Data Protection Weekly 49/2023

Dec 11, 2023

European Union

CJEU: GDPR opposes two data processing practices by credit information agencies

In a recent judgment in Case C-634/21 and Joined Cases C-26/22 and C-64/22, the Court of Justice of the European Union (CJEU) directly addressed the GDPR implications of credit scoring and debt information practices. The CJEU determined that ‘scoring’, as utilised by SCHUFA, constitutes an ‘automated individual decision’, which is in principle prohibited under the GDPR when such scoring plays a determining role in credit decisions by SCHUFA’s clients, such as banks. Further, the CJEU found that retaining information regarding discharge from remaining debts for longer than the period for which it is kept in the public insolvency register is contrary to the GDPR. It clarified that unlawful retention beyond six months gives data subjects the right to have the data deleted, requiring immediate action by the agency. Regarding SCHUFA’s parallel six-month storage of the data, the CJEU deferred to the Administrative Court to assess its lawfulness. Lastly, the CJEU emphasised that national courts must have full capacity to review any binding decision of a supervisory authority. You can read the press release here.

CJEU: Only a wrongful infringement of the GDPR may result in an administrative fine being imposed

The Court of Justice of the European Union (CJEU) has provided clarification on the criteria for national supervisory authorities to impose administrative fines on one or more controllers for breaching the General Data Protection Regulation (GDPR). This was elucidated in cases C-683/21 (Nacionalinis visuomenės sveikatos centras) and C-807/21 (Deutsche Wohnen). The Court determined that imposing such a fine requires proof of wrongful conduct, meaning the infringement must have been committed either intentionally or due to negligence. Additionally, it was noted that when the entity subject to the fine is part of a larger group of companies, the fine’s calculation should reflect the turnover of the entire group, not just the individual company involved. You can read the press release here.

EDPB: Publication of urgent binding decision regarding Meta

On 7 December 2023, the European Data Protection Board (EDPB) published an urgent binding decision impacting Meta Ireland Limited (Meta IE). This action, following the Irish data protection authority’s final decision, bans Meta IE from processing personal data for behavioural advertising, citing contract and legitimate interest as inappropriate legal bases. The Norwegian data protection authority’s request triggered this decision, necessitating measures effective throughout the European Economic Area (EEA). The EDPB Chair highlighted Meta’s failure to comply with previous orders and the urgent need to protect data subjects’ rights. This development follows Norway’s temporary ban and subsequent appeal for EEA-wide measures. The EDPB found ongoing GDPR infringements and the immediate threat to data subjects, leading to this unprecedented action. You can read the press release here.

Artificial intelligence Act: The Council and Parliament strike a deal on the first rules for AI in the world

Following a 3-day ‘marathon’ of talks, the Council presidency and the European Parliament’s negotiators have reached a provisional agreement on the artificial intelligence act, the proposal for harmonised rules on AI. The draft regulation aims to ensure that AI systems placed on the European market and used in the EU are safe and respect democracy, fundamental rights, the rule of law and EU values. The rules establish obligations for AI based on its potential risks and level of impact. This landmark proposal also aims to stimulate investment and innovation in AI in Europe. Work will continue at technical level in the coming weeks to finalise the details of the new regulation. The entire text will need to be confirmed by both institutions and undergo legal-linguistic revision before formal adoption by the co-legislators. You can read the European Council of the EU press release here and the European Parliament’s press release here.

ENISA: EU and US intensify their cooperation on cybersecurity

The European Union Agency for Cybersecurity (ENISA) and the US Cybersecurity and Infrastructure Security Agency (CISA) have significantly enhanced their cooperation. Announced on December 07, 2023, during the EU-US Cyber Dialogue, this strategic cooperation is underpinned by a new Working Arrangement. The initiative is a direct response to escalating cyber threats influenced by geopolitical dynamics and to the need for concerted action in securing digital infrastructures and sharing information. High EU representatives, including Josep Borrell and Thierry Breton, emphasised the urgency of international partnerships to combat borderless cyber threats and fortify collective resilience. The collaboration spans various domains, including cyber awareness, exchange of best practices in implementing cyber legislation, and increased situational awareness, while respecting data protection requirements. You can read the press release here.

