Data Protection Weekly 44/2023

Nov 6, 2023

CEDPO

ADPO: Upcoming webinar focuses on 2024 planning for DPOs

As the year-end approaches, Data Protection Officers (DPOs) are in the process of finalising their 2024 plans. The Association of Data Protection Officers (ADPO), Irish member of CEDPO, is hosting a webinar on 15th November 2023 at 12:00 PM CET aimed at assisting DPOs in this crucial task. The webinar will discuss current topics of interest within the Data Protection Commission and other EU data protection authorities that could impact organisations. It will also address what DPOs should consistently include in their annual plans, recommend metrics or key performance indicators for reporting, and suggest best practices for reporting and monitoring data protection plans to leadership. The webinar will feature Fintan Swanton, former ADPO chairman and leading data protection expert, who will share insights on what to consider for the year ahead. You can register here.

European Union

EDPB: Urgent Binding Decision on processing of personal data for behavioural advertising by Meta

The European Data Protection Board (EDPB) has adopted an urgent binding decision directing the Irish Data Protection Authority (DPC) to take final measures against Meta Ireland Limited within two weeks. The decision mandates a ban on processing personal data for behavioural advertising based on contract and legitimate interest across the European Economic Area (EEA). This decision followed a request from the Norwegian data protection authority and aims to have an EEA-wide effect. The ban will come into effect one week after the final measures are notified by the DPC to Meta. The DPC notified Meta on 31 October about the EDPB urgent binding decision and is currently evaluating, together with the Concerned Supervisory Authorities, Meta’s proposed consent-based approach as a new legal basis for data processing. EDPB Chair Anu Talus emphasised the urgent need for Meta to comply with data protection laws and cease unlawful processing activities. You can read the press release here.

European Commission: EU and Japan reach agreement on cross border data flows

The EU and Japan have finalised a landmark agreement to facilitate cross border data flows, aiming to make online business operations easier, less costly, and more efficient. The deal was announced at the EU-Japan High-Level Economic Dialogue, co-chaired by leaders including European Commission Executive Vice-President, Valdis Dombrovskis. This agreement is a crucial step in advancing digitalisation and is slated to be part of the EU-Japan Economic Partnership Agreement (EPA). It lays the groundwork for a unified approach to digital trade and opposes digital protectionism. The pact will benefit companies across various sectors, allowing for streamlined data management and a predictable legal environment. A noteworthy feature of the deal is the elimination of costly data localisation requirements, which will spare businesses the complexity and expense of local data storage. The agreement also reaffirms both regions’ commitment to a rules-based international trading system and the intention to shape global data flow rules that align with their values and regulations. You can read the press release here.

ECHR: Violation in injunction on Bild nightclub-arrest video

The European Court of Human Rights (ECHR) has delivered a nuanced verdict regarding a video published by German media outlet Bild, featuring a police officer’s face during a nightclub intervention in Bremen. The officer, identified as Officer P., obtained a German court injunction requiring that his face be blurred. While acknowledging the necessity to balance Officer P.’s privacy rights against public interest, the ECHR observed shortcomings in the German courts’ approach. In particular, the ECHR criticised that the German courts, without assessing the contribution to public debate, made a generalised statement that neutral coverage of police actions could not be considered a reflection of general societal aspects, making it unlawful. This rationale could result in an unjustifiable ban on future unedited footage of officers performing their duties. Consequently, the injunction was deemed overly broad and in violation of Article 10 of the European Convention on Human Rights. Bild was awarded 12,000 euros for costs and expenses. You can download the press release here.

