Data Protection Weekly 36/2023

Sep 11, 2023


ADPO: Upcoming webinar on the pressures faced by Data Protection Officers

The Association of Irish DPOs (ADPO), member of CEDPO, is hosting a webinar titled “Saving Private DPO: Insights from Inside the World of the DPO” on 19th September 2023, 12:00 – 13:30 CET, via Zoom. This session will discuss the intense pressures DPOs often face, leading to challenges like loss of confidence, isolation, and even mental health issues. Bruno Rasle, former General Delegate of the AFCDP and author of the study “Saving Private DPO”, will be the key speaker.  You can read more about it here and register here.

Asso DPO: Registration to the 9th Annual ASSO DPO Congress 2023

The 9th Annual ASSO DPO Congress is set to take place on 25th and 26th September 2023 at the Swiss Chamber in Milan: ASSODPO is a member of CEDPO. This year’s congress promises a fresh experience with a new location, dates, and program. The first day will be entirely dedicated to technological revolution, with a special emphasis on artificial intelligence (AI) and cybersecurity. As technology rapidly transforms how businesses and organisations manage personal data, ASSO DPO offers privacy and information security professionals an opportunity to stay updated on the latest trends and challenges. You can register here.

 European Union

European Commission: Designation of six companies as gatekeepers under DMA

The European Commission has marked six tech giants – Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft – as “gatekeepers” under the Digital Markets Act (DMA). This decision, following a 45-day review, mandates these companies to ensure full DMA compliance within six months. Concurrently, the Commission is investigating specific services from Microsoft and Apple to determine if they qualify as gateways. Apple’s iPadOS is also under review for potential gatekeeper status. Notably, Gmail,, and Samsung Internet Browser, despite meeting DMA criteria, were not designated as core platform services after their parent companies presented compelling arguments. Non-compliance with DMA obligations could lead to fines of up to 10% of a company’s global turnover, with stricter penalties for repeated violations. The DMA, in force since November 2022, aims to ensure fairness in digital markets. You can read the press release here.

EDPS: Opinion on proposal for a regulation on European statistics

The European Data Protection Supervisor (EDPS) has issued an opinion on the European Commission’s Proposal to amend the Regulation on European statistics. While the EDPS supports modernising the legal framework, there’s unease over potential personal data collection from diverse sources, notably private data holders. The EDPS emphasises that personal data collection might not be necessary or proportionate, considering potential risks to individual rights. The EDPS suggests the Proposal should explicitly state that only anonymised data will be sought from private entities. If personal data is to be collected, the Proposal should detail the categories and sources of such data, ensuring necessity and proportionality. The EDPS underscores the need for privacy-enhancing technologies and strict adherence to GDPR and EUDPR provisions. Furthermore, the EDPS advises amending the Proposal concerning statistics from Large-Scale IT systems. You can download the full opinion here.

CJEU: Privacy Directive precludes data use in public sector corruption probes

In Case C-162/22, the European Court of Justice (ECJ) ruled that the Directive on privacy and electronic communications precludes the use, in connection with administrative investigations into corruption in the public sector, of data collected for the purpose of combating serious crime. The case emerged when a Lithuanian public prosecutor was dismissed for allegedly providing information unlawfully to a suspect and their lawyer. The evidence against him was based on data retained by electronic communications service providers. The ECJ emphasised that while combating serious crime can justify interference with fundamental rights, the use of such data in order to combat corruption-related misconduct in office, which is of lesser importance than combating serious crime is not permissible. You can read the press release here and the full decision here.

CJEU: General Court rejects EDPS’s challenge to Europol regulation

In Case T‑578/22, the General Court of the European Union, declared the European Data Protection Supervisor’s (EDPS) action against the amended Europol regulation inadmissible. The EDPS had previously identified infringements of the initial Europol regulation in January 2022. However, following amendments in June 2022 by the European Parliament and the Council, transitional provisions were introduced. The EDPS contended that these provisions retroactively legitimised Europol’s data retention practices, undermining his independence and powers. The General Court countered that the EDPS lacks privileged standing before EU Courts and that the provisions did not directly affect EDPS. You can read the press release here and the full decision here.

Council of Europe: Switzerland’s ratification of Convention 108+

On 7 September 2023, Switzerland ratified the Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data, also known as Convention 108+. Switzerland, a party to Convention 108 since 1998, now becomes the 28th State Party to endorse the updated Convention 108 (Convention 108+). This ratification brings Convention 108+ closer to coming into full effect as a unique global legal instrument safeguarding personal data and the right to privacy. Only 10 more ratifications are required for the Convention 108+ to be fully implemented. You can read the press release here.

