Data Protection Weekly 47/2023

Nov 27, 2023

 European Union

ENISA: EU cybersecurity exercise to foster cooperation and promote free and fair EU elections

EU institutions have spearheaded a cybersecurity exercise in Brussels to reinforce the security of the upcoming 2024 European elections. National authorities alongside EU bodies, including the European Parliament and ENISA, participated in this critical initiative on 21 November 2023. This simulation was designed to test and refine EU crisis plans against potential cyber incidents that could impact election integrity. By sharing expertise and updating response strategies, the exercise aimed to enhance collective preparedness against cyber and hybrid threats. The collaboration extended to examining the effectiveness of current guidelines and practices for election technology cybersecurity. The exercise underscores the importance of situational awareness and the swift coordination of communication at both national and EU levels to protect the electoral process against diverse threats, including misinformation and infrastructure breaches. You can read the press release here.

Council and EU Parliament: Political agreement to advance police cooperation in Europe

The Spanish presidency of the Council of the EU and the European Parliament reached a political agreement on 20 November 2023 to update the EU law governing automated data exchange for police cooperation. The deal, aimed at bolstering European security, will enable more efficient searches across law enforcement databases for DNA, fingerprints and, newly, facial images and police records. Fernando Grande-Marlaska Gómez, acting Spanish Minister for the Interior, highlighted the deal’s significance in improving citizen safety by facilitating swift cross-border police cooperation. The updated framework, known as ‘Prüm II’, is set to modernise the technical infrastructure with a central router provided by eu-LISA, streamlining data retrieval between member states and Europol. The agreement also expands Europol’s role, allowing it to search national databases using information from third countries. The provisional agreement will now be submitted to member states’ representatives (Coreper) for endorsement before formal adoption. You can read the press release here.

European Parliament: Adoption of negotiation mandate on child sexual abuse online regulation

The European Parliament has adopted its negotiation mandate for a new law on fighting and preventing child sexual abuse online. This approval occurred smoothly as no objections were made to the opening of negotiations based on the LIBE committee’s earlier vote. This marks a pivotal step forward, enabling the start of discussions on the law’s final structure as soon as the Council confirms its position. The mandate closely reflects the LIBE committee’s draft position, which seeks a careful balance between protecting children online and avoiding indiscriminate internet monitoring, with the proposal of targeted mitigation measures by service providers and the creation of an EU Centre for Child Protection. You can read the press release here and a summary of key points here.

National Authorities

Spain: AEPD explores AI algorithms in new blog post

The Spanish data protection authority (AEPD) sheds light on the complexities of artificial intelligence (AI), stressing the importance of evaluating all constituent algorithms for their impact on rights and freedoms. An AI system is not just a single algorithm but a fusion of many, each requiring scrutiny to ensure transparency and explainability, as emphasised by the EU’s proposed Artificial Intelligence Act (AIA). Neural networks, which form the backbone of many AI models, function through a web of nodes, each node’s behaviour dictated by a set of weights and thresholds. These weights are determined not manually by programmers but through automated learning processes involving multiple algorithms. The AEPD highlights the critical role of human oversight in this configuration process to avoid biases and maintain system integrity. As these systems evolve, the AEPD calls for a holistic assessment approach, looking beyond neural network evaluations to include algorithm interactions and human decision-making in the learning process. You can read the full blog post here (in Spanish).

France: CNIL releases guidance on API data sharing

The French data protection authority (CNIL) has published a set of recommendations on the use of Application Programming Interfaces (APIs) for sharing personal data. The recommendations aim to help organisations use APIs effectively and safely. CNIL’s methodology covers best practices for designing, deploying and operating APIs, with an emphasis on security, data minimisation (exposing only the fields each consumer actually needs) and proper access controls (authenticating each consumer and limiting what it may query). The publication follows a public consultation and is intended for a broad audience in both the public and private sectors. It outlines the technical roles involved in data sharing via APIs and touches on various data sharing contexts, from legal obligations to commercial purposes, without specifying the applicable legal framework. The CNIL also provides practical tools and concrete examples to support organisations in implementing the recommendations. You can read the article here and the full recommendations here (both in French).
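As an added illustration of the two points the CNIL recommendations stress, data minimisation and access control at the API boundary, the following Python sketch shows a data-provider endpoint that authenticates the calling consumer with an HMAC-signed, purpose-bound token and then returns only the fields permitted for that consumer’s declared purpose, while recording what was disclosed. This is example code written for this summary, not CNIL’s own tooling or anything from the recommendations themselves; the scope names, field lists, shared secret and the sample record are all assumptions.

```python
"""Purpose-bound scopes and field-level minimisation for a personal-data API.

Added example, not CNIL code. Scopes, field names, the shared secret and the
sample record below are assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample record held by the data provider (hypothetical person).
RECORDS = {
    "u-1001": {
        "user_id": "u-1001",
        "email": "a.dupont@example.org",
        "postcode": "75001",
        "birth_date": "1984-03-02",
        "phone": "+33 6 00 00 00 00",
    },
}

# Each consumer purpose maps to the minimal set of fields it needs (assumed).
# A field absent from a scope is never serialised for that consumer.
SCOPE_FIELDS = {
    "delivery": {"user_id", "postcode"},
    "support": {"user_id", "email"},
    "audit": {"user_id", "email", "postcode", "birth_date"},
}

# Assumption: one shared HMAC key per consumer; a real deployment would use
# a proper token service (e.g. OAuth 2.0) with per-client credentials.
SECRET = b"demo-shared-secret"


def issue_token(consumer: str, scope: str, key: bytes = SECRET) -> str:
    """Issue a signed token binding a consumer identity to one purpose scope."""
    payload = json.dumps({"consumer": consumer, "scope": scope}, sort_keys=True)
    b64 = base64.urlsafe_b64encode(payload.encode()).decode()
    mac = hmac.new(key, b64.encode(), hashlib.sha256).hexdigest()
    return f"{b64}.{mac}"


def verify_token(token: str, key: bytes = SECRET):
    """Return the token's claims if the signature and scope are valid, else None."""
    try:
        b64, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(b64.encode()))
    if claims.get("scope") not in SCOPE_FIELDS:
        return None  # unknown purpose: deny rather than fall back to "all fields"
    return claims


def handle_get_user(token: str, user_id: str, audit_log: list):
    """GET /users/{id}: authenticate, minimise the response, log the disclosure."""
    claims = verify_token(token)
    if claims is None:
        return 401, {"error": "invalid token"}
    record = RECORDS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    allowed = SCOPE_FIELDS[claims["scope"]]
    body = {k: v for k, v in record.items() if k in allowed}
    # Access log: who received which fields about whom (needed to answer
    # subject-access requests and to detect over-broad consumers).
    audit_log.append({
        "consumer": claims["consumer"],
        "scope": claims["scope"],
        "user_id": user_id,
        "fields": sorted(body),
    })
    return 200, body


if __name__ == "__main__":
    log = []
    courier = issue_token("courier-app", "delivery")
    print(handle_get_user(courier, "u-1001", log))       # only user_id + postcode
    forged = issue_token("courier-app", "audit", key=b"wrong-key")
    print(handle_get_user(forged, "u-1001", log))        # 401: signature mismatch
    print(log)
```

The important design choice is that the response shape is derived from the consumer’s purpose, not from the stored record, so adding a new field to the database never silently widens what existing consumers receive; an unknown or forged scope is rejected outright instead of defaulting to the full record.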

Spain: AEPD publishes biometric data guide for access control

The Spanish data protection authority (AEPD) has issued a guide detailing the criteria for using biometric data in presence and access control systems. The guide underscores the sensitivity of biometric data, which is a special category of high-risk personal data under the General Data Protection Regulation (GDPR). The AEPD requires a stringent evaluation of suitability, necessity and proportionality for biometric data processing, particularly when it is used for identification and authentication. In the workplace, the AEPD clarifies that processing is permissible only under specific legal authorisation; reliance on consent is ruled out because of the power imbalance between employer and employee. For non-employment-related access control, consent is similarly insufficient to lift the GDPR’s prohibition on processing special-category data. The guide also requires a Data Protection Impact Assessment before processing begins and concludes with GDPR compliance measures, including the ability to revoke biometric identification and the encryption of biometric data. You can read the press release here and the full guide here (in Spanish).

Italy: Garante opens investigation into web scraping to train algorithms

The Italian data protection authority (Garante) has initiated an exploratory investigation into the online collection of personal data used for training artificial intelligence (AI) algorithms. The aim is to establish whether public and private websites are implementing sufficient security measures to prevent massive third-party data collection (web scraping) for AI training. The inquiry concerns all public and private entities, operating as data controllers, that are established in Italy or offer services there and that make personal data freely accessible online. AI platforms are known to scrape vast amounts of data published online, including personal data that was published for other purposes, such as journalism or open data policies. The Garante has called for input from relevant stakeholders on the security measures currently in use and those that could be implemented. Submissions are invited within 60 days of the consultation notice’s publication. Following this investigative phase, the Garante may adopt urgent measures if it deems them necessary. You can read the press release here (in Italian).

Ireland: DPC outlines data protection guidance for Christmas season

The Irish data protection authority (DPC) has published a new blog post outlining key data protection considerations for the Christmas shopping season. The guidance focuses on the increased use of connected toys and smart devices, which may collect personal data, and the implications for privacy and consent, particularly in relation to children. It also covers best practices for retailers issuing e-receipts, emphasising the need for transparency and customer consent when using personal data for marketing. Furthermore, the DPC addresses the surge in direct marketing activities during this period, advising individuals on their rights and how to opt-out of unsolicited communications. Retailers are reminded of the legal penalties for non-compliance with data protection laws. You can read the full blog post here or listen to the accompanying podcast here.

UK: ICO warns UK’s top websites to make cookie changes

The UK data protection authority (ICO) has warned some of the UK’s most visited websites that they face enforcement action if they fail to bring their cookie practices into line with data protection law. The warning targets sites that do not give users a fair option to decline tracking for personalised advertising. The ICO’s guidance is clear that rejecting all advertising cookies must be as straightforward as accepting them. Non-tailored advertisements can still be shown to users who reject tracking, but they must not be personalised. The ICO has given these websites 30 days to comply. ICO Executive Director of Regulatory Risk, Stephen Almond, highlighted public concern over targeted advertising without consent, citing specific scenarios in which such practices can be particularly intrusive. The warning is part of the ICO’s wider initiative to protect personal data in the online advertising sector, with an update on progress promised for January. You can read the full statement here.


Belgium: Ministry for Transport investigates alleged criminal breach of data protection laws over London Ulez fines

Belgium’s Ministry for Transport is investigating possible criminal breaches of data protection law following complaints from EU drivers who received unwarranted fines for London’s Ultra-Low Emission Zone (Ulez) violations. It is alleged that a collections agent acting for Transport for London (TfL) unlawfully obtained the personal details of over 20,000 EU vehicle owners for fine enforcement purposes; since Brexit, UK authorities have no direct access to such data for non-criminal matters. The implicated Belgian court bailiff has been barred from the vehicle licensing database, and similar concerns have arisen in the Netherlands and France. TfL asserts that it requires its agents to comply with data protection law and says it has stopped sharing Belgian data since the practice was deemed unlawful. The situation remains under legal scrutiny, with several EU countries challenging the fines and seeking reparations. You can read the full article here.

UK: New AI regulation Bill introduced to Parliament

A new Artificial Intelligence (Regulation) Bill has been introduced to the UK House of Lords. The Bill proposes the establishment of a new regulatory body, the AI Authority. This entity will be responsible for ensuring AI alignment across regulators, conducting legislative reviews, and monitoring the effectiveness of AI regulation. It proposes the creation of regulatory sandboxes to foster innovation, mandates AI responsible officers for businesses, and sets out specific transparency and intellectual property obligations. The Bill emphasises principles of safety, transparency and explainability, fairness, and accountability in AI regulation and stipulates that AI deployments must be inclusive and non-discriminatory. You can read the Bill here.


Spain: AEPD fines website operator for dark patterns in cookie consent banner

The Spanish data protection authority (AEPD) has fined a website operator €12,000 for infringing the GDPR’s transparency requirements through ‘dark patterns’ in its cookie banner. The interface prompted users either to consent to cookies instantly or to go through a cumbersome process to refuse them, a design found to manipulate user choice. The AEPD criticised the banner’s ‘overloading’ and ‘skipping’ techniques, which discouraged informed decisions, as contravening Articles 5(1)(a) and 13 of the GDPR. Of the total, €5,000 was imposed for the violation of Article 5(1)(a), with additional fines for lesser breaches of the GDPR and Spanish law. The decision reinforces that consent mechanisms must allow informed and voluntary user decisions, with refusal no harder than acceptance. The complete ruling is available here (in Spanish).

Poland: UODO fines insurance company for failure to notify data breach

The Polish data protection authority (UODO) has imposed a fine of approximately €23,000 (PLN 103,752) on Link4 Towarzystwo Ubezpieczeń S.A. for failing to report a personal data breach without undue delay. The Warsaw-based insurer did not notify the UODO of the breach within the required 72 hours. An email containing personal and insurance-related details was mistakenly sent to an unauthorised recipient, and the company did not act promptly once it discovered the error. Although the insurer admitted the oversight, attributed it to human error and produced a risk assessment indicating minimal risk, the UODO condemned its failure to respond in a timely and appropriate manner. The fine reflects several aggravating circumstances, including the duration of the breach and the firm’s previous data protection issues. The case underscores the importance of prompt breach reporting to protect individuals’ rights. You can read the press release here (in Polish).

Romania: ANSPDCP fines company over multiple GDPR violations

The Romanian data protection authority (ANSPDCP) has taken action against SC Sweat Concept One SA for contravening the GDPR and national privacy law. In November, the ANSPDCP concluded its investigation, finding breaches of Articles 5(1)(a) and (b), 6(1), and Article 17 read with Article 12 of the GDPR. The company was fined 10,000 lei (approximately €2,000) for storing information via cookies without prior consent. It had also processed an individual’s email address for marketing purposes without a legal basis and had failed to respond to a data erasure request. SC Sweat Concept One SA must now bring its data processing practices into line with Articles 5, 6 and 7 of the GDPR and respect the right to erasure. It is further required to obtain valid user consent before storing cookies. You can read the press release here (in Romanian).