Data Protection Weekly 42/2023

Oct 24, 2023

 European Union

European Commission: Recommendations for Member States to fast-track DSA governance to enhance incident response

The European Commission has published a set of recommendations urging Member States to prompt the implementation of the Digital Services Act (DSA) to better tackle illegal online content. This comes amid increasing conflict and instability affecting the European Union, including Russia’s aggression against Ukraine and terrorist attacks by Hamas on Israel. The Commission seeks swift coordination to enforce the DSA, which sets out obligations for Very Large Online Platforms and Search Engines to adopt measures mitigating systemic risks posed by their systems, including the dissemination of illegal content. The Commission is also encouraging Member States to designate an independent authority as part of a network of prospective Digital Services Coordinators, ahead of the legal deadline of 17 February 2024. The recommendations will remain in effect until that date, after which the DSA’s full enforcement framework will apply. You can read the press release here.

EDPB- EDPS: Joint Opinion on Digital euro proposal

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a Joint Opinion on the proposed Regulation on the digital euro as a central bank digital currency. The digital euro aims to offer an alternative means of payment alongside cash, both online and offline. Both bodies commend the proposed Regulation for considering many data protection aspects, such as minimising personal data processing through an offline modality. However, they also make several recommendations for enhanced data protection and privacy standards. Specifically, they call for clarity on how user identifiers will be processed and question the necessity of a single access point for holding limit verification. They also propose less intrusive alternatives to the current fraud detection and prevention mechanisms and recommend defining specific data protection responsibilities for the European Central Bank and payment service providers. The Joint Opinion aims to ensure robust data protection measures are embedded from the design phase of the digital euro. You can read the press release here and download the Joint Opinion here.

EDPB: 2024 Coordinated Enforcement Action selected

During its recent October plenary, the European Data Protection Board (EDPB) revealed the focus of its third coordinated enforcement action: the right of access by controllers. Scheduled for launch in 2024, the EDPB will now move forward to outline specific details. Coordinated actions are an essential part of the EDPB’s strategy, whereby data protection authorities (DPAs) concentrate on a topic at the national level. These efforts are then bundled and analysed to gain in-depth insights and facilitate targeted initiatives on both national and EU levels. Last year, the board chose the designation and role of data protection officers (DPOs). A report on the outcomes of the 2023 coordinated action is expected in the coming months. This action is part of the EDPB 2021-2023 Strategy, together with the creation of a Support Pool of Experts (SPE) aimed to enhance enforcement and cooperation among DPAs. You can read the press release here.

ENISA: Publication of 11th Threat Landscape report

The European Union Agency for Cybersecurity (ENISA) has unveiled its 11th Threat Landscape report, which calls attention to the risks posed by AI-enabled information manipulation ahead of the 2024 European elections. The report, encompassing incidents from July 2022 to June 2023, noted 2,580 incidents, with 220 specifically targeting multiple EU Member States. While public administrations and the health sector were most targeted, accounting for 19% and 8% respectively, the disruptive impacts of AI chatbots and AI-enabled manipulation of information are highlighted as emerging concerns. ENISA’s Executive Director, Juhan Lepassaar, stressed the need for secure cyber infrastructures and trustworthy information to maintain faith in democratic processes. Amongst other threats, ransomware remains dominant, making up 34% of all incidents. You can read the press release here and download the full report here.

Council of Europe: Portugal and Hungary ratify Convention 108+

On 18 and 19 October 2023, Portugal and Hungary respectively ratified the Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data , also known as Convention 108+. With these ratifications, they become the 29th and 30th State Parties to sign up to the updated Convention 108. Portugal has been a party to the original convention since 1994, while Hungary joined in 1998. These new commitments take the instrument closer to its entry into force, which requires a minimum of 38 ratifications. In 2023 alone, ten ratifications and two additional signatures have been secured. Convention 108+ remains the only international legally binding instrument dedicated to personal data protection and privacy, emphasising its importance in a digitalising world. You can read the respective press release here and here.

National Authorities

Germany: DSK raises concerns over EU regulation on chat scanning

The committee of Independent German Federal and State Data Protection Supervisory Authorities – in abbreviated form “Data Protection Conference” (German abbreviation “DSK”) has issued a statement warning against “disproportionate and indiscriminate mass surveillance” ahead of EU Council deliberations on the surveillance of electronic communications for the purpose of prosecuting child abuse online. While the committee agrees on the importance of protecting children, it has raised concerns about the proposed “chat scanning” regulation. The proposal, first introduced by the European Commission in May 2022, would require email, messenger, and chat service providers to detect and report instances of child sexual abuse material. The DSK claims that the proposal, if enacted, would subject all electronic communications to surveillance without discrimination and without reasonable suspicion. Furthermore, the need to break end-to-end encryption could jeopardise the security of electronic communications. The committee emphasises that this level of surveillance could infringe upon fundamental rights like privacy, confidentiality of communications, and data protection. You can read the full press release here.

Belgium: APD releases checklist for proper cookie usage

The Belgian data protection authority (APD) has released a checklist to guide organisations in ensuring their cookie practices align with existing regulations. Cookies have been announced as one of the APD’s priorities for the year 2023. This new tool offers a step-by-step guide on the “dos and don’ts” concerning cookies and similar tracking mechanisms. The checklist emphasises that only strictly necessary cookies are exempt from requiring user consent. Any other category of cookies may only be placed and read if the user has provided their consent in a manner that is clear, affirmative, specific, informed, and unambiguous. The checklist will be added to the APD’s existing toolbox for data controller, which already includes templates of record of processing activities, a DPO checklist, and a diagram of rights based on legal basis. You can read the press release here and find the checklist here (both in French or Dutch).

