Data Protection Weekly 37/2023

Sep 18, 2023

European Union

CJEU: Advocate General considers GDPR’s applicability to Anti-Doping rules

Advocate General Tamara Ćapeta issued an opinion on Case C-115/22 concerning the publication of personal data of athletes found guilty of anti-doping violations. An Austrian professional middle-distance runner faced sanctions for doping violations, leading to the publication of her personal data on a public website by the Independent Anti-Doping Agency. This raised questions regarding the compatibility with GDPR. In her opinion, Advocate General Tamara Ćapeta considers that the GDPR might not apply as anti-doping rules primarily regulate the sport and its non-economic facets. Moreover, if GDPR was to be considered relevant, it would allow for such data processing without necessitating an individual proportionality assessment. She further underscores the importance of online publication in today’s age to effectively deter potential doping offenses among young athletes and keep stakeholders informed. You can read the press release here and the full opinion here.

National Authorities

Netherlands: AP seeks clarity from tech firm on AI aimed at children

The Dutch data protection authority (AP) is growing increasingly concerned about how personal data is managed by organisations harnessing generative artificial intelligence (AI). Their focus is especially on apps targeted at young children. Recently, the AP has requested more information from a tech company about a chatbot feature in its app, which is popular with children, querying its transparency regarding user data handling. As generative AI sees rapid uptake, the AP points to substantial risks in presenting such technologies to children, who might not fully grasp the implications. The AP is scrutinising the app’s transparency concerning data use and is probing into the firm’s data retention strategies. Following these investigations, the AP will decide on further actions if necessary. You can read the press release here (in Dutch).

Spain: AEPD discusses digital currency evolution in new blog post

In a recent blog post, the Spanish data protection authority (AEPD) delved into the evolving landscape of digital currencies. The AEPD highlights the emergence of central bank digital currencies (CBDCs) and their centralised nature, contrasting them with decentralised cryptocurrencies such as bitcoin. The AEPD underlines the potential of CBDCs to revolutionise the financial sector, but also highlights the challenges they pose, in particular with regard to individual rights and data protection. The AEPD advocates for a delicate balance between robust data protection and curbing illicit financial activities in the design of CBDCs. You can read the full blog post here (in Spanish).

UK: ICO urges organisations to share data when child protection is at stake

The UK data protection authority (ICO) has unveiled a new publication titled “A 10 step guide to sharing information to safeguard children.” This guide aims to bolster effective and responsible data sharing practices among organisations, particularly when the safety of children and young people is at stake. With the launch of this guide, the ICO aims to address and alleviate concerns that organisations and frontline workers might have about potential breaches of data protection law. Alongside this guide, the ICO reiterated its stance, emphasising that organisations will not be penalised for sharing information if it means protecting children and young people who are in potential danger. The ICO remains dedicated to ensuring that data protection laws support responsible information sharing to prevent harm, and not hinder it. You can read the press release here and the new guide here.

Berlin Group adopts final version of working paper on “Smart Cities”

The International Working Group for Data Protection in Technology (IWGDPT), known as the “Berlin Group”, has released a working paper on “Smart Cities”. Chaired by Prof. Ulrich Kelber, the paper offers practical advice to cities, service providers, and regulators on implementing data protection-friendly solutions. “Smart Cities”, while enhancing urban life through intelligent services, also present potential privacy risks due to the extensive collection and processing of personal data. Thus, the Berlin Group emphasises the need for stakeholders to uphold data protection standards to ensure individuals’ right to privacy. You can read the press release here (in German) and the full paper here (in English).

Global

NOYB files complaints against French apps over illegal data sharing

NOYB has lodged complaints with the French data protection authority (CNIL) against three companies: Fnac, SeLoger, and MyFitnessPal, alleging illegal sharing of users’ personal data. These apps purportedly share information, including Google’s Advertising ID, with third parties as soon as they are opened. This action has raised concerns about the adherence to the ePrivacy Directive, which emphasises the necessity for explicit user consent prior to data sharing or access. NOYB is urging CNIL to direct the implicated applications to erase all data that has been processed without proper consent. Furthermore, they recommend that all data recipients be informed about the request for deletion. Given the gravity of the allegations, NOYB has also suggested the consideration of imposing fines on these firms. You can read the press release here.

Dutch groups launch class action against Google for privacy violations

The Stichting Bescherming Privacybelangen, a Dutch foundation advocating for the privacy of Google users, and the Consumentenbond, a renowned consumer protection association, announced their joint challenge against Google’s alleged breach of privacy rights. The tech company is accused of unlawfully collecting and processing Dutch consumers’ data without obtaining their explicit consent. Such actions are deemed in violation of both Dutch and European privacy regulations. The two organisations urge consumers to join the legal proceedings against Google, aiming to enforce privacy rights and demand financial compensation for affected users. Furthermore, it was highlighted that Google’s manipulative design techniques, or “dark patterns”, make it challenging for users to understand and control their personal data. The organisations’ collective action seeks compensation for consumers who have used Google’s services since March 1, 2012. This is not the first time the Consumentenbond has confronted Big Tech; they have previously taken legal action against Facebook and TikTok. You can read the joint statement here.

