Data Protection Weekly 4/2023

Jan 27, 2023

 European Union

EDPB: EDPB publishes Binding Decision concerning WhatsApp

Following the EDPB’s binding dispute resolution decision of December 5th, WhatsApp IE was issued a 5.5 million euro fine by the Irish Data Protection Authority (DPA). In its Binding Decision, the EDPB instructed the IE DPA to amend its draft decision with respect to the findings concerning lawfulness of the processing and the principle of fairness, and to the corrective measures envisaged. The EDPB press release and published decision found here.

European Council: Council confirms agreement with the European Parliament on new rules to improve cross-border access to e-evidence

It has been confirmed that agreement has been reached between the Council presidency and the European Parliament on the draft regulation and the draft directive on cross-border access to e-evidence. The agreed texts will make it possible for the relevant authorities to address judicial orders for electronic evidence directly to service providers in another member state. The regulation creates European production and preservation orders that can be issued by judicial authorities in order to obtain or preserve e-evidence regardless of the location of the data. These orders may cover any category of data, including subscriber, traffic and content data. The press release can be read here.

National Authorities

Denmark: DPA guidance on Storage of personal data for documentation purposes

The Danish Data Protection Authority has prepared guidance that deals with the storage of personal data with the aim of assisting data controllers to demonstrate that they comply with the data protection rules on consent. The press release (in Danish) can be read here.

France: The CNIL announce the creation of new AI service and launch of work program on machine learning

Coming on the heels of the Dutch DPA announcement last week, the CNIL announced this week it is launching its own AI service to augment its expertise on AI related systems and its understanding of the risks to privacy while preparing for the entry into application of the European regulation on AI. In addition, it will propose initial recommendations on the subject of learning databases in the coming weeks. The press release (in French) can be read here.

Germany: Extended competencies for the Hamburg DPA (HmbBfDI) – sanctioning options against tele-media providers in Hamburg.

The enforcement competences of the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) have been extended by the Hamburg Parliament in the application of the national Telecommunications Telemedia Data Protection Act (TTDSG). This puts the HmbBfDI in a position to issue remedial measures and fines to tele-media providers in Hamburg if for example they use cookies in an illegal manner. the DPA press release (in German) can be read here.

Italy:  The Garante launches an investigation into the use of AI to determine medical treatment waiting lists. 

The Italian DPA – the Garante – has sent a request to the Veneto Region health authorities in order to assess and verify that the planned deployment of an AI system to prioritize patient medical interventions complies with privacy law. The proposed automated system would determine the level of urgency for intervention and scheduling of treatments, general practitioners will no longer be able to prioritize patient treatment directly. Faced with possible large-scale processing of particularly delicate health data involving a significant number of patients, the Garante requested information on the legal provisions underlying the processing, the type of algorithm used, the databases and the types of information and clinical documents that would be processed. The press release (In Italian) can be read here.

United Kingdom: The ICO offers data protection advice to the UK’s five and a half million SMEs ahead of World Data Protection Day

Ahead of Data Protection Day (28 January), the Information Commissioner’s Office (ICO) is encouraging the UK’s 5,501,000 small-and-medium-sized businesses (SMEs) to check they have the right data protection and security practices in place to help sustain and develop their businesses. The UK regulator says getting good data practices in place from the start will save business owners time and money, and boost customer confidence. Supporting SMEs is a key priory reflected in the ICO’s 3 year strategic plan. The press release can be read here.


GDPR-like privacy regulation in Ukraine

Coming this summer, the Ukraine aims to adopt it’s Privacy Bill and would take effect on January 1, 2024. The new regulation is set to mirror the requirements found in the GDPR. This has been lauded as a sensible move as Ukrainian companies already aim to comply with the GDPR when conducting business. Read article here.

Swedish presidency tries to close in on the Data Act

On Wednesday evening (24 January), the Swedish presidency of the EU Council circulated a new compromise on the Data Act, touching on scope, trade secrets, business-to-government (B2G) data access, international transfers, and compensation for data sharing scenarios, among other things. The EURACTIV article can be read here.

FTC to Boost Efforts to Limit Junk Fees, Corporate Surveillance

The U.S. Federal Trade Commission plans to heighten its focus on junk fees, dark patterns, and consumer privacy violations through potential new rules and enforcement actions, a top agency official said. The Bloomberg article can be read here.

Comply with EU rules or face ban, Breton tells TikTok CEO

TikTok needs to bring its business in line with the EU’s Digital Services Act (DSA) well ahead of the deadline of Sept. 1, European Commissioner Thierry Breton tells TikTok CEO Shou Zi Chew. “We will not hesitate to adopt the full scope of sanctions to protect our citizens if audits do not show full compliance,” Breton said. TikTok said in response that it was committed to the DSA, and also outlined its efforts to comply with other EU legislation, such as GDPR data protections rules and a code of practice on disinformation. The Reuters article can be read here.

French privacy chief warns against using facial recognition for 2024 Olympics

The French data protection authority’s president Marie-Laure Denis warned Tuesday against using facial recognition as part of the 2024 Paris Summer Olympics security toolkit. The French government is seeking to ramp up France’s arsenal of surveillance powers to ensure the safety of the millions of tourists expected for the 2024 Paris Summer Olympics. The plans include AI-powered cameras for the first time — but the inclusion of facial recognition capability is not foreseen as present. French parliamentary debates on new surveillance powers are on-going. You can read the POLITICO article here.

LastPass owner GoTo says hackers stole customers’ backups

“LastPass” parent company GoTo — formerly LogMeIn — has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems. The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an ‘unauthorized party’ had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data. GoTo, which bought LastPass in 2015, said at the time that it was investigating the incident.

Now, almost two months later, GoTo said in an updated statement that the cyberattack impacted several of its products, including business communications tool Central; online meetings service; hosted VPN service Hamachi, and its Remotely Anywhere remote access tool.” Read the TechCrunch article here.

NIST AI Risk Management Framework Aims to Improve Trustworthiness

NIST today released its Artificial Intelligence Risk Management Framework (AI RMF 1.0), a guidance document for voluntary use by organizations designing, developing, deploying or using AI systems to help manage the risks of AI technologies. The Framework seeks to cultivate trust in AI technologies and promote AI innovation while mitigating risk. The full press release can be read here.

CIPL Publishes Discussion Paper on Digital Assets and Privacy

The Centre for Information Policy Leadership (CIPL) published “Digital Assets and Privacy,” a discussion paper compiling insights from workshops with CIPL member companies that explored the intersection of privacy and digital assets, with a particular focus on blockchain technology. The paper includes recommendations for developing coherent, tech-friendly, future-focused, and pragmatic regulations and policies. The press release and paper can be read here.


Norway: The Norwegian SA fines Recover AS for violation of privacy

The Norwegian SA has fined Recover AS EUR 20,000 for non-compliance. The matter concerns a credit rating performed without legal basis. The background to the fine is a complaint from a private individual who was subjected to a credit assessment without any form of customer relationship or other connection to the company Recover AS. Read article (in Norwegian) here.

Italy: The Garante sanctions three Friulian Local Health Authorities for use of the algorithm

The Garante has sanctioned three Friulian Local Health Authorities who, through the application of algorithms, pre-determined and classified patient risk levels of incurring secondary health complications in the event of a Covid-19 infection. The DPA’s investigation found that patient data had been processed in the absence of a suitable legal basis in relation to methodology and purpose of processing, and without a prior DPIA being carried out as required by EU data protection laws. the Garante ordered each of the three organisations to pay a fine of 55,000 euros and proceed with the deletion of the processed data. A summary of the actions (in Italian) taken can be read here.