Data Protection Weekly 38/2023

Sep 25, 2023

European Union

EDPS/ EDPB: Joint Opinion on the Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion on the European Commission’s proposal for additional procedural rules to improve the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. The two bodies welcome the Commission’s effort to harmonise the admissibility requirements for complaints and to clarify the right of access to the administrative file. To further improve the proposal, they suggest that concerned supervisory authorities (CSAs) should be more closely involved at the different stages of the enforcement process, and they advocate defining time limits for certain procedural steps. The EDPB and EDPS stress that the proposal should not limit CSAs’ ability to raise objections, and caution against changing the approach to the parties’ right to be heard during dispute resolution. They urge the swift adoption of this legislative measure to improve GDPR enforcement and protect individuals’ rights. You can read the press release here and the joint opinion here.

EDPS: International cooperation vital for advancing data protection standards

On 20th September 2023, the EDPS Supervisor, Wojciech Wiewiórowski, and Leonardo Cervera Navas participated in a high-level event concerning data protection in the Western Balkans and Eastern Partnership Region. The event was a collaborative effort involving various organisations and provided a platform for 11 countries to discuss the challenges and opportunities in advocating for digital rights and personal data protection. The gathering emphasised the importance of international cooperation, particularly among data protection authorities, in the absence of a United Nations’ Universal Binding Declaration on the subject. The General Data Protection Regulation (GDPR) and Modernised Convention 108 of the Council of Europe were cited as influential frameworks that could help standardise global data protection norms. The event also allowed for technical exchanges, enabling participants to share on-the-ground experiences and strategies for navigating the complex digital landscape. The focus was on the need for flexibility, independence, and strategic action in enhancing the efficiency of data protection efforts. You can read the blog post here.

ENISA: ECSF progress and workforce challenges highlighted at EU Cybersecurity Skills Conference

The European Union Agency for Cybersecurity (ENISA) highlighted progress on the European Cybersecurity Skills Framework (ECSF) at a recent conference. The event, organised together with the Spanish Ministry of Education and the Spanish National Cybersecurity Institute (INCIBE), underlined the need for more cybersecurity professionals to meet EU legal requirements. The conference comes as data shows a cybersecurity workforce shortage of 300,000 in the EU, despite a 25% increase in the number of graduates over the past two years. Stakeholders from diverse sectors attended, discussing re-skilling and upskilling as ways to close the workforce gap. ENISA’s Executive Director, Juhan Lepassaar, called for more human capital to achieve a high common level of cybersecurity across the EU. You can read the press release here.

National Authorities

Ireland: DPC releases comprehensive booklet on GDPR case studies from 2018-2023

The Irish data protection authority (DPC) has released an informative booklet encompassing 126 case studies drawn from the first five years of the General Data Protection Regulation (GDPR) implementation. Organised by category and featuring an index, the booklet serves as a valuable reference for understanding how the DPC handles various complaints in the field of data protection. The compilation aims to make it easier for professionals and concerned parties to locate pertinent examples that illustrate the DPC’s approach to GDPR-related issues. You can download the booklet here.

Poland: UODO investigates ChatGPT over GDPR compliance

The Polish data protection authority (UODO) is investigating a complaint against ChatGPT, OpenAI’s generative artificial intelligence model, for alleged breaches of the General Data Protection Regulation (GDPR). Specifically, the complainant accuses OpenAI of processing his data in a manner that is unlawful, unfair and non-transparent, implicating several GDPR provisions including Art. 12 and Art. 5(1). UODO’s President, Jan Nowak, has said that the case is complex and will require a meticulous administrative procedure. Notably, the complaint stems from OpenAI’s failure to correct false information that ChatGPT generated about the complainant. OpenAI is also criticised for giving evasive and conflicting answers to the complainant’s queries, thereby failing to fulfil its information obligations. As Jakub Groszkowski, Deputy President of UODO, underscored, as artificial intelligence technologies like ChatGPT enter ‘commercial and widespread use’, it is paramount to ensure that they comply with GDPR principles. You can read the press release here (in Polish).

Spain: AEPD discusses differentiating transparency requirements in AIA and GDPR in new blog post

In a recent blog post, the Spanish data protection authority (AEPD) delves into the nuanced differences between transparency requirements in the proposed AI Regulation and the General Data Protection Regulation (GDPR). While GDPR focuses transparency obligations on data controllers and aims to inform data subjects about how their personal data is handled, the AI Regulation targets AI system providers and users, understood as entities that deploy these AI systems, requiring them to disclose information about the system’s capabilities and limitations. This distinction is crucial for entities involved in both data processing and AI deployment, as complying with transparency guidelines in one regulatory framework does not automatically fulfil the criteria set by the other. Moreover, the AI Regulation places an emphasis on transparency throughout the AI system’s entire life cycle, complicating the compliance landscape for stakeholders. You can read the full blog post here (in Spanish).

Sweden: IMY proposes new regulation to streamline data processing for legal compliance

The Swedish data protection authority (IMY) has released a proposal for new regulations aimed at simplifying the process by which certain companies may process personal data relating to criminal offences. The proposed regulation mainly affects companies in the financial sector and those in the security and defence markets. These businesses often need to screen their customers against various sanctions lists to comply with domestic rules on anti-money laundering and counter-terrorism financing as well as with international export restrictions. The existing process has been criticised as time-consuming: companies must dedicate substantial resources to filing applications and awaiting approval, and decision times at IMY are lengthy. The new regulation aims to expedite the process for both parties. The proposed changes will now go through a consultation with various stakeholder organisations. You can read the press release here and the proposal here (both in Swedish).

