Data Protection Weekly 46/2023

Nov 20, 2023

CEDPO

CNIL with the help of AFCDP releases retention guidelines for social and medico-social sectors

On 15th November 2023, the CNIL unveiled a “data retention” reference document and a practical guide, created in collaboration with a working group including the AFCDP, the French member of CEDPO. Aimed at professionals in the social and medico-social sectors, these resources seek to provide a practical framework for identifying and setting suitable data retention periods for common processing operations in these sectors. The reference document directs practitioners to both compulsory retention periods required by law, specifically referencing the Family and Social Action Code and the Public Health Code, as well as CNIL’s recommended durations that act as guidelines for establishing relevant retention periods. Although not comprehensive, the document addresses the most prevalent practices. This initiative is part of CNIL’s concerted effort, including a 2021 task force with sector representatives, to develop tools facilitating the implementation of personal data protection regulations for sector professionals. You can read the full article here and the full document here.

 European Union

EDPB: Adoption of guidelines on the technical scope of Art. 5 (3) of the ePrivacy Directive

The European Data Protection Board (EDPB) has recently adopted guidelines on the technical scope of Art. 5 (3) of the ePrivacy Directive. These guidelines aim to clarify which technical operations, in particular new and emerging tracking techniques, are covered by the Directive, and to provide greater legal certainty to data controllers and individuals. EDPB Chair Anu Talus highlighted the privacy risks associated with user tracking online, emphasising that the guidelines address the use of advanced methods like tracking links, pixels, and unique identifiers to prevent bypassing consent requirements. The document delineates the definitions of key terms and presents practical cases of common tracking practices. However, it does not delve into consent acquisition or the exemptions set out in Article 5 (3). Stakeholders and the public are invited to contribute their views during a six-week consultation period. You can read the press release here and the full guidelines here.

CJEU: Decisions taken by a supervisory authority in the context of the indirect exercise of data subject rights are legally binding

The Court of Justice of the European Union (CJEU) in Case C-333/22  has reinforced the legal nature of decisions made by data supervisory authorities, underlining their obligation to provide data subjects with the ability to challenge these decisions judicially. This clarification came as a response to a Belgian case, where a citizen who was allegedly denied security clearance due to protest participation received minimal information after a supervisory review of his data processing. The CJEU decreed that a supervisory authority’s decision is binding and subject to court scrutiny, ensuring individuals can contest the assessment of data processing lawfulness. Moreover, the court must be able to investigate the supervisory authority’s decision-making evidence and rationale comprehensively, balancing public interest against individual procedural rights. This judgment emphasises the importance of transparency and the right to legal remedy in data protection disputes. You can read the press release here and the full decision here.

ENISA: New report highlights vulnerability management amid cybersecurity investment growth

The European Union Agency for Cybersecurity (ENISA) has released a report detailing the landscape of cybersecurity investment among EU operators subject to the NIS Directive. Despite a marginal increase in IT budgets allocated to cybersecurity, many organisations are not planning to expand their information security workforce, with 83% facing recruitment challenges. The report particularly highlights the transport sector, where a significant portion of organisations take an extended period to address critical vulnerabilities. ENISA’s Executive Director, Juhan Lepassaar, underscores the necessity of balancing investment in vulnerability management with secure-by-design practices. The report also examines the implementation of the NIS2 Directive, including the development of an EU-wide vulnerability database managed by ENISA. The full press release is available here.

CoE: 45th Plenary meeting of the Committee of Convention 108

A significant milestone was reached as San Marino deposited its ratification of the Protocol amending Convention 108, thereby becoming the 31st member to join the modernised Convention 108+. The session was notable for the adoption of the second module of the Model Contractual Clauses for data transfers from controllers to processors. The committee is also progressing on drafting guidelines for voter data processing as well as on interpreting Article 11 of the modernised Convention. Additionally, they have decided to start working on data protection within the field of neurosciences, following its 2022-2025 work programme. The meeting reached its conclusion with the election of Mrs Virpi Koivu to the Bureau for the term ending in November 2024. You can read the press release here.

National Authorities

UK: ICO seeks permission to appeal Clearview AI Inc ruling

The UK data protection authority (ICO) is seeking to appeal a Tribunal judgement concerning the US-based tech company Clearview AI Inc. The Tribunal had concurred with the ICO that Clearview’s mass collection and analysis of facial images for AI purposes constitutes personal data processing under UK data protection law. This affirms the ICO’s jurisdiction over non-UK companies that monitor UK residents. However, the ICO is contesting the Tribunal’s interpretation that Clearview’s service to foreign law enforcement exempts it from UK data protection law. Information Commissioner John Edwards stresses the importance of scrutinising businesses that potentially exploit UK individuals’ digital images, underscoring the ICO’s commitment to protecting privacy rights amid AI technological advancements. The ICO is now awaiting further judicial review to resolve these critical legal points. The full statement is available here.