Sanctions

Ireland: DPC fines TikTok €345 million over child data processing

Following the European Data Protection Board’s (EDPB) binding dispute resolution decision, the Irish data protection authority (DPC) has issued its final decision regarding its inquiry into TikTok Technology Limited (TikTok). The investigation, covering TikTok’s processing activities between 31 July and 31 December 2020, focused on TikTok’s processing of personal data related to child users, and in particular platform settings like “Family Pairing”, age verification, and transparency obligations. The DPC’s draft decision proposed findings of infringement of articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1) and 13(1)(e) of GDPR, in relation to the above processing. The EDPB directed the DPC to include a finding of infringement on the GDPR principle of fairness due to concerns raised by Berlin’s supervisory authority regarding ‘dark patterns’. As a result, the DPC has ordered TikTok to rectify its processing within three months and imposed fines totalling €345 million. You can read the DPC press release here, the EDPB press release here and the full final decision here.

Italy: Garante fines two companies for unlawful telemarketing practices

Italy’s data protection authority (Garante) has intensified its measures against unlawful data processing for telemarketing, imposing fines on both Tiscali and Comparafacile, amounting to €100,000 and €40,000 respectively. This disciplinary action emerged from a complaint by a citizen who persisted in receiving promotional calls despite being on a public opposition registry. Investigations uncovered Comparafacile’s practices of reaching out to individuals without appropriately verifying their consent, a clear infringement of data protection regulations. On a separate note, Tiscali drew attention for not providing comprehensive data protection information. Further, they were found to have engaged in sending unsolicited promotional SMS messages to over 160,000 customers without obtaining the necessary consent. These findings highlight the ongoing challenges in telemarketing practices and the need for companies to rigorously adhere to data protection standards. You can read the press release here (in Italian).

Italy: Garante orders Google to remove fraudulent website’s URL

Italy’s data protection authority (Garante) ordered Google to remove a URL from search results linked to a fraudulent website bearing an Italian businessman’s full name. Created anonymously, the site contained defamatory remarks tarnishing the individual’s personal and professional standing. It used personal information sourced online, including a misleading email implying a criminal association. Although the entrepreneur secured a deindexing order from a non-European judicial body, the URL persisted within European searches. Google initially rejected the businessman’s deindexing request, seeing it more as defamation than a personal data protection issue. However, the Garante backed the complainant, emphasising the misuse of his personal data and highlighting multiple privacy infractions by the site creators. This decision stressed the importance of considering both time elapsed and data accuracy in deindexing decisions, especially when data gives an inaccurate, misleading impression, echoing the EDPB right-to-be-forgotten guidelines. You can read the press release here (in Italian).

UK: ICO fined former social services council employee for unlawfully accessing sensitive personal data

A former employee of St Helens Borough Council, Rachel Anderton, has faced legal consequences for accessing social service records without a legitimate business need to do so. Anderton, who was employed as a family intervention officer, was found to have viewed the personal records of 145 individuals on the council’s case management system from 17 January 2019 to 17 October 2019. The illicit activities were identified during an internal council audit, leading to Anderton’s resignation before any disciplinary actions were initiated. Presenting her case at the Wigan and Leigh Magistrates Court on 11 September 2023, Anderton admitted to one offence of unlawfully obtaining personal data, in breach of s170(1) of the Data Protection Act 2018. Consequently, she was fined £92.00, with additional charges of £385.00 for court costs and a £32.00 victim surcharge. Andy Curry, Head of Investigations at the Information Commissioner’s Office, emphasised the fundamental right of individuals to data privacy and the severe repercussions for breaching it. You can read the press release here.

Ireland: DPC welcomes successful prosecutions of marketing offences

On 11th September 2023, the Irish data protection authority (DPC) lauded the outcomes of cases brought before the Dublin Metropolitan District Court against several prominent entities for infringements of unsolicited marketing communication rules. Chill Insurance Limited and Hidden Hearing Limited were charged and mandated to make charitable donations under the Probation of Offenders Act 1907. The Multiple Sclerosis Society of Ireland faced a similar charge. Notably, Vodafone Ireland Limited, with prior convictions related to such breaches, was fined €500. These prosecutions underscore the DPC’s commitment to upholding data protection standards, sending a clear message to all entities involved in electronic marketing about the consequences of non-compliance. You can read the press release here.

Croatia: Azop fines gambling companies for unlawful data processing through cookies

The Croatian data protection authority (Azop) issued fines on two gambling and betting companies, amounting to €20,000 (HRK 150,690) and €30,000 (HRK 226,035), for three distinct violations of the GDPR. Firstly, the firms processed personal data of website visitors via cookies without a legal basis, contravening Article 6(1) of the GDPR. Secondly, they did not provide clear information or facilitate informed and voluntary consent, breaching Article 7. Finally, there was inadequate disclosure to users about data processing through cookies, neglecting the transparency principle and violating Articles 13(1) and 13(2). The penalties were determined based on factors like the breach’s nature, severity, duration, and the data controllers’ responsibility level. You can read the press release here (in Croatian).