Data Protection Weekly 39/2023

Oct 2, 2023

European Union

EDPB: Adoption of Guidelines on data transfers under Law Enforcement Directive

The European Data Protection Board (EDPB) has adopted Guidelines on Article 37 of the Law Enforcement Directive (LED). The purpose of these Guidelines is to offer practical advice for the lawful transfer of personal data by EU member states’ competent authorities to third country authorities or international organisations competent in the field of law enforcement. Specifically, the Guidelines aim to clarify the legal criteria for the appropriate safeguards to which these authorities must adhere. The document also serves as a reference for member states contemplating new or amended data transfer agreements, as well as providing guidance for national data protection authorities during consultations or reviews. The Guidelines stress that transferred data must receive a level of protection essentially equivalent to that available within the EU. Furthermore, they compare the use of legally binding instruments with individual assessments by a data controller, emphasising that the latter should only be considered after a meticulous evaluation of the receiving entity’s legal framework. The consultation period for these Guidelines is open until 8 November 2023. You can read the press release here.

European Commission: Launch of the ECSM to tackle “social engineering”

October marks the 11th European Cybersecurity Month (ECSM), an annual EU campaign focused on enhancing cybersecurity awareness among citizens and organisations. This year, the initiative centres on “social engineering”, a growing category of cyber threat in which attackers manipulate individuals into revealing sensitive information or taking actions that compromise security. The Threat Landscape report by the European Union Agency for Cybersecurity (ENISA) highlights that phishing has become the predominant way of gaining unauthorised access to organisations, often serving as the initial foothold for further attacks such as ransomware. The campaign aims to promote good digital habits to counter such threats. Vice-President Margaritis Schinas stressed the importance of staying alert against scammers, while Commissioner Thierry Breton noted that cyber threats are rapidly evolving and that citizens’ behaviour plays a pivotal role in cybersecurity. The month-long event will feature activities across Europe and is jointly organised by ENISA, the European Commission, and EU Member States. You can read the press release here.

EDPS: Supervisor discusses the inextricable link between cybersecurity and data protection

The European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, recently discussed the essential relationship between cybersecurity and data protection during the European Parliament’s Cyber Days. He underscored the importance of the EDPS taking part in the EU’s Cybersecurity Month (ECSM) held each October. According to the EDPS, cybersecurity and data protection are “two sides of the same coin,” mutually reinforcing each other to protect individuals’ personal data and uphold EU values and democracy. His comments also explored practical ways of integrating data protection into cybersecurity management. Citing the new Directive on the security of network and information systems (NIS2), which entered into force in January 2023, the EDPS emphasised the significance of harmonising cybersecurity practices across the EU. He also pointed to the necessity for strong collaboration between Data Protection Officers and IT security departments, and elaborated on the dual role Artificial Intelligence plays in both enhancing and compromising cybersecurity. You can read the full blog post here.

European Commission: Launch of DSA Transparency Database for content moderation decisions

The European Commission has launched the Digital Services Act (DSA) Transparency Database, a pioneering move to improve transparency regarding content moderation by online platforms in the EU. The database collects the statements of reasons that providers must send to users, and aims to offer comprehensive information on why certain content has been removed or had its access restricted by online service providers. Only Very Large Online Platforms (VLOPs) are currently mandated to contribute data to this database in line with their DSA obligations. Starting 17 February 2024, all online platforms, excluding micro and small enterprises, will also be required to submit their content moderation data. This database, accessible to the public, marks a milestone as a regulatory repository by collecting such data at an unprecedented scale. It implements Article 24(5) of the DSA and enables greater accountability for online platforms. Users can currently access summary statistics and search for specific reasons for content moderation, with further analytics and visualisation features to be added in upcoming months. You can read the press release here and access the Transparency Database here.

CJEU: Advocate General’s Opinion on IP address data retention in copyright cases

Advocate General Szpunar issued his Opinion in Case C-470/21, stating that the retention of, and access to, civil identity data linked to an IP address should be allowed where those data are the only means of investigation that make it possible to identify the perpetrators of copyright infringements committed exclusively on the internet. The Opinion was delivered in the case of La Quadrature du Net and Others and pertains to the practices of Hadopi, the French administrative authority responsible for enforcing copyright online. The Advocate General considers that this mechanism is compatible with EU data protection law. The data collected, according to him, do not enable a detailed profile of an individual’s private life to be built; rather, they serve as an essential tool for identifying copyright infringers. In his view this does not mark a shift in, but a pragmatic development of, existing case law, applying the principle of proportionality so as to avoid systemic impunity for offences committed exclusively online. You can read the press release here and the full Opinion here.

