Data Protection Weekly 49/2022

Dec 8, 2022

  European Union

European Data Protection Board: EDPB adopts Art. 65 dispute resolution binding decisions regarding Facebook, Instagram and WhatsApp

The EDPB adopted three dispute resolution decisions on the basis of Art. 65 GDPR concerning Meta Platforms Ireland Limited (Meta IE). The binding decisions address important legal issues arising from the draft decisions of the Irish SA as lead supervisory authority (LSA) regarding Meta IE platforms Facebook, Instagram and WhatsApp. The EDPB binding decisions play a key role in ensuring the correct and consistent application of the GDPR by the national Supervisory Authorities. Read press release here.


The EU Council: EU countries adopt a common position on Artificial Intelligence rulebook

EU ministers green-lighted a general approach to the AI Act at the Telecom Council meeting on Tuesday (6 December).The EU Council is the first co-legislator to finish the first step of the legislative process, with the European Parliament due to finalise its version around March next year.“The Czech presidency’s final compromise text takes into account the key concerns of the member states and preserves the delicate balance between the protection of fundamental rights and the promotion of uptake of AI technology,” said Ivan Bartoš, Czechia’s Deputy Prime Minister for Digitalisation.

EURACTIV reports on the main changes here.


Court of Justice of the European Union (CJEU): Right to be forgotten-search engines must dereference inaccurate information

Right to erasure (‘right to be forgotten’): the operator of a search engine must dereference information found in the referenced content where the person requesting dereferencing proves that such information is manifestly inaccurate. Read press release here.


General Court: WhatsApp annulment action inadmissible

The CJEU’s General Court has ruled to dismiss as inadmissible the action brought by WhatsApp against a decision of the European Data Protection Board. In this case, the General Court rules, for the first time, on an application for annulment of a binding decision of the EDPB, adopted on the basis of the GDPR. The EDPB welcomed the Court’s decision which confirms the EDPB position: namely that WhatsApp Ireland Ltd was not directly concerned by the EDPB decision. You can read the EDPB press release and court CJEU court ruling here.


National Authorities

France: CNIL issue a reminder on the rules surrounding the sale of customer records

The CNIL issue a reminder on the rules surrounding the sale of customer records. Such commercial transactions are not prohibited by the GDPR but must be done in compliance with certain specific obligations. The CNIL recalls the consent rules that a seller and a buyer must respect when selling a file for commercial ends, particularly with regard to the rights of individuals. The press release (in French) can be found here.


France: Remote monitoring of online examinations: opening of a public consultation on the draft recommendation of the CNIL

The CNIL announced a public consultation with respect to their draft guidance recommendation on the modalities for the implementation of remote monitoring devices for online exams. In particular, the CNIL highlighted that increased usage of remote monitoring of exams has become more commonplace. Previously, in a factsheet dating from May 2020, the CNIL had recommended that higher education institutions must not use monitoring systems that disproportionately infringe on the privacy of their students. With this new public consultation, the CNIL is seeking opinions from a broad spectrum of stakeholders involved in offering online examinations to consolidate its expertise and better understand the needs and degrees of acceptance and risk vis-à-vis new technological tools. The consultation runs till January 1 2023, the press release (in French) can be found here.


German: DSK publishes Minutes and Report of its 3rd interim conference

The German Data Protection Conference (‘DSK’) published, on 29 November 2022, the minutes of its 3rd interim conference, which took place in September 2022. In addition, they published a paper on key issues and on the DSK’s binding majority decisions. In particular, the minutes outline that the key topics discussed by DSK which included among other things:

  • How to determine the German lead supervisory authority via the Binding Corporate Rules (‘BCRs’) approval procedure in which a non-German supervisory authority is the lead authority;
  • Test schemes for the classification of video conferencing services;
  • The status of the proposal for further design, development, and institutionalisation of the DSK; and
  • the report of the dedicated DSK taskforce on Facebook fan pages.

The minutes (in German) are available here and the Report (in German) is available here.


