Data Protection Weekly 48/2023

Dec 4, 2023

 European Union

European Commission: Launch of new database to track digital services terms and conditions

The European Commission has launched the Digital Services Terms and Conditions Database. This new resource aligns with the Digital Services Act (DSA), focusing on the transparency of terms and conditions of online platforms such as social media and app stores. The database, featuring over 790 terms and conditions, is updated multiple times daily using an automated system. It’s an initiative developed with Open Terms Archive’s open-source software, supported by France’s digital affairs ambassador and the Commission’s Internet programme. This tool is designed to assist regulators in overseeing legal compliance and to provide researchers with up-to-date information on the terms and conditions of digital services. The database is part of numerous DSA transparency requirements, including mandatory monthly active user disclosures and transparency reports by online platforms. Additionally, the Commission is responsible for maintaining a Transparency Database, as mandated by the DSA. You can read the press release here.

Council of the EU: Adoption of Data Act

The Council of the European Union has adopted the Data Act aimed at establishing harmonised rules for fair access to and use of data. This new law  introduces obligations for manufacturers and service providers to allow users to access and reuse data generated from various products and services, ranging from everyday appliances to industrial machines. This initiative also includes provisions for data portability, safeguarding against unlawful data transfers, and developing interoperability standards for cross-sector data reuse. The new law addresses the distribution of data value, encourages data-driven innovation, and strives to make data more accessible across all sectors. It also aims to ease the switching between data processing service providers, while ensuring fair compensation for data sharing. The regulation is expected to be published in the EU’s official journal in the new year and will become enforceable 20 months after its entry into force. You can read the press release here.

European Parliament: The Environment and Civil Liberties committees adopted their position on creating a European Health Data Space

The European Parliament’s Environment and Civil Liberties committees adopted their position on creating the European Health Data Space (EHDS), a significant move towards improving the portability and secure sharing of personal health data across EU nations. This initiative, aimed at empowering citizens, will allow seamless access to personal health information like prescriptions, medical imagery, and lab tests across EU borders. The EHDS will also enable the sharing of aggregated health data for research, such as in cancer and rare disease studies, while ensuring strong privacy protections. The law will facilitate patient access to their data across different EU healthcare systems and establish national health data access services. It also introduces safeguards against data misuse, like banning its use for advertising or excluding people from benefits. Further, it necessitates explicit patient permission for secondary sensitive health data use, with provisions for opting out. This proposal, which is set to be voted on by the full European Parliament in December, marks a critical step in enhancing healthcare quality and fostering healthcare innovation in the EU. You can read the press release here.

National Authorities

Italy: Next G7 DPA conference in Rome

From 9th to 11th October 2024, Rome will host the G7 Data Protection Authorities (DPA) Conference, an event organised by the Italian DPA (Garante). This significant gathering will focus on “Privacy in the age of data,” addressing pivotal challenges in data protection amidst today’s rapidly evolving technological landscape. The conference aims to facilitate discussions among authorities from the G7 nations (Canada, France, Germany, Japan, the UK, and the United States), alongside the Chair of the European Data Protection Board and the European Data Protection Supervisor. Central themes include fostering data free flows with trust, aligning emerging technologies and AI with individual freedom, and enhancing global cooperation for effective data protection regulation enforcement. Pasquale Stanzione, President of the Italian DPA, emphasised the importance of establishing new global rules for sustainable and equitable innovation in this data-driven age. The conference is a key component of the G7 2024 Italy agenda, highlighting the critical role of international collaboration in shaping the future of data protection. You can read the press release here.

Sweden: Digg and IMY release joint guide on data protection and innovation

The Swedish Agency for Digital Government (Digg) and the Swedish data protection authority (IMY) have released a joint methodological guide focusing on data protection and privacy in innovation. This guide, targeting public actors, aims to foster sustainable digitalisation that balances innovative advancement with privacy and welfare needs. The guide addresses the complexities and challenges surrounding data protection, providing practical advice for integrating privacy considerations into innovative processes. Acting Director General of IMY, Karin Lönnheden, stresses the importance of privacy and data protection for maintaining public trust in services. The guide includes organisational strategies and GDPR-related guidance, offering valuable resources for driving forward effective and legally compliant innovation initiatives. You can read the press release here and the full guide here (both in Swedish).

Denmark: Datatilsynet unveils security measure catalogue

The Danish data protection authority (Datatilsynet) has released a comprehensive catalogue of security measures, designed to assist companies and authorities in implementing appropriate security measures. This new tool, available on the Datatilsynet’s website, aims to simplify risk management and ensure compliance with GDPR requirements. The catalogue offers a variety of technical and organisational measures, each capable of being utilised independently. While many measures currently focus on future rights management guide, the catalogue is expected to expand to cover a wider range of topics. Ditte Yde Amsnæs, Head of Office at the Datatilsynet, highlights the catalogue’s potential as a crucial resource, making the GDPR requirements more concrete and applicable. The measures are enriched with concrete examples drawn from the Datatilsynet’s inspections, data breach reports, EDPB guidelines, and ISO standards. Additionally, each measure includes references to relevant legal decisions, providing a comprehensive guide for both legal and IT security professionals. You can read the press release here and the catalogue here (both in Danish).