National Authorities

Spain: AEPD explores synthetic data in AI and privacy

In a new blog post, the Spanish data protection authority (AEPD) highlights the role of synthetic data in advancing AI while preserving privacy. These datasets are designed to replicate the intrinsic characteristics of real data for specific AI applications, providing a solution for scenarios lacking sufficient data. The AEPD stresses that creating synthetic data from personal information should comply with GDPR principles, focusing on accountability and reidentification risks. The AEPD also explains the techniques for synthesising data, including deep learning and Generative Adversarial Networks (GANs), where two neural networks work in tandem to produce data that maintains the statistical distribution of the original. This approach ensures that synthetic data not only serves its intended analytical purpose but also aligns with stringent data protection standards. Synthetic data is crucial for the data economy and for protecting privacy; however, its suitability must be carefully weighed in each case. You can read the blog post here (in Spanish).

Ireland: DPC releases independent governance review

The Irish data protection authority (DPC) has published the findings of an independent review conducted by PwC on its governance structures, staffing, and processes. Commissioned by the Minister for Justice, the review aims to assess and strengthen the DPC’s capability to meet its increasing responsibilities. The report puts forth several governance models tailored to the DPC’s unique standing as one of Europe’s most impactful and scrutinised data supervisory authorities. Each model outlines associated risks, opportunities, and unique considerations. While the DPC retains complete independence in its governance decisions, the report serves to guide the commissioners in making effective choices to maintain agility and high standards in data protection. The document is available here.

Sweden: IMY’s opinion on proposed changes of legislation regarding data retention of electronic information

A government inquiry in Sweden has been tasked with reviewing legislation requiring providers of electronic communication services to store data for law enforcement purposes. The Swedish data protection authority (IMY) has now commented on the proposed changes. IMY endorses the proposal as an enhancement of the current legislation. The authority concurs with the need for law enforcement to access electronic information for preventing and investigating serious crime but emphasises the necessity to balance this against fundamental human rights as outlined by the European Convention on Human Rights and the EU Charter of Fundamental Rights. IMY, however, raises concerns over what it calls “geographically targeted retention”, i.e. the retention of internet traffic data of all individuals in a certain geographical area, saying it could be too broad and contravene the Court of Justice of the European Union’s (CJEU) decisions. The authority suggests that such sweeping data storage could risk being invalidated by the CJEU and offers suggestions to make the proposal more aligned with EU law. You can read the press release here and the full opinion here (both in Swedish).

Spain: AEPD launches new data protection chatbot

The Spanish data protection authority (AEPD) has introduced a virtual assistant to address common data protection and privacy questions. Designed to be user-friendly, the chatbot offers 11 thematic sections that cover the most relevant topics in straightforward language. It operates 24/7 and allows a direct connection with a live agent during working hours. Unlike traditional methods, it doesn’t require any electronic certification or user identification. The chatbot is seen as a supplemental aid to the existing channels for public queries and is also designed to assist those with hearing impairments. The interface is easily accessible from the AEPD’s homepage. You can read the press release here (in Spanish).

Netherlands: AP approves Code of Conduct for ISPS companies

The Dutch data protection authority (AP) has approved the Privacy Code of Conduct for Access Policy of ISPS companies created by Port Privacy B.V. ISPS companies are port enterprises that handle international shipping, and are obligated to implement an access policy for securing ships and port facilities, during which personal data is processed. While the AP has granted approval, it has attached a suspensive condition due to the absence of a required supervisory body. Any sector can request AP’s endorsement of its code of conduct, given it meets the standards and effectively operationalises GDPR. Moreover, stakeholders who failed to submit their views earlier without reasonable fault can still lodge an appeal against AP’s decision. The documents related to AP’s decision are publicly accessible as of 1st November 2023. You can read the press release here (in Dutch).

Global

US President issues comprehensive Executive Order on AI safety and security

President Biden has issued a comprehensive Executive Order focused on enhancing the safety, security, and responsible use of artificial intelligence (AI) in the United States. The initiative places a strong emphasis on accelerating the development of privacy-preserving technologies to safeguard Americans’ privacy. It tasks the National Institute of Standards and Technology (NIST) with crafting new safety standards that will be implemented across multiple sectors by various departments. Significantly, the order mandates that AI developers disclose safety data and key information to the U.S. government. It also addresses equity, civil rights, and protections for consumers and workers, while setting guidelines to lessen AI’s negative impact on job displacement and workplace biases. Additionally, it pledges support to small AI developers and entrepreneurs, encouraging innovation. This marks a significant effort to comprehensively address the challenges and opportunities presented by AI. You can read the press release here and the Executive Order here.