Spain: AEPD approves revised Code of conduct for data processing in advertising

The Spanish data protection authority (AEPD) has approved a revision of the Code of Conduct for “Data processing in advertising activities”, an initiative led by the Association for the Self-Regulation of Commercial Communication (AUTOCONTROL). The principal changes arise from the need to align the Code with new regulations set forth by the General Telecommunications Law and the Data Protection Act, as well as provisions in AEPD Circular 1/2023. The Code outlines a process for extra-judicial resolution of conflicts between citizens and entities adhering to the Code, especially in advertising sector. It covers various aspects such as unsolicited advertising, use of cookies, and data profiling for advertising purposes. In the event of disputes, AUTOCONTROL is designated to initiate mediation procedures, thereby offering a more agile response for public complaints. This affords citizens a voluntary and free mediation channel to lodge grievances against companies that adhere to the code. You can read the press release here (in Spanish).

France: CNIL updates FAQ on EU-US adequacy decision

The French data protection authority (CNIL) has updated its FAQ concerning the European Commission’s recent decision on data adequacy between the EU and the US. Initially established on 10 July 2023, this decision recognises that the United States offers a substantially equivalent level of data protection as the European Union, thereby simplifying data transfers under specific conditions. The updated FAQ, released on 18 October 2023, brings modifications to questions 5 and 8. It aims to elucidate key aspects of this new framework, such as what organisations should do if their American counterpart isn’t listed by the US Department of Commerce and its implications for various data transfer tools. This updated document serves as an essential guide for professionals navigating EU-US data transfers. You can read the FAQ here (in French).

Norway: Datatilsynet prepares next round of applications for its regulatory sandbox

The Norwegian data protection authority (Datatilsynet) is preparing for the next round of applications for its regulatory sandbox. Aimed at fostering innovative projects in digitalisation and artificial intelligence, the sandbox offers in-depth guidance and creative collaboration beyond what is normally provided by regulatory oversight. The ultimate goal is to ensure robust data protection measures are implemented before a project’s completion. An informational meeting is scheduled for potential applicants on 25 October, to be held digitally but also accessible from the Nokios Conference venue. The application deadline for this new round is 1st November 2023. During the meeting, attendees can learn more about the application process and gain clarifications on project execution. You can read the press release here (in Norwegian).


UK: Clearview AI wins appeal against ICO fine

Controversial facial recognition company, Clearview AI, recently won an appeal against a penalty imposed by the UK data protection authority (ICO). The ICO had previously fined Clearview £7.5 million, citing multiple breaches of UK data protection laws, and mandated the deletion of data on UK citizens. However, the appeal succeeded based on jurisdictional grounds. The tribunal ascertained that the company’s activities were exempt from UK data protection law due to their exclusive service to non-UK/EU law enforcement and national security bodies. Essentially, Clearview’s operations were deemed to be outside the territorial and material scope of UK data protection law. You can read the full decision here.

France: CNIL fines GROUPE CANAL+ €600,000 over commercial prospecting and GDPR rights issues

The French data protection authority (CNIL) imposed a fine of 600,000 euros against GROUPE CANAL+ for failing to meet several obligations under the General Data Protection Regulation (GDPR) and the French Post and Electronic Communications Code (CPCE). The fine followed numerous complaints lodged against the company, which specialises in the distribution of pay television offers, for not adequately addressing individuals’ data rights. Among the breaches were the company’s failure to obtain valid consent for electronic commercial prospecting. They also failed to provide the requisite information during the data collection process. CNIL’s investigations also revealed that GROUPE CANAL+ did not have appropriate measures to ensure data security and failed to notify CNIL about a data breach. The amount of the fine took into account the company’s efforts to remedy its non-compliance during the investigation. You can read the press release here and the full decision here (in French).

Sweden: IMY fines H&M for  mishandling consumers’ right to object to direct marketing

The Swedish data protection authority (IMY) has found that retail giant H&M has not adequately handled requests from individuals wishing to opt-out of marketing communications. This investigation came about following six complaints lodged by residents of Poland, Italy, and Great Britain. IMY had jurisdiction over the matter because H&M’s headquarters are located in Sweden. IMY determined that H&M has contravened GDPR rules by failing to promptly stop the use of complainants’ personal data for direct marketing purposes. IMY stated that H&M lacked efficient systems to facilitate individuals’ rights to object to such communications. Therefore IMY has imposed an administrative fine of SEK 350,000 (equivalent to € 30,100) on H&M for its GDPR violations. You can read the press release here.

Poland: Warsaw court upholds UODO fine against Virgin Mobile

The Provincial Administrative Court in Warsaw has upheld a revised fine of PLN 1.6 million against P4 Sp. z o.o., the legal successor to Virgin Mobile Polska, for GDPR violations related to a data breach. The breach involved inadequate technical and organisational measures in IT systems used to register personal data of subscribers to prepaid service. The fine was initially set at PLN 1.9 million (equivalent to €426,000), but was later reduced by the Polish data protection authority (UODO). Initially, the court had found that the UODO had not sufficiently explained the amount of the fine, particularly in regard to Article 83 of the GDPR. Upon reconsideration, the UODO revised the fine and provided specific justifications, leading the court to uphold the adjusted fine this time around. The court also clarified that P4, which acquired Virgin Mobile Polska, is legally responsible for past administrative offences, including data protection violations. You can read the press release here (in Polish).