National Authorities

France: CNIL releases recommendations on remote exam monitoring

Amid the growing popularity of online examinations by both public and private higher education institutions, the French data protection authority (CNIL) has published recommendations on the use of remote monitoring tools. Prompted by the widespread adoption of digital teaching methods during the COVID-19 crisis and subsequent complaints, the CNIL conducted a public consultation to gain a better understanding of the sector’s practices and challenges. Their recommendations covers the implementation of online exam monitoring, emphasising GDPR compliance, mutual trust between students and institutions, and promoting digital inclusion. The CNIL stresses that while such tools can be intrusive, they should strike a balance between combatting fraud and preserving individual rights. Institutions are advised to offer students the choice of remote exams and ensure early communication about surveillance measures, always prioritising data protection. You can read the press release here and the full recommendations here (both in French).

Netherlands: AP issues draft decision approving Code of Conduct for ISPS companies

On 6th September 2023, Port Privacy B.V. put forth a conduct code for the access policies of ISPS (International Ship and Port Facility Security) companies in the Netherlands. The Dutch data protection authority (AP) has adopted a draft decision indicating potential approval of this code. Designed to detail GDPR obligations, the code aims to guide ISPS companies handling personal data for ship and port facility security. An industry or sector can draft such conduct codes regarding personal data management, subsequently seeking AP’s endorsement. Organisations introducing these codes must also establish a supervisory body ensuring compliance. Port Privacy B.V., aiming to serve as the supervisory body, has sought accreditation from the AP, but has not yet been accredited. As a result, the AP has attached a suspensive condition to its endorsement of the conduct code. Interested stakeholders can present their views to the AP on this draft. You can read the press release here, the draft decision here and the code of conduct here (all in Dutch)

UK: ICO will investigates data security in period and fertility apps

The UK data protection authority (ICO) is scrutinising period and fertility tracking apps after a survey revealed over half of women have data security concerns. The poll highlighted that 59% of women value transparency on data usage and 57% prioritise data security over cost and ease of use. Interestingly, over half of the respondents felt they encountered more fertility-related advertisements after using these apps, with 17% finding such ads distressing. The ICO has initiated a call for users to share their experiences and has approached app providers to understand their data handling practices. The aim is to identify potential issues, from ambiguous privacy policies to intrusive targeted ads. Collaborations with stakeholders, including the National Data Guardian and women’s health groups, are underway. You can read the press release here.

Germany: DSK issues application note on EU-US Data Privacy Framework

The committee of Independent German Federal and State Data Protection Supervisory Authorities – in abbreviated form “Data Protection Conference” (German abbreviation “DSK”) has released application notes on the adequacy decision for the EU-US Data Privacy Framework. This move comes in response to the need for clarity on transferring personal data to the US under European data protection regulations. Historically, the European Court of Justice declared previous adequacy decisions, the “Safe Harbor” in 2015 and the “Privacy Shield” in 2020, invalid due to the extensive access powers granted to US security authorities. However, since July 10, 2023, there’s been a renewed focus on ensuring compliance with the “EU-US Data Privacy Framework”. This latest guidance aims to assist data exporters and also enlightens affected individuals about their rights, legal protections, and avenues for complaints. You can read the press release here and the application note here (both in German).

Belgium: Market Court awaits CJEU ruling on IAB Europe’s action plan

The Belgian Market Court has issued an interim ruling, suspending its assessment of the Belgian data protection authority’s (APD) decision to validate IAB Europe’s action plan. This comes after IAB Europe’s appeal against the APD’s unexpected validation in January 2023, which was in line with a February 2022 decision. The Market Court’s previous interim judgement in September 2022 had referred questions to the Court of Justice of the European Union (CJEU) for a preliminary ruling, noting the APD’s breach of duty of care. The recent judgement underscores that the APD’s validation decision was premature, as the CJEU’s forthcoming answers will influence the legality of the APD’s action plan validation. Townsend Feehan, CEO of IAB Europe, emphasised that while updates to the TCF can proceed, significant modifications should await the CJEU’s guidance. You can read the press release here.


Mozilla Foundation reveals disturbing privacy issues in modern cars

Mozilla’s latest research has unveiled alarming privacy concerns surrounding modern cars. After analysing 25 car brands, the study found that every single one collects excessive personal data, extending beyond vehicle operation to deeply personal details, including medical and genetic information. A staggering 84% of these brands share this data, with 76% even admitting they can sell it. Moreover, a concerning 92% offer drivers little to no control over their personal data. The only exceptions were Renault and Dacia, which allow complete data deletion, likely influenced by Europe’s GDPR regulation. This investigation underscores the urgent need for more stringent privacy regulations in the automotive sector and increased transparency regarding data practices. You can read the full article here.

