Data Protection Weekly 40/2023

Oct 9, 2023

CEDPO

APEP: AEPD partnership results in new ValidaCripto tool to help evaluate encryption systems

The Spanish data protection authority (AEPD) has launched a new web-based tool, ValidaCripto RGPD, designed to help evaluate encryption systems for compliance with data protection regulations. The tool is an extension of the methodology guidelines for the validation of cryptographic systems in data protection processing, developed earlier this year in collaboration with APEP, a member of CEDPO, and ISMS Forum. ValidaCripto runs locally in the user’s browser, without sending data to or storing it on the AEPD’s servers. The tool provides step-by-step guidance on selecting the impact level of the encryption, categorising critical elements, reviewing suggested controls, and generating compliance documentation. The release highlights the growing emphasis on the role of encryption in safeguarding personal data; according to European Digital Rights (2023), encryption is currently used by two billion people every day. You can read the press release here (in Spanish); the tool is available here and the guidelines for cryptographic systems validation here (both in English).

European Union

European Commission: EU undertakes large-scale cyber-attack simulation

This week, senior cybersecurity representatives from EU Member States, the Commission, and the EU Agency for Cybersecurity (ENISA) participated in a two-day ‘Blueprint Operational Level Exercise’ (Blue OLEx 2023) to test EU preparedness in the event of a cyber-related crisis. Conducted under the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), the simulation aimed to strengthen emergency response strategies for large-scale, cross-border cyber incidents. The exercise integrated both the technical and the political layers of crisis response, serving as a conduit for coordinated decision-making. Besides preparedness, participants also discussed the future framework for EU-level cyber crisis management. The EU-CyCLONe network was formally established by the NIS2 Directive. You can read the press release here.

EDPB: Chair Anu Talus addresses confidentiality in data protection procedures

In a letter to Sophie in ‘t Veld, Member of the European Parliament, Anu Talus, Chair of the European Data Protection Board (EDPB), elaborated on the board’s perspective regarding confidentiality in data protection investigations. This was in response to recent amendments by the Irish Parliament related to confidentiality in these procedures. Stressing the importance the EDPB places on procedural confidentiality, Talus referred to Guidelines 02/2022, which offer directions for Lead Supervisory Authorities (LSAs) and Concerned Supervisory Authorities (CSAs) to collaboratively find legal solutions for confidentiality constraints. She recalled that the EDPB has also communicated a ‘wish-list’ to the EU Commission, advocating further harmonisation at the EU level, especially in the disclosure terms for controllers, processors, and complainants. Additionally, she discussed the European Commission’s Proposal issued on 4 July 2023, which aims to lay down additional procedural rules for GDPR enforcement. This proposal is designed to foster cooperation among supervisory authorities without impeding information exchange, while still maintaining the confidentiality of sensitive information. You can read the full letter here.

National Authorities

UK: ICO issues new guidance on workplace monitoring

The UK data protection authority (ICO) has recently published comprehensive guidance to inform employers on lawful, transparent, and fair monitoring of workers. With remote work becoming increasingly common, the guidance comes as a timely intervention. According to ICO-commissioned research, 70% of respondents find workplace monitoring intrusive, while only 19% would be comfortable with such monitoring in a new job. The new guidance applies to both the public and private sectors and not only clarifies the legal obligations but also suggests good practice measures to build trust between employers and employees. It details the steps an organisation must follow, such as making employees aware of the nature of and reasons for monitoring and conducting a Data Protection Impact Assessment where required. Deputy Commissioner Emily Keaney emphasises that while data protection law doesn’t prevent monitoring, it must be “necessary, proportionate and respect the rights of workers.” You can read the press release here and the full guidance here.

Denmark: Datatilsynet releases AI guidance for public sector

On 5 October 2023, the Danish data protection authority (Datatilsynet) published comprehensive guidance aimed at aiding public authorities in their development and use of artificial intelligence (AI). The guidance focuses on key considerations such as the legal basis for data processing, disclosure requirements, and impact assessments. Alongside the guidance, Datatilsynet also released a report mapping the current use of AI across the public sector. The report reveals that while AI is not yet widely used, where it is applied it often involves standard or specially developed solutions used by multiple agencies. The mapping also suggests that while public bodies generally establish a relevant basis for processing data, there is room for improvement in conducting timely impact assessments. This initiative not only emphasises the importance of data protection in AI but also aims to guide public bodies in navigating data protection challenges. You can read the press release here and the full guidance here (both in Danish).

Netherlands: AP raises concerns on Dutch bill to register sex workers

The Dutch data protection authority (AP) has raised concerns over a proposed law that would require local municipalities to register sex workers. The intent behind the legislation is to better monitor the sex industry and combat human trafficking. However, the AP warns that the bill could inadvertently harm the vulnerable population it aims to protect by driving them into unregulated sectors for fear of losing their privacy. Moreover, the proposal could lead to discrepancies in implementation across municipalities, increasing confusion. This marks the second time the AP has pointed out the potential adverse effects of legislation targeting sex workers. The AP advises a comprehensive review of the proposal to ensure alignment with EU Fundamental Rights and General Data Protection Regulation (GDPR) requirements. You can read the press release here (in Dutch).

