Data Protection Weekly 45/2023

Nov 13, 2023

CEDPO

ADPO: Upcoming webinar focuses on 2024 planning for DPOs

As the year-end approaches, Data Protection Officers (DPOs) are in the process of finalising their 2024 plans. The Association of Data Protection Officers (ADPO), Irish member of CEDPO, is hosting a webinar on 15th November 2023 at 12:00 pm CET aimed at assisting DPOs in this crucial task. The webinar will discuss current topics of interest within the Data Protection Commission and other EU data protection authorities that could impact organisations. It will also address what DPOs should consistently include in their annual plans, recommend metrics or key performance indicators for reporting, and suggest best practices for reporting and monitoring data protection plans to leadership. The webinar will feature Fintan Swanton, former ADPO chairman and leading data protection expert, who will share insights on what to consider for the year ahead. You can register here.

European Union

EU Trilogue: Final agreement on the European Digital Identity Wallet regulation

On November 8, 2023, the European Parliament and the Council of the EU reached a final agreement on the Regulation establishing European Digital Identity Wallets. The agreement marks a significant milestone in the creation of a secure and trusted digital identity framework for all Europeans, in line with the Digital Decade 2030 targets for digitalising public services. The EU Digital Identity Wallet will let EU citizens and residents securely access both public and private online services across Europe while keeping control over their personal data. Very Large Online Platforms under the Digital Services Act will be required to accept the wallet for user authentication. The wallet will store the user’s digital identity and support functions such as opening bank accounts, making payments and holding digital documents. It must respect user privacy, be security-certified to a high standard, and have its core code published as open source so that misuse or unlawful tracking can be detected. The wallet will also feature a dashboard for monitoring transactions and a way to report suspected data protection violations. After formal approval, the Regulation will enter into force 20 days after its publication in the Official Journal, and Member States must make the wallets available within 24 months of the adoption of the technical specifications. You can read the press release here.

EU Trilogue: Provisional agreement on political advertising regulation

On November 7, 2023, the Council presidency and European Parliament negotiators reached a provisional agreement on a new regulation on the transparency and targeting of political advertising. The measure responds to concerns about information manipulation and foreign interference in elections, and aims to enable citizens to recognise political ads, understand who is behind them and make informed choices. The scope covers advertising by political actors and advertising designed to influence voting behaviour, whether paid or produced in-house, but excludes personal opinions and editorial content. Strict limits are placed on the use of personal data for ad targeting: explicit consent is required, and profiling based on special categories of data is banned. The regulation also prohibits providing political advertising services to third-country sponsors in the run-up to elections and creates a European public repository for online political ads. The rules will apply 18 months after the regulation enters into force. You can read the press release here.

European Parliament: Adoption of the Data Act

The European Parliament has approved the ‘Data Act’ by 481 votes to 31. The new legislation sets clearer rules on access to and use of data generated by connected products and related services, including Internet of Things devices and industrial machinery. The Act is intended to stimulate new services, particularly in sectors such as artificial intelligence where large volumes of data are needed to train algorithms, and to lower the cost of after-sales services and repairs for connected devices. In exceptional circumstances it allows public sector bodies to access and use data held by the private sector. The legislation also includes safeguards for trade secrets and against unlawful data transfers and data leaks to countries with weaker data protection rules. With this parliamentary vote, the Data Act moves closer to becoming law, pending formal approval by the Council. You can read the press release here.

EDPS and ICO sign Memorandum of Understanding

The European Data Protection Supervisor (EDPS) and the UK’s data protection authority (ICO) have deepened their cooperative efforts in data protection with the signing of a new Memorandum of Understanding (MoU). This agreement solidifies their shared commitment to safeguarding individual data privacy and extends their collaborative work in international settings, including the Global Privacy Assembly and the G7 DPAs Roundtable. The MoU outlines plans for sharing experiences, joint project cooperation, intelligence exchange to bolster regulatory efforts, and fostering dialogue among data protection authorities. Both John Edwards, UK Information Commissioner, and Wojciech Wiewiórowski of the EDPS, emphasise this MoU as a step towards a unified approach in protecting privacy rights and adapting to the evolving digital landscape. This initiative marks a significant move in reinforcing data protection standards globally and reflects a concerted effort to prioritise individual rights in both the EU and UK. You can read the press release here and download the MoU here.

EDPS: Publication of a study on the essence of privacy and data protection rights

The European Data Protection Supervisor (EDPS) has sponsored a new background paper exploring the requirement to respect the ‘essence’ of the right to respect for private life and of the right to the protection of personal data whenever these rights are limited under European Union (EU) law. The requirement is explicitly set out in Article 52(1) of the Charter of Fundamental Rights of the EU and is now also referred to in EU secondary law. Through a thorough review of the existing literature and case law, mainly from the Court of Justice of the EU and the European Court of Human Rights (ECtHR), the paper acknowledges the limits of current knowledge and pinpoints critical areas needing further exploration. Rather than attempting to define the essence of these rights in the abstract, the paper proposes a practical approach focused on the circumstances under which a limitation of a right might breach the essence requirement. You can read the press release here.

CJEU: Car manufacturers must make VINs available to independent operators

In Case C-319/22, the Court of Justice of the European Union (CJEU) ruled on the disclosure of Vehicle Identification Numbers (VINs) by car manufacturers. The case, which concerns the interplay between Regulation (EU) 2018/858 and the GDPR, asked whether manufacturers must provide VINs to independent operators given that a VIN may constitute personal data. The CJEU confirmed that such disclosure is a legal obligation under Regulation 2018/858 and is therefore compatible with the GDPR, which permits processing necessary to comply with a legal obligation. The judgment clarifies the balance between access to vehicle information for market competition and adherence to data protection standards. You can read the press release here and the full decision here.