Apple responds to controversy over CSAM scanning tool decision

In a rare move, Apple has publicly addressed the controversy surrounding its decision to halt the development of its iCloud photo-scanning tool aimed at detecting child sexual abuse material (CSAM). Originally announced in August 2021, the tool faced backlash from digital rights groups and researchers over potential privacy breaches. The child safety group, Heat Initiative, recently pressed Apple to detect, report, and remove CSAM from iCloud and bolster user reporting mechanisms. Responding to the concerns, Apple detailed its shift towards on-device tools, known as Communication Safety features. Erik Neuenschwander, Apple’s director of user privacy and child safety, emphasised the risks associated with scanning all iCloud data, citing potential surveillance and unintended consequences. While Sarah Gardner of Heat Initiative expressed disappointment, Apple remains firm in its belief that on-device solutions are safer alternatives. You can read the full article here.



Norway: Oslo District Court rejects Meta’s appeal against temporary ban on behaviour-based advertising

On 6th September, the Oslo District Court delivered its verdict in the dispute between Norwegian data protection authority (Datatilsynet) and Meta, upholding Datatilsynet’s decision. Earlier in July, Datatilsynet imposed a temporary ban on behaviour-based advertising on Facebook and Instagram. In response, Meta, which owns both platforms, sought a legal stay of this decision through a temporary injunction. The Court, however, affirmed Datatilsynet’s position. The judgment stated that Datatilsynet’s action is valid and saw no grounds for suspension. Meta had raised multiple points during the case, including that Datatilsynet’s decision lacked proper prior notification and that Datatilsynet was not empowered to make such urgent decisions. The Court rejected these arguments. In parallel, Meta has filed several administrative challenges to Datatilsynet’s rulings. Datatilsynet is also contemplating presenting its decision to the European Data Protection Board to broaden the ban across the EU/EEA. These procedures remain in progress. You can read the press release here and the full decision here (both in Norwegian).

UK: ICO reprimands Ministry of Justice over data breach

The UK data protection authority (ICO) has issued a reprimand to the Ministry of Justice (MoJ) in accordance with Article 58(2)(b) of the UK General Data Protection Regulation (UK GDPR) for certain infringements. The MoJ was found to have breached Article 5(1)(f) of the UK GDPR, which mandates the secure processing of personal data. The breach occurred when details of parties involved in an adoption process were mistakenly disclosed to the birth father, even though a court judge had directed his exclusion due to potential risks he posed to the family. The error was attributed to the removal of a cover sheet from the adoption file, a local practice that deviated from national standards. The MoJ acknowledged that this practice was communicated orally and not documented. The Commissioner welcomed the remedial steps taken by the MoJ, which include aligning local processes with national practices and updating the electronic filing system. The Commissioner has also recommended further actions for the MoJ to ensure compliance with the UK GDPR. You can read the decision here.

Germany: BlnBDI reprimands company for email data breach

The Berlin data protection authority (BlnBDI) has issued a reprimand to a company for violations of the General Data Protection Regulation (GDPR). The case arose when a complainant received an order confirmation and subsequent emails, including personal data of another customer, from the company due to an incorrect email address entry. Despite the complainant’s efforts to notify the company, her requests were initially unheeded. The company later acknowledged the error, attributing it to a manual data entry mistake. In response, the company has since automated the customer account creation process and implemented a double opt-in procedure for email registration. The BlnBDI, after assessing the situation, decided to issue a reprimand, noting the company’s subsequent efforts to rectify the situation and prevent future occurrences. You can read the decision here.

Romania: ANSPDCP fines medical professional for privacy breach

The Romanian data protection authority (ANSPDCP) concluded an investigation in June 2023 involving a medical professional who was found to have breached Articles 5, 6(1)(a), and 9(2)(a) of the General Data Protection Regulation (GDPR). The medical professional was fined LEI 9,919 (equivalent to €2,000). The investigation was launched following a complaint revealing that the individual had used their personal phone to film a patient without her consent and subsequently shared the footage on his Facebook page. This led to the exposure of the patient’s personal data, including her image, voice, name, surname, and health status. Although the video was deleted on the same day, it was already viewed by many and spread across various online platforms and media channels. The ANSPDCP also imposed corrective measures, instructing the medical professional to ensure GDPR compliance in all future data processing activities. This incident underscores the importance of patient rights as highlighted by Article 20 of the Law no. 46/2003, which prohibits photographing or filming patients in medical units without their consent. You can read the press release here (in Romanian).