challenges facing the subsea cable ecosystem. Subsea cables are crucial for global internet infrastructure, carrying over 97% of the world’s internet traffic. The report identifies weak points such as cable landing stations and areas where multiple cables are in close proximity. Most incidents affecting subsea cables are accidental, often caused by anchoring and fishing activities. However, the report also warns of potential malicious actions like sabotage and espionage. Repairing these cables is a complex and time-consuming process, requiring specialised ships. The report calls for clearer mandates and supervision at the national level to protect these vital assets and suggests that national authorities should exchange best practices for subsea cable protection. The European Commission has also initiated a dedicated study to further analyse the resilience, redundancy, and capacity of subsea cables. You can read the press release here and download the full report here.

National Authorities

France: CNIL opens public consultation on data security for high-risk systems

France’s data protection authority (CNIL) has opened a public consultation on the security of what it calls “critical treatments” in information systems. According to CNIL, a third of its sanctions in 2022 related to failures in data security compliance. The consultation aims to consolidate the advanced security practices recommended by CNIL into a single document. It specifically targets systems deemed “critical” on the basis of two cumulative criteria: large-scale processing within the meaning of the GDPR, and the potential for severe consequences for individuals, for national security or for society as a whole in the event of a data breach. The consultation is open to any public or private organisation interested in using the forthcoming document as a best-practice guide for the processing of personal data. The deadline for public input is October 8, 2023, and the final recommendation is expected to be published in early 2024. You can read the press release here (in French).

Ireland: DPC advises on safe back-to-school photos

The Irish data protection authority (DPC) has issued a blog post urging parents to exercise caution when posting back-to-school photos of their children on social media. The campaign, titled #PauseBeforeYouPost, outlines four key tips for parents. First, it advises against oversharing details such as the child’s name, age, and teacher. Second, it recommends scrutinising the photo’s background for identifiable information like school crests or location tags. Third, parents are encouraged to consult their children, as the photos are considered their personal data. Lastly, the blog post suggests setting social media profiles to “private” and limiting the audience to “close friends.” The DPC emphasises that even seemingly innocent posts can lead to unintended oversharing, which could have serious consequences. You can read the full blog post here.

Italy: The Garante issues warning on victim details disclosure

The Italian data protection authority (Garante) has initiated an investigation against websites that disclosed the identity of a sexual assault victim in Palermo. Despite journalistic ethical guidelines that prohibit revealing details that could identify victims of violence, several cases have emerged where excessive details were provided. The Garante has previously issued specific warnings to respect legal norms protecting victims of sexual violence. The disclosure of the victim’s personal data not only violates data protection laws but also contravenes criminal law (Article 734 bis c.p.). The Garante also warns that disclosing the names of the perpetrators could indirectly identify the victim. It urges all media operators to refrain from further disclosing the victim’s identity and to communicate in a manner that respects human dignity. You can read the press release here (in Italian).

Netherlands: AP releases first Algorithmic Risks Report

The Dutch data protection authority (AP) has published its inaugural Algorithmic Risks Report, highlighting the need for better control over algorithms and AI. The report identifies the rapid integration of AI innovations such as smart chatbots into society, together with an inadequate understanding of the algorithms already in use, as significant risks. AP Chair Aleid Wolfsen emphasised the need for effective management of risks such as discrimination, unfair outcomes and a lack of transparency. The AP advises focusing on high-risk algorithms and aligning with forthcoming European legislation. It also calls for a one-year transition period for public organisations to register their use of high-risk algorithms. The report aims to provide an overarching risk perspective to inform policy and will be updated every six months. You can read the press release and download the report here.

Poland: UODO investigates Ryanair’s passenger verification procedures

The Polish data protection authority (UODO) has initiated actions to investigate how Ryanair processes personal data during its passenger verification procedures. The move follows numerous complaints from passengers alleging improper handling of personal data by the airline, including demands for scans of personal identification documents and additional fees for identity verification where passengers refuse. Jakub Groszkowski, Deputy President of UODO, emphasised the risks of unauthorised data use and welcomed public attention to how and where personal IDs are being used. After formal analysis, the case will be transferred to Ireland’s data protection authority, as Ryanair is headquartered in Ireland. UODO President Jan Nowak has also asked the President of the Office of Competition and Consumer Protection (UOKiK) to consider examining whether the airline’s practices violate collective consumer interests. You can read the press release here (in Polish).

Switzerland: FDPIC publishes factsheet on Data Protection Impact Assessment

The Swiss data protection authority (FDPIC) has released a factsheet on Data Protection Impact Assessments (DPIAs). This follows the revised Data Protection Act, which requires federal bodies and private persons to prepare a DPIA when planning data processing that could pose a high risk to individuals’ personality or fundamental rights. The factsheet outlines the procedure for conducting a DPIA in compliance with Articles 22 and 23 of the Federal Act on Data Protection (FADP). You can download the factsheet here.

UK: ICO issues new guidance on bulk communications by email

The UK’s data protection authority (ICO) has released new guidance advising organisations to use alternatives to the blind carbon copy (BCC) email function when sending sensitive personal information. The guidance follows numerous data breaches caused by incorrect use of BCC. Mihaela Jembei, ICO Director of Regulatory Cyber, stated that failure to use BCC correctly is one of the most frequently reported types of data breach each year. The ICO recommends alternatives such as bulk email services, mail merge or secure data transfer services for sending sensitive information. The guidance is part of the ICO’s commitment to helping organisations improve email security. The ICO has also taken enforcement action against organisations for inappropriate email disclosures, emphasising the need for proper technical and organisational measures to protect personal information. According to ICO data, the education sector accounts for the most BCC breaches, followed by health, local government, retail and the charity sector. You can read the press release here and the full guidance here.
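The failure mode the ICO describes (a whole recipient list exposed in To/Cc, or BCC forgotten once) next to the mail-merge alternative it recommends, as an added example that is not from the ICO guidance; the recipient addresses are constructed and the `safe_to_send` guard is a hypothetical pre-send check:

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list for a sensitive mailing; none of these are real.
RECIPIENTS = ["a.person@example.org", "b.person@example.org",
              "c.person@example.org"]

def visible_recipients(msg):
    """Addresses every recipient can see: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]

def build_bulk_message_insecure(recipients, subject, body):
    # The mistake behind the reported breaches: the whole list goes in To
    # (or BCC is missed once), so each recipient sees all the others.
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["To"] = ", ".join(recipients)
    msg.set_content(body)
    return msg

def build_mail_merge(recipients, subject, body_template):
    """One message per recipient, addressed only to that person, so there
    is no shared recipient list to leak regardless of how BCC is handled."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["Subject"] = subject
        msg["To"] = addr
        msg.set_content(body_template.format(recipient=addr))
        messages.append(msg)
    return messages

def safe_to_send(msg, max_visible=1):
    """Hypothetical pre-send guard: refuse a message that exposes more than
    one recipient address; wire it in front of the SMTP call."""
    return len(visible_recipients(msg)) <= max_visible
```

Bulk email services and secure transfer tools do the same per-recipient separation for you; the guard is useful where staff still send from a mail client.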

OpenAI launches ChatGPT Enterprise with focus on security and privacy

OpenAI has announced the launch of ChatGPT Enterprise, a new product aimed at satisfying the needs of corporate users with an emphasis on enterprise-grade security and privacy. This iteration of ChatGPT provides advanced features such as longer context windows for processing inputs, faster performance, and advanced data analysis capabilities. Notably, the platform is SOC 2 compliant and encrypts all conversations in transit and at rest. ChatGPT Enterprise also allows organisations to maintain full control and ownership of their business data, specifying that the data will not be used for training OpenAI models. Since its launch nine months ago, OpenAI notes that ChatGPT has been adopted by teams in over 80% of Fortune 500 companies. This enterprise version is presented as a response to the demand for a more secure and productive AI-assisted working environment for large organisations. You can read the full article here.

Netherlands: Dutch Court overrules AP’s decision on DPG Media’s data access policy

A Dutch court has ruled on a case involving DPG Media B.V. and the Dutch data protection authority (AP). The case examined whether DPG Media’s policy of requiring a copy of an identity document for all data access or deletion requests made outside of their login environment was in compliance with Article 12(2) of the GDPR. The court found that while using an identity document is not an unreasonable means of identification, DPG Media’s rigid approach did not sufficiently facilitate the exercise of GDPR rights. However, the court also noted that DPG Media had not been given adequate guidance by the AP and had already changed its policy by the time the case came to court. Consequently, the court ruled that the fine imposed on DPG Media was not justified. You can read the full decision here (in Dutch).

Denmark: Datatilsynet reprimands Danish National Police for inadequate search protocols in EU information systems

The Danish data protection authority (Datatilsynet) has issued a ruling reprimanding the Rigspolitiet (Danish National Police) for not adequately complying with the conditions for searches in the Visa Information System (VIS) and EURODAC. Rigspolitiet may use these systems for law enforcement purposes under certain conditions, based on requests from local police districts. Datatilsynet found that in one instance Rigspolitiet failed to carry out the required control before searching the VIS, and in another case the control was insufficient. Datatilsynet also found that Rigspolitiet had searched EURODAC without a prior unsuccessful search in the VIS, which is a prerequisite for searching EURODAC. The authority reprimands Rigspolitiet for its lack of oversight in adhering to the search conditions of both systems. You can read the press release here and the full decision here (both in Danish).

Sweden: Insurance company fined SEK 35 million for security breaches

Sweden’s data protection authority (IMY) has imposed a fine of SEK 35 million on the insurance company Trygg-Hansa for security lapses that exposed the data of 650,000 customers online. The investigation began after a tip-off from a person who had received an email from the company containing a link to an offer page. The tipster discovered that by altering some numbers in the web link, he could access other customers’ insurance documents without any login. IMY’s review revealed that customer data, including sensitive health information, was accessible from October 2018 to February 2021. IMY concluded that Trygg-Hansa had failed to take appropriate technical measures to ensure data security, resulting in the fine. You can read the press release here (in Swedish).
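A minimal model of the flaw IMY describes (a document fetched by a guessable number in a link, with no login) beside a hardened version that requires an authenticated user, enforces ownership, and, for links sent by email, replaces the bare number with a signed, expiring token. This is an added example, not Trygg-Hansa’s code or anything from the IMY decision; the document numbers, customer ids and server key are constructed.

```python
import hashlib
import hmac
import time

# Constructed sample data: document number -> (owner customer id, content).
DOCUMENTS = {
    1001: ("cust-A", "Home insurance policy, customer A"),
    1002: ("cust-B", "Health insurance claim, customer B"),
}
SERVER_KEY = b"constructed-demo-key"  # assumption: random and server-side only

def get_document_insecure(doc_id):
    # Vulnerable: no login or ownership check; editing the number in the link
    # returns another customer's document.
    return DOCUMENTS[doc_id][1]

def get_document(session_user, doc_id):
    """Hardened: require an authenticated user and enforce ownership."""
    if session_user is None:
        raise PermissionError("login required")
    owner, content = DOCUMENTS.get(doc_id, (None, None))
    if owner != session_user:  # same refusal for missing and foreign docs
        raise PermissionError("not your document")
    return content

def make_link_token(doc_id, customer, ttl_s=3600, now=None):
    """Emailed links carry a signed, expiring token instead of a bare id."""
    exp = int(time.time() if now is None else now) + ttl_s
    payload = f"{doc_id}:{customer}:{exp}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"

def get_document_by_token(token, now=None):
    # Verify signature and expiry first, then reuse the ownership check.
    parts = token.split(":")
    if len(parts) != 4:
        raise PermissionError("malformed token")
    doc_id, customer, exp, mac = parts
    payload = f"{doc_id}:{customer}:{exp}"
    good = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        raise PermissionError("bad signature")  # id, owner or expiry edited
    if int(time.time() if now is None else now) >= int(exp):
        raise PermissionError("link expired")
    return get_document(customer, int(doc_id))

def is_denied(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:  # access refused, as the hardened paths should
        return True
```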

UK: ICO fines This Is The Big Deal Limited £30,000 for unsolicited direct marketing messages

“This Is The Big Deal Limited” was fined £30,000 by the UK data protection authority (ICO) for sending over 41 million unsolicited direct marketing messages by email and text message. The UK company breached the Privacy and Electronic Communications Regulations (PECR) by sending these messages without the recipients’ consent and without including opt-out information. You can read the press release here and the full decision here.