German: DSK publishes new version of guidance on Telemedia

Press release of the Conference of the Independent Data Protection Authorities of the Federation and the Länder of 07.12.2022

At its 104th conference, the Conference of Data Protection Supervisors adopted the amended version of the Orientation Guidance (OH) for Telemedia Providers 2021 Version 1.1. This has now been published together with a comprehensive evaluation report.

On the occasion of the entry into force of the Telecommunications Telemedia Data Protection Act (TTDSG) in December 2021, the DSK adopted the OH Telemedia 2021, which deals in detail with the requirements of the new law and the General Data Protection Regulation in the operation of websites and provides website operators, providers of Telemedia as well as users and legal practitioners with assistance for the data protection-compliant operation of their websites.

Read the Guidance (in German) here.


UK: ICO launches direct marketing guidance hub

The Information Commissioner’s Office (‘ICO’) announced, via LinkedIn, on 5 December 2022, that it had launched a new direct marketing hub aimed at organisations looking to plan and deliver effective direct marketing campaigns which respect people’s privacy and comply with applicable law. In particular, the ICO stated that the hub explains what organisations have to do to comply with the law and gives good practice recommendations to do so. Read here. 


Belgium: Draft law reforming the Data Protection Authority referred to the Council of State

It is being reported in the Belgian media that the bill to reform the Belgian DPA introduced by Secretary of State Mathieu Michel, has been referred to the Council of State at the request of opposition parties.

The opposition tabled new amendments and asked for their examination by the Council of State. This text, described by the Secretary of State as “necessary and important”, aims to strengthen the functioning of the APD, its independence and its capacity for expertise, according to the terms used by Mathieu Michel. It is part of a broader context of legislative reform aimed at ensuring a balance between innovation and privacy with “a supervisory authority capable of being respected”. You can find the press article (in French) here.


Hungary: Data misused for political campaigns

The Hungarian government’s misuse of personal data during the 2022 national elections campaign undermined privacy and further tilted an already uneven playing field in favor of the ruling party. Read article here.



Global cookie review

Bird & Bird release their Winter 2022 Global Cookie Review providing a global overview of the legal and regulatory landscape – for new developments and trends coupled with some territorial analysis please see the report here.


Apple announces new security and privacy measures amid surge in cyber-attacks

Apple announced a suite of security and privacy improvements on Wednesday that the company is pitching as a way to help people protect their data from hackers, including one that civil liberty and privacy advocates have long pushed for. Read article here. 

AWS KMS launches External Key Store

Recently Amazon AWS Key Management Service (AWS KMS) introduced the External Key Store (XKS), a new feature for customers who want to protect their data with encryption keys stored in an external key management system under their control. This capability brings new flexibility for customers to encrypt or decrypt data with cryptographic keys, independent authorization, and audit in an external key management system outside of AWS. In short, Amazon is now offering functionality to client organisations to store encrypted data on its infrastructure with the encryption key held outside of Amazon’s control. This means Amazon would not be able to provide those customers’ decrypted data over to prying government authorities. Those familiar with EDPB Supplementary Measures guidance will recall this was one of the supplementary measures proposed by the EDPB to enable personal data transfers to non-adequate countries. The full story is here.



Italy: Garante fines Clubhouse, the voice chat social EUR 2 million

The Italian DPA – the Garante – fined Alpha Exploration, owner of the social network Clubhouse, 2 million euros, and a series of compliance orders for violations of the GDPR. The Garante cited a lack of transparency around the use and processing of user data, users’ storing and sharing of content without appropriate consent, and sharing of account information without a legal basis and indefinite storage times for recordings. The Garante said Alpha Exploration will have implement measures to protect users and conduct an impact assessment on data processed through Clubhouse. Moreover, the DPA has ordered Alpha Exploration to indicate in its privacy notice the email address of the EU representative appointed in line with Art27 of the GDPR; the press release and decision (in Italian) can be found here.


Ireland: Meta faces record EU privacy fines

This Christmas is bound to be an expensive one for U.S. tech giant Meta. The Big Tech firm looks set to soon face a huge regulatory bill for all three of its social networks, Facebook, WhatsApp and Instagram.  Read article here.