National Authorities

Norway: Datatilsynet requests EU-wide ban on Meta’s behavioural advertising

The Norwegian data protection authority (Datatilsynet) has requested a binding decision from the European Data Protection Board (EDPB) in the Meta case. After imposing a temporary ban on Meta’s unlawful behavioural advertising practices on Facebook and Instagram, Datatilsynet is now seeking to make the ban permanent and extend it across the EU/EEA. This move aims to ensure consistent GDPR enforcement throughout Europe. Despite Datatilsynet’s ruling, Meta has continued to engage in what the authority deems unlawful data processing. Meta disputes the process, asserting that Datatilsynet’s decision is invalid and that Datatilsynet has no legal basis to request a binding decision from the EDPB. Meta further states that it plans to ask users for consent before using their data for behavioural advertising. The EDPB must now assess whether the file is complete before proceeding, adding another layer of complexity to a landmark case concerning online privacy rights in Europe. You can read the press release here.

UK: ICO highlights risks to domestic abuse victims from data breaches

The UK data protection authority (ICO) has urgently called upon organisations to enhance their data protection practices to safeguard victims of domestic abuse. Over the past 14 months, the ICO has issued reprimands to seven organisations, including law firms, housing associations, and local councils, for data breaches affecting such victims. These breaches often involved the disclosure of sensitive information, such as victims’ home addresses, to their abusers. Some were so severe that immediate emergency action, such as relocation, was required. The ICO emphasised the crucial role of training and robust procedures in preventing similar incidents. Supported by organisations such as Women’s Aid and the Domestic Abuse Commissioner for England and Wales, the ICO identifies thorough training, accurate record-keeping, and restricted access to sensitive information as basic measures to reduce risk. This intervention aligns with the ICO’s revised approach to public sector enforcement, which favours proactive compliance over punitive fines. You can read the full article here.

Denmark: Datatilsynet’s audit reveals mixed compliance in data breach management

Denmark’s data protection authority (Datatilsynet) recently concluded a series of 16 audits scrutinising data breach management within eight large municipalities and eight banks. The focus was primarily on the effectiveness of the procedures and security measures implemented to protect personal data. While the majority of institutions were found to comply with data protection rules, Roskilde and Frederikshavn municipalities were criticised for failing to document data breaches properly. These findings highlight that it is not enough to implement adequate security measures: every incident must also be documented, as Article 33(5) GDPR requires controllers to record the facts of each personal data breach, its effects, and the remedial action taken, regardless of whether the breach is notifiable. You can read the press release here (in Danish).

Spain: AEPD publishes new blog post on PET in Data Spaces

A recent blog post from the Spanish data protection authority (AEPD) highlights the dual role of Privacy Enhancing Technologies (PETs) in Data Spaces. Published on 28 September 2023, the article emphasises the importance of treating data as a valuable asset. According to the AEPD, PETs not only serve to ensure compliance with the GDPR but also underpin robust data governance. Data Spaces, as the article explains, are federated infrastructures that enable secure data sharing among a diverse range of stakeholders, such as public institutions, companies, and individuals. The blog post underscores the importance of involving Data Protection Officers (DPDs, Delegados de Protección de Datos) from the outset to ensure the effective integration of PETs, thereby fostering trust and ensuring compliance. You can read the full blog post here (in Spanish).

Spain: AEPD endorses Family Digital Plan by Spanish Pediatric Association

The Spanish data protection authority (AEPD) has backed the Family Digital Plan of the Spanish Pediatric Association (AEP). This initiative aims to provide families and paediatricians with scientifically-backed guidelines to ensure the safe and beneficial use of technology by minors. The plan addresses aspects such as setting time limits, establishing screen-free zones, and not using devices as a “babysitter”. It emphasises that the best example families can set is through their own responsible use of technology. The AEPD’s support for this plan aligns with its strategic focus on protecting minors on the internet, specifically aiming to prevent problems such as internet addiction, sexting, and cyberbullying. Families can tailor the plan to their specific needs and circumstances. You can read the full article here (in Spanish).