G7 Leaders approve Hiroshima AI Process Guiding Principles and Code of Conduct for Advanced AI

Leaders of the Group of Seven (G7) have released a statement strongly endorsing the Hiroshima AI Process. This initiative aims to guide the ethical and practical aspects of advanced Artificial Intelligence (AI) systems, specifically focusing on foundation models and generative AI. The statement emphasises the importance of human-centric values and democratic norms. The G7 welcomed the Hiroshima Process International Guiding Principles and International Code of Conduct for Organisations Developing Advanced AI Systems. These documents are intended to be updated regularly to stay relevant to the swiftly evolving AI landscape. The leaders also instructed their ministers to develop a Comprehensive Policy Framework by the end of the year. This framework will be developed in cooperation with the Global Partnership for Artificial Intelligence (GPAI) and the OECD, and aims for global outreach that includes developing and emerging economies. You can find G7 Leaders’ statement here, the Hiroshima Process Guiding Principles here and the International Code of Conduct here.

Facebook and Instagram to offer ad-free subscription in Europe

In a significant shift, Meta will offer an ad-free experience on Facebook and Instagram for a subscription fee in the EU, EEA, and Switzerland, while maintaining the traditional ad-supported model as an alternative. This initiative, starting in November, aligns with the latest European regulatory requirements, including a recent ruling by the Court of Justice of the European Union and the imminent entry into force of the Digital Markets Act. Users can subscribe for €9.99/month via the web or €12.99/month on mobile platforms, reflecting additional fees from app stores. From March 2024, extra charges will apply for each linked account. Meta upholds its belief in the value of an ad-supported internet for users and small businesses but acknowledges the need for compliance and user choice under GDPR. Advertisers will continue to reach non-subscribers, ensuring the sustainability of personalised advertising. This new model is considered in Meta’s financial forecasting. You can read the press release here.

Sanctions

UK: ICO issues Reprimand to Derby and Burton NHS Trust for mishandling patient referrals

The UK’s data protection authority (ICO) has issued a reprimand to the Derby and Burton NHS Foundation Trust (UHDB) for the loss of patient referrals. A computer system glitch resulted in some referrals being delayed or completely lost. The problem was first noted at The Florence Nightingale Community Hospital in Derby and came to light when a patient complaint was filed in January 2023. Investigations revealed that UHDB failed to maintain adequate security measures or formal processes for managing referrals, affecting nearly 5,000 patients. Over 4,100 patients faced delays, while 569 lost their referrals entirely. Some patients had to wait more than two years for medical treatment. The ICO has recommended remedial actions, including support for affected patients and instituting procedures to prevent future mishaps. You can read the press release here.

UK: ICO fines three companies for illegal direct marketing

The UK data protection authority (ICO) has imposed fines amounting to £170,000 on three financial service companies for breaches of the Privacy and Electronic Communications Regulations (PECR). Digivo Media Ltd, trading as Rid My Debt, incurred a £50,000 penalty for distributing over 415,000 unsolicited text messages without proper consent. Meanwhile, MCP Online Ltd faced a £55,000 fine for making nearly 21,000 unauthorised calls to individuals registered with the Telephone Preference Service. Additionally, Argentum Data Solutions Ltd was charged £65,000 for sending and facilitating the dispatch of over 2.3 million marketing texts, also without valid consent. These messages not only lacked consent but failed to provide sender identification or an opt-out mechanism, compounding their legal infractions. The ICO has expressed a commitment to combating such invasive practices, particularly those targeting vulnerable populations, and supports governmental initiatives to ban cold calling in consumer financial services. You can read the press release here.