Switzerland: FDPIC points out that current data protection legislation is directly applicable to AI

The Swiss data protection authority (FDPIC) has reiterated that the new Federal Data Protection Act (FADP), effective from September 2023, is fully applicable to AI-based data processing. Amid global moves towards AI regulation, including the US executive order and the EU’s ongoing legislative efforts, FDPIC emphasises the current law’s relevance to AI technologies. The FADP mandates transparency in AI system operations, ensuring data subjects are informed about automated processing and can request human review of automated decisions. Moreover, it calls for transparency in applications that could falsifies faces, images or voice messages of identifiable persons, with potential criminal law implications. High-risk AI data processing is conditionally permissible, subject to stringent impact assessments. The FDPIC warns against privacy-invasive practices seen in authoritarian regimes, asserting such methods violate the FADP’s principles. The full statement is available here.

UK: ICO assesses UK tracing agents’ data protection practices in new blog post

The UK data protection authority (ICO) releases new blog assessing data protection practices of UK tracing agents. The ICO’s investigation prompted by a domestic abuse case, involved dialogues with tracing companies, professional bodies, support groups, and official authorities, evaluating the sector’s adherence to data protection law. While no direct misuse by tracing agents was found, the ICO discovered that abusers often exploit technology, such as air tags and smart devices, to track victims. The ICO has issued reminders to the sector about their responsibilities and recommended regular Data Protection Impact Assessments, adherence to safeguarding information rights of the person, and an audit of data protection practices. The ICO vows to rigorously enforce compliance and support victims in collaboration with charities combating tech abuse. You can read the full blog post here.

Global

Noyb files complaint against EU commission over targeted advertising campaign based on sensitive data

The non-profit organisation noyb has filed a formal complaint with the European Data Protection Supervisor (EDPS) against the EU Commission for an alleged breach of the General Data Protection Regulation (GDPR). The complaint arises from the Commission’s use of targeted advertising campaign on X (formerly Twitter), which selectively omitted users with certain political and religious affiliations. This act of micro-targeting, as noyb underscores, exploited sensitive data categories expressly protected under the GDPR. The contentious campaign aimed to bolster support for the disputed chat control legislation, provoking widespread criticism from various sectors for potentially paving the way to mass surveillance. noyb emphasises that the EU Commission, in seeking to expedite the legislative process, may have compromised democratic principles and misled the public with skewed opinion polls. Further, noyb’s stance is echoed by the X’s own policies, which prohibit such use of personal data. noyb is currently assessing whether to lodge a complaint against X for enabling the illegal use of sensitive data for political micro-targeting. You can read the press release here.

Sanctions

France: CNIL reprimands Ministries for misuse of public servants’ data

The French data protection authority (CNIL) has issued a formal reprimand to the Ministry of Transformation and Public Service and the Ministry of Economy, Finance, and Industrial and Digital Sovereignty. This action was taken in response to the ministries’ use of the personal email addresses of public servants to disseminate information on the proposed pension reform. This communication included an email and video message from the Minister, which was deemed to be political in nature rather than purely administrative. The CNIL’s restricted committee, responsible for imposing sanctions, highlighted that the dissemination method contravened the decree governing the ENSAP platform, which is intended only for administrative exchange and personalised services, not for political communication. By employing the ENSAP file for such purposes, the ministries had used this personal data in a way that was incompatible with the purpose of the file. You can read the press release here and the full decision here (both in French).

Romania: ANSPDCP fines Rompetrol Downstream SRL for violating Article 32 of the GDPR

Romania’s data protection authority (ANSPDCP) fines Rompetrol Downstream SRL 546,073 lei (approximately €110,000) for violating Article 32 of the GDPR. This fines follows an investigation sparked by multiple personal data breach notifications from the company between July 2021 and February 2022. The inquiry uncovered repeated unauthorised internal access and use of customer data within the company’s software systems, as well as unlawful sharing of customer data with non-bank financial entities for loan acquisitions. This breach involved sensitive information, including identity card details and salary data. The ANSPDCP concluded that Rompetrol failed to restrict data processing to authorised personnel and lacked sufficient security measures relative to the processing risks. You can read the press release here (in Romanian).

Denmark: Datatilsynet reprimands Danish Agency for violating data minimisation principle

The Danish data protection authority (Datatilsynet) has reprimanded the Danish Agency for Digitisation for excessive personal data processing. This comes after it was revealed that while only 1.7 million citizens use the digital driving licence application, data on almost 4 million licence holders was stored. The Datatilsynet has highlighted the violation of the GDPR’s data minimisation principle, which stipulates that only necessary data should be processed. As a result, the Agency for Digitisation has been ordered to stop processing the data of those not registered for the digital licence and to review its practices within four weeks. You can read the press release here and the full decision here (both in Danish).