Global

Global experts and civil organisations call for halt on facial recognition surveillance

A coalition of 180 experts and civil society organisations has released a statement calling for an immediate halt to facial recognition surveillance by police, state authorities, and private companies. The group, consisting of academics, technology advisors, lawyers, and human rights advocates, cites multiple concerns, including the technology’s incompatibility with human rights, its potential for discriminatory impact, and the lack of adequate legal and democratic oversight. Specifically, they question the technology’s necessity and proportionality and highlight the absence of safeguards. The statement serves as a unified call for greater scrutiny and governance over the use of facial recognition technology in public spaces and against individuals in migration or asylum contexts. The statement remains open for additional signatures, inviting like-minded individuals and organisations to join the call for stricter regulation and oversight. You can read the full statement here and add your signature here.

Sanctions

Norway: Record NOK 65 million fine against Grindr upheld by Privacy Appeals Board

The Norwegian data protection authority’s (Datatilsynet) record fine of NOK 65 million (equivalent to €5,681,000) against Grindr has been upheld by the Privacy Appeals Board. The case began in 2020 when the Norwegian Consumer Council lodged a complaint against the dating app, alleging that it shared sensitive data with third parties for marketing purposes without valid consent. The information shared included users’ GPS location, IP address, mobile advertising ID, age, and gender. The fine is the largest ever imposed by Datatilsynet, reflecting the seriousness of the infringements, including the unlawful disclosure of special category personal data relating to sexual orientation. Grindr had appealed the original decision, but the Privacy Appeals Board agreed that the consents collected were neither freely given, specific, nor informed. While Grindr cannot appeal this decision further within the administrative system, it can still bring legal action before the courts. The case underscores the importance of valid consent, especially for special categories of personal data. You can read the press release here.

France: CNIL fines SAF LOGISTICS for excessive data collection and lack of cooperation

On 18 September 2023, France’s data protection authority (CNIL) imposed a €200,000 fine on the air freight company SAF LOGISTICS. The sanction follows an alert from an employee about the company’s collection of excessive data during an internal recruitment process. Following an investigation, the CNIL identified multiple GDPR violations, including the collection of unnecessary information about employees’ family members and of sensitive personal data such as blood type and political affiliation. Additionally, SAF LOGISTICS did not comply fully with the CNIL’s requests for information, providing incomplete translations of the form used for data collection, and thus failed in its obligation to cooperate with the supervisory authority under Article 31 of the GDPR. The fine amount was determined based on the seriousness of the breaches, which violated key principles such as data minimisation (Article 5(1)(c)) and the prohibition on processing special categories of data (Article 9). You can read the press release here and the full decision here (in French).

Finland: The Office of the Data Protection Ombudsman lifts ban on Yango taxi service data transfer

The Finnish Data Protection Ombudsman, in cooperation with the data protection authorities of the Netherlands and Norway, has lifted its earlier interim order suspending the Yango taxi service’s data transfers to Russia. Issued in August, the temporary ban was based on new Russian taxi legislation that appeared to expand the FSB’s access to customer data. Upon further review, it was determined that this Russian law does not apply to Yango’s operations in Finland, leading to the revocation of the interim order. The Dutch data protection authority is leading the supervision of Yango’s data processing, as Ridetech International B.V., the entity responsible for the processing, is headquartered in the Netherlands. The Finnish and Norwegian data protection authorities will continue to collaborate closely with their Dutch counterpart in the ongoing supervision. You can read the press release here and the full decision here (in Finnish).

Denmark: Danish Court fines hotel chain for data retention violations

On 20 September 2023, the Østre Landsret (Eastern High Court) in Denmark ruled against the Arp-Hansen Hotel Group, fining the company DKK 1 million (equivalent to €134,000) for breaching the data protection rules on the storage of personal data. This decision closely matches the Danish data protection authority’s (Datatilsynet) original proposed fine of DKK 1.1 million. The case sets a precedent for the assessment of fines against private companies in similar situations. The infringement consisted of the hotel chain failing to adhere to its own deadlines for data deletion, thereby exposing approximately 500,000 customer profiles to the risk of misuse. The ruling comes amid an increasing focus on standardising fine assessments, evident from the guidance documents released by both Datatilsynet and the European Data Protection Board since 2020. The decision, which essentially cannot be appealed, adds to the evolving landscape of data protection enforcement. You can read the press release here and the full decision here (both in Danish).