Denmark: Datatilsynet clarifies colocation providers’ role

In response to an inquiry from Region Midtjylland, the Danish data protection authority (Datatilsynet) has clarified its stance on whether providers of colocation services should be considered data processors. According to Datatilsynet, a company, authority, or organisation offering colocation services should not necessarily be viewed as a data processor for the organisations to which the service is provided, especially if the colocation provider has no access to the personal data stored on the servers. Datatilsynet notes that colocation primarily involves providing physical facilities along with internet connectivity and power supply, rather than the processing of personal data. However, the authority also points out that there are certain circumstances under which a colocation provider could be considered a data processor. You can read the press release here and the full response here (both in Danish).

Italy: Garante issues new guide on school privacy

The Italian data protection authority (Garante) has released an updated version of its vademecum titled “La scuola a prova di privacy” (The Privacy-Proof School). This guide aims to provide schools, teachers, students, and families with comprehensive guidelines for protecting personal data within the educational environment. The manual covers various aspects such as the use of smartphones in classrooms, video surveillance, and digital attendance records. Notably, the guide offers advice on the lawful use of emerging technologies in education, such as distance learning and digital lesson recording. It also addresses issues of concern such as cyberbullying, revenge porn, and sexting, while highlighting best practices for digital education. This comes as technology is increasingly integrated into school life, making data protection more critical than ever. You can read the press release here and download the full guide here (both in Italian).

Luxembourg: CNPD publishes its 2022 Annual Activity Report

The Luxembourg data protection authority (CNPD) recently published its annual report highlighting its key achievements and initiatives of 2022. Having celebrated its 20th anniversary last December, the CNPD reiterated its commitment to safeguarding individual privacy rights. As part of its efforts to adapt to the digital age, the CNPD launched a groundbreaking certification scheme, GDPR-CARPA, in May 2022. This scheme allows organisations in Luxembourg to demonstrate compliance with GDPR requirements, making it the first of its kind at both the national and the European level. In addition, the CNPD was recognised as the competent authority for the EU’s first-ever data protection label, further solidifying its leadership in the field. Last year, the CNPD also issued 32 opinions on various legislative proposals and responded to 482 complaints, primarily concerning non-compliance with data protection rights. You can read the press release here and the full report here (in French).

Global

ICCL calls for transparent selection process for new Irish DPC leadership

The Irish Council for Civil Liberties (ICCL) has urged the Government to adopt a transparent and independent approach to selecting new leadership for the Irish Data Protection Commission (DPC). After years of advocating reforms, the ICCL welcomed the advertisement of two new Commissioner roles within the DPC. To ensure impartiality and prevent conflicts of interest, especially given the DPC’s responsibility for regulating public bodies and major tech firms, the ICCL suggests a robust appointment process managed by the Top Level Appointments Committee. Specific measures, such as delegating the shortlisting process to an independent board and involving human rights experts, have been recommended. The ICCL also emphasises the need for incoming Commissioners to possess expertise in procedural law and enforcement experience in complex domains, supporting the Oireachtas Justice Committee’s previous recommendations. The roles were officially advertised on 28 September 2023, more than a year after the Government announced plans for the appointment. You can read the ICCL statement here.

Fines

Croatia: AZOP fines debt collection agency for multiple GDPR violations

On 5 October 2023, the Croatian Data Protection Authority (AZOP) imposed its largest fine ever, €5.47 million, on debt collection agency EOS for numerous violations of the General Data Protection Regulation (GDPR). The case originated from an anonymous petition filed in March 2023, which provided evidence of unauthorised data processing affecting more than 180,000 individuals. Among the key findings were insufficient technical measures for identifying abnormal activity in the agency’s main database, which contained data on approximately 370,000 data subjects. AZOP also noted that EOS Matrix processed data of non-debtors and legal representatives without a legal basis. Additionally, the agency was found to have recorded health-related information on debtors without a legal basis and contrary to what was stated in its own policy. You can read the press release here and further information here.

UK: ICO issues preliminary enforcement notice against Snap

The UK data protection authority (ICO) has issued a preliminary enforcement notice to Snap, Inc. and Snap Group Limited over the AI chatbot feature ‘My AI’. The notice warns that Snap may have failed to adequately assess the privacy risks of the technology, particularly to children aged 13 to 17. Launched in February 2023 for UK Snapchat+ subscribers and subsequently rolled out to a wider UK audience in April, ‘My AI’ uses OpenAI’s GPT technology. The ICO’s investigation provisionally concluded that Snap’s risk assessment was lacking, especially given the innovative nature of the technology and the processing of children’s personal data. If the final enforcement notice is adopted, Snap could be barred from processing data connected to ‘My AI’ for UK users until a sufficient risk assessment is conducted. The ICO will consider any response from Snap before making a final decision. You can read the press release here.

Sweden: IMY imposes fine on Swedish school over CCTV use

The Swedish data protection authority (IMY) has reviewed the use of CCTV cameras at Aspudden School in Stockholm and found both justifications and concerns. Initiated following complaints about the extensive camera surveillance, the investigation revealed that the school had about 50 fixed cameras monitoring various areas, including toilets, around the clock. The IMY conceded that daytime surveillance at specific locations could be justified to tackle deliberately set fires, a serious risk to life and health. However, it criticised the school for excessive surveillance and for a lack of information to guardians and students. Consequently, the IMY has imposed an administrative fine of SEK 800,000 (equivalent to €69,000) on the Stockholm Education Committee and urged the school to limit daytime surveillance to problematic areas and to improve communication about it. You can read the press release here and the full decision here (both in Swedish).