Denmark: Datatilsynet releases new guidance to prevent abuse of access rights

Amid growing concerns over employees making unauthorised searches in data registers, the Danish data protection authority (Datatilsynet) has published new guidelines on how organisations can prevent the abuse of access rights. Anders Chemnitz, an IT security consultant at Datatilsynet, stressed the need for citizens to trust that their data are being handled responsibly and securely by public bodies and companies. While it is difficult to completely eliminate the abuse of access rights, organisations can minimise the risks through systematic management of permissions, robust control procedures, and effective enforcement by the data controller. The guidelines released by Datatilsynet offer a catalogue of measures organisations can adopt to reduce the likelihood of unauthorised access to registers by employees. You can read the press release here (in Danish).

Romania: ANSPDCP releases 2022 annual report

The Romanian data protection authority (ANSPDCP) has publicly released its annual activity report for 2022, highlighting various aspects of its work. The report is organised into main chapters covering general presentation, regulatory activities, public consultation and information, monitoring and control, international relations, economic management, and legislative proposals. Statistics in the report indicate that the authority received 4,260 complaints and personal data breach notifications, leading to 629 investigations. As a result, 69 fines were imposed, totalling 1,058,863 lei (equivalent to €213,000), alongside 134 warnings and 93 corrective measures. The ANSPDCP also handled 948 requests for opinions on the interpretation and application of the GDPR and issued opinions on 107 draft legislative acts affecting personal data processing. In addition, ANSPDCP managed 108 court cases at various procedural stages throughout the year. You can read the press release here (in Romanian).

Italy: Garante launches “Privacy Tour” to promote data protection awareness in smaller communities

Italy’s data protection authority (Garante) has launched the “Privacy Tour”, aimed at raising data protection awareness, particularly in smaller towns and in the southern regions. The initiative was announced at the “State of Privacy ’23” event, held in collaboration with Roma Tre University and the University of Florence. Signatories to the initiative, which include representatives of public institutions and private companies, will carry out activities throughout 2024 to mitigate the risk of a new digital divide. These activities will follow a format designed by the authority, comprising events, training sessions and online programmes focused on privacy issues. The target audience includes children and people less familiar with the digital world. Several organisations, including universities, tech companies and media houses, have already pledged their commitment. The tour will start in Messina, covering Sicily and Calabria. You can read the press release here (in Italian).

UK: Online Safety Bill is set to become law

The UK’s Online Safety Bill has passed its final Parliamentary debate and is set to become law. The bill aims to make the UK the safest place in the world to be online by imposing new duties on social media platforms. Key elements include stronger protections for children, more control for adults, and clearer obligations for social media companies. Platforms that fail to promptly remove illegal content, or content harmful to children, will face substantial fines, potentially running into billions of pounds; in extreme cases, company executives may even face imprisonment. The bill has undergone extensive scrutiny in both Houses of Parliament and has been amended to include more robust protective measures. It will also give users more control over their online experience and hold social media platforms to their own terms and conditions. Non-compliance could result in fines imposed by Ofcom of up to £18 million or 10% of the platform’s global annual revenue, whichever is greater. You can read the press release here.

UK: ICO issues £590,000 in new fines to tackle illegal nuisance calls

The UK data protection authority (ICO) has levied fines amounting to £590,000 against five companies for making a total of 1.9 million unsolicited marketing calls. These calls often targeted the elderly and individuals with vulnerabilities. The enforcement action is part of an ongoing initiative to curb the exploitation of vulnerable groups through high-pressure sales techniques, especially for white goods insurance and household appliances. Since October 2021, the ICO has imposed £1.45 million in fines on 16 companies for making illegal calls, often to individuals who had actively tried to block such calls by registering with the Telephone Preference Service (TPS). The fines resulted from detailed investigations by the ICO, assisted by intelligence from National Trading Standards. The ICO’s actions serve as a reminder that making live marketing calls to individuals registered with the TPS is illegal and can result in significant fines, unless the individual has informed the specific organisation that they do not object to receiving such calls from them. You can read the press release here.

Poland: Supreme Administrative Court upholds penalty imposed by UODO

After more than four years of legal proceedings, the Supreme Administrative Court in Poland has dismissed the cassation appeal filed by Swedish company Bisnode (now Dun & Bradstreet), upholding the judgement of the Provincial Administrative Court in Warsaw. The case revolved around the first fine imposed by the Polish data protection authority (UODO), amounting to just over PLN 943,000 (equivalent to €204,000). The fine was imposed on Bisnode for obtaining data from publicly available registers but failing to inform individuals whose data they were processing. The case has stirred significant debate, particularly around the obligations of data brokers who collect and resell data. The court confirmed that companies obtaining data from public registers must directly inform data subjects as specified under Article 14 of the GDPR. The company had argued that it was exempt from this requirement due to “disproportionate effort,” a claim that the court rejected, emphasising the principle of transparency under the GDPR. You can read the press release here (in Polish).