National Authorities

Iberian Data Protection Authorities Summit: AEPD and CNPD raise concerns over the surge in digital violence

The Spanish data protection authority (AEPD) and the Portuguese data protection authority (CNPD) have raised serious concerns over the surge in digital violence and its harmful impact on mental and physical health, noting that in severe cases the harm is irreversible. At the recent ‘Iberian Data Protection Authorities Summit’, the two authorities resolved to strengthen measures that could curb the spread and damage of such violence, which often affects vulnerable groups such as survivors of gender-based violence and minors. They stressed the urgency of developing preventive actions and rapid-response tools to stop the unlawful dissemination of personal data online, and highlighted the AEPD’s ‘Priority Channel’, an award-winning initiative for protecting individuals from digital violence. The summit also addressed the protection of minors from addictive or problematic use of digital devices and from inappropriate content, calling for the immediate implementation of age verification systems that comply with data protection rules. You can read the AEPD press release here (in Spanish) and the CNPD press release here (in Portuguese).

Norway: Datatilsynet releases report on inspections of municipalities

The Norwegian data protection authority’s (Datatilsynet) recent inspections of municipalities and county councils have culminated in a summary report detailing the state of personal data security. After initial letter checks and subsequent local inspections across 98 local entities, findings show a commitment to privacy despite resource constraints. Municipalities demonstrate strong privacy frameworks and technical safeguards, yet the report pinpoints a deficiency in overarching guidelines and specific procedures. The Datatilsynet calls for enhanced, comprehensive guidance to fortify privacy practices further. Emphasising the importance of privacy and information security, the report serves as both a commendation of efforts made and a directive for improvement. You can read the press release here and the full report here (both in Norwegian).

Norway: Datatilsynet examines Meta’s consent approach to behavioural marketing

As Meta introduces a choice between a paid, ad-free experience and a free, ad-supported version on Facebook and Instagram, the Norwegian data protection authority (Datatilsynet), is evaluating the compliance of this new consent model with the General Data Protection Regulation (GDPR). This scrutiny follows Meta’s shift in strategy after being instructed to halt behaviour-based marketing. Users are now greeted with a decision prompt upon logging in, raising doubts about the legitimacy of consent when it’s tied to financial incentives. Scepticism mounts, especially since declining “consent” to behaviour-based advertising leads to a fee-based service. Datatilsynet is actively involved in a Europe-wide assessment to determine the legality of Meta’s approach and is expected to provide further insights shortly. You can read the press release here (in Norwegian).

Italy: Garante endorses information system for addiction

The Italian data protection authority (Garante) has given its approval to the Health Ministry’s draft decree on the National Information System for Addiction (SIND), after a thorough dialogue ensuring compliance with data protection requirements. The Garante’s main conditions included the non-collection of prisoner status data and adherence to current legislation. It was also confirmed that HIV monitoring through SIND will be strictly based on aggregate data, with no personal details involved. The Garante has stipulated specific data retention periods, aligning with technical and scientific criteria. Additionally, the Garante reminded national statistical system members to follow the proper data processing regulations when utilising SIND for statistical analysis or research. You can read the press release here (in Italian).

Sanctions

France: CNIL issues ten new sanctions under its simplified procedure

The French data protection authority (CNIL), has enacted ten new sanctions via a streamlined procedure, addressing concerns over geolocation of company vehicles, employee video surveillance, data minimisation, and the right to object. This action comes in the wake of numerous complaints on these issues. Fines totalling 97,000 euros were imposed on various entities for failing to comply with several obligations, including responding to CNIL requests, data minimisation, and upholding individuals’ rights. Introduced in 2022, the simplified procedure allows for swift action in straightforward cases, with penalties up to 20,000 euros. This has bolstered the CNIL’s enforcement capacity in light of a 72% increase in complaints since the GDPR’s introduction in 2018. The CNIL emphasised the overreach in employee monitoring via geolocation and continuous video surveillance, deeming such practices excessive and disproportionate unless justified by exceptional circumstances. The CNIL aims to continue this efficient sanctioning method and will update the public via its website. You can read the full article here.

Sweden: IMY fines company SEK 500,000 for misdirected customer data email

The Swedish data protection authority (IMY) has imposed a fine of SEK 500,000 (roughly €43,000) on a company for mistakenly sending customers an email with an attached file containing the financial details of thousands of other customers. The investigation began after a complaint about the advisory firm Indecap, which had emailed numerous clients a file intended for internal reporting that disclosed personal data including customers’ names, personal identity numbers, bank and investment choices. Although the file did not contain details such as account numbers or login credentials, it covered over 52,000 customers. Once the error was discovered the mailing was halted, by which point approximately 2,800 clients had received the file. IMY noted that human error, a factor in 60% of the data breaches reported to it last year, underscores the need for adequate security measures. IMY’s final assessment found that the company’s handling of the data breached the GDPR, and imposed the fine because the security measures were insufficient in relation to the risks of the processing. You can read the press release here and the full decision here (both in Swedish).

Italy: Garante fines company for unlawful telemarketing practices

A coffee producer has been fined €70,000 by the Italian data protection authority (Garante) for aggressive telemarketing practices. The decision follows multiple reports from individuals who received unsolicited calls, some from spoofed numbers, particularly after purchasing the company’s coffee products. The company used personal data for marketing without valid consent and without providing adequate information, in breach of privacy law. Data obtained through various channels, including third-party companies, was used for marketing without checking whether the individuals were registered in the Public Register of Oppositions (RPO). The Garante’s investigation found that the company treated the act of purchasing as consent to marketing and failed to carry out the necessary checks on how the data had been acquired. The company has been ordered to erase all unlawfully obtained data and to implement comprehensive measures to ensure future compliance with data protection rules. You can read the press release here (in Italian).