Netherlands: AP releases blogpost on effective password strategies

The Dutch data protection authority (AP) recently released a blogpost, focusing on the practicalities of creating strong yet manageable passwords. The post underscores the importance of password strength, which hinges on the difficulty and resource investment required for a cybercriminal to decipher it. A key factor in this strength is the combination of password length and randomness, which proves more effective than merely adding special characters. Introducing the ‘diceware’ method, the blog suggests forming passwords from words, not just characters, leveraging vast word lists to enhance security while ensuring ease of recall. It also explores the use of password phrases and addresses the challenges in remembering complex character combinations. Furthermore, the article points out the utility of password managers for securely storing various robust passwords. Finally, it emphasises the added security layer that comes from combining passwords with other forms of authentication, a topic set for further exploration in their subsequent blog post. You can read the full article here (in Dutch).


BEUC challenges Meta’s pay-or-consent model

The European Consumer Organisation (BEUC), alongside 19 member organisations, has lodged a formal complaint against Meta’s new pay-or-consent policy in the EU for Facebook and Instagram users. This policy forces users to choose between consenting to data processing for advertising or paying to avoid ads. The complaint, filed with the network of consumer protection authorities (CPC), argues that Meta’s approach breaches EU consumer law and potentially violates GDPR. BEUC’s Deputy Director General, Ursula Pachl, condemns Meta for unfair, deceptive, and aggressive tactics, such as partial service blocking and presenting misleading information. This policy leaves users with no real choice, as opting out of the services would mean losing connections and interactions built over years. Additionally, the high cost of the ad-free subscription further limits consumer options, questioning Meta’s compliance with GDPR and consumer rights. You can read the press release here.

LEGO’s innovative approach to privacy policy aimed at young audience sets an innovative example in the realm of online privacy policies with their unique approach aimed at young audiences. Recognising the importance of data protection awareness among children, has augmented its privacy policy with an engaging and educational video. This innovative tool simplifies complex data privacy concepts, making them accessible and understandable for children. The initiative reflects LEGO’s commitment to responsible data handling and educating the younger generation about the significance of personal data protection. By tailoring their communication to be kid-friendly, not only adheres to legal requirements but also goes a step further in fostering an environment of trust and safety for its younger users. This approach highlights the growing need for inclusive and educational methods in presenting privacy policies, especially on platforms frequented by children. LEGO’s initiative could inspire other companies to adopt similar strategies, enhancing data protection awareness at an early age. You can see the video and read the privacy policy here.


Norway: Datatilsynet notifies an infringement fee of NOK 20 million to Norwegian Labour and Welfare Administration

The Norwegian data protection authority (Datatilsynet) has notified NAV, the Norwegian Labour and Welfare Administration, of a proposed infringement fee of NOK 20 million (approximately €2 million) and several compliance orders. This action follows an audit identifying severe shortcomings in NAV’s data protection practices, especially in managing sensitive personal data. The audit highlighted inadequate management systems and insufficient confidentiality safeguards in IT systems. Notably, the extensive access granted to employees, without adequate oversight, raises concerns about the over-reliance on trust. As a crucial component of Norway’s welfare system, NAV’s handling of vast amounts of personal data is under strict examination, with 12 GDPR breaches identified. The notification includes orders for comprehensive organisational measures and improved access management. NAV has been given a three-week period to respond to this notification, after which Datatilsynet will make a final decision on the matter. You can read the press release here (in Norwegian).

UK: ICO reprimands council for disclosing domestic abuse victim’s details to ex-partner

The UK data protection authority (ICO) has reprimanded Charnwood Borough Council for a severe breach of data protection. This incident involved the council inadvertently disclosing the address of a domestic abuse victim to her ex-partner. Highlighting a significant lapse in data handling, the ICO emphasised the need for robust processes and staff training. Essential measures include alerts on files for vulnerable service users, established process for address changes, and regular data protection training. In this case, the council’s inadequate address updating process led to the ex-partner accessing sensitive information, potentially endangering the victim. The ICO’s Head of Investigations, Natasha Longson, stressed the importance of public sector organisations in protecting sensitive details, urging others to learn from this failure. You can read the press release here.

Sweden: IMY fines Östersund municipality for failing to conduct a DPIA

The Swedish data protection authority (IMY) has imposed a fine of SEK 300,000 (equivalent to €26,500) on the Children and Education Board of Östersund municipality for failing to conduct a data protection impact assessment (DPIA) before implementing Google Workspace in 24 municipal schools. This digital platform, used since autumn 2020, involves processing the personal data of nearly 6,000 students and 1,300 employees. IMY’s decision highlights the board’s oversight in not evaluating the potential risks and necessary protective measures associated with such extensive processing of children’s personal data. Nina Hellgren, a lawyer at IMY, emphasises the importance of impact assessments in identifying and managing risks to individuals’ rights and freedoms when handling personal data. This administrative fine serves as a reminder of the critical need for thorough data protection assessments in educational settings, especially when dealing with minors’ data. You can read the press release here and the full decision here (both in Swedish).

UK: ICO urges hospitals to improve data protection standards following incident at NHS Fife

The UK data protection authority (ICO) has issued a reprimand to NHS Fife following a serious data breach, where an unauthorised individual accessed personal data of 14 patients. In February 2023, this person, without proper checks, entered a ward, was mistakenly given sensitive documents, and even assisted in patient care. The data, taken off-site, remains unrecovered, exacerbated by a deactivated CCTV system. This incident highlighted NHS Fife’s inadequate security measures and staff training in handling personal data. This incident led to NHS Fife implementing new security measures, including a sign-in/out system for documents and improved identification processes. ICO’s Head of Investigations, Natasha Longson, emphasised the critical need for healthcare organisations to ensure data security and trust. She urged other healthcare bodies to learn from this incident and review their security checks and authorised access policies. NHS Fife has been instructed to report on the actions taken within six months. You can read the press release here.