National Authorities

Denmark: The Danish DPA rules against Hospital using consent to publish photos of patients on Instagram

The Danish Data Protection Agency, in a self-initiated case, has ruled against the Central Denmark Region as data controller in a matter concerning Aarhus University Hospital’s use of Instagram to publish photos of patients. The case arose from a request by a former patient of the hospital. After investigating the case, the Agency found that the Central Denmark Region cannot rely on consent as a legal basis for the processing, as there is an unequal relationship between the patient and the region/hospital. Furthermore, the Agency found that the processing was not in accordance with the principles of Article 5(1) of the GDPR. The Central Denmark Region has been ordered to delete posts containing health information about patients from the Instagram account within four weeks. The press release and decision (in Danish) can be read here.

Denmark: The Danish DPA issues new guidance on rights management

The Danish Data Protection Agency has published a new guideline on access rights, highlighting control over users’ access as a significant factor in mitigating the risk of personal data breaches. In this guidance, rights management is used as a general concept which includes controlling who has access to the organisation’s IT systems and premises, as well as what individual users may use their access for. The guideline seeks to shed light on the real threats known to the Danish Data Protection Agency from its own repository of complex cases. The press release and accompanying documents (in Danish) can be read here.

The Netherlands: DPA blog post: “Concerns about generative AI”

The Dutch Data Protection Authority supervises all types of processing of personal data. This also applies to algorithms and AI in which personal data is processed. Since the beginning of 2023, the agency has intensified its supervision of algorithms and AI. The DPA plans, through a series of blog posts, to publish and discuss the social, legal and technological aspects of the use of algorithms and AI. The inaugural post by Cecile Schut, Director of System Supervision, Security and Technology, can be read (in Dutch) here.

UK: ICO’s insights on data protection in housing

In a recent ICO blog post, Helen Raftery, Head of Data Protection Complaints, discusses the crucial role of data protection in the housing sector. She underscores how mishandling personal data can lead to significant risks for residents, including distress, identity theft, and even physical harm. The blog highlights cases where poor data protection practices have had real-life negative impacts. Raftery emphasises the need for housing organisations to better understand and implement data protection laws to prevent such issues, particularly for vulnerable residents. She suggests key steps for improvement, such as thorough staff training, proper records management, and clear communication about data usage. The blog aims to strengthen compliance and build resident trust in data handling within the housing sector. You can read the full blog post here.

Poland: UODO approves new data protection certification criteria

The Polish data protection authority (UODO) has recently approved new criteria for the accreditation of certification bodies in data protection. This move paves the way for industry-specific certifications in compliance with the GDPR. Certification bodies, accredited by the Polish Centre for Accreditation (PCA) under the ISO/IEC 17065:2012 standard, will assess companies’ adherence to these new data protection standards. While obtaining certification is voluntary, it signals a company’s commitment to the highest data protection standards. Jakub Groszkowski, Deputy President of UODO, highlighted the importance of tailoring data protection guidelines to industry specifics, beyond general principles. Although certification signals compliance, Monika Krasińska of the Department of Jurisprudence and Legislation at the UODO clarified that certified entities will not be exempt from standard control procedures in the event of a personal data breach. You can read the press release here (in Polish).

UK: ICO warns against 2024 becoming the year people lose trust in AI

In a recent keynote address at TechUK’s Digital Ethics Summit 2023, UK Information Commissioner John Edwards cautioned that 2024 might be the year when public trust in Artificial Intelligence (AI) could significantly wane. Edwards highlighted the increasing anxiety among people towards AI and urged tech developers to prioritise privacy from the outset. He emphasised the ICO’s support for businesses employing smart technology, warning that non-compliance with data protection laws is inexcusable. Acknowledging AI’s benefits for business innovation and customer service, Edwards stressed that these should not compromise user privacy. He also warned of firm regulatory actions against “bad actors” who misuse AI for competitive gains. Edwards concluded by underscoring the inseparability of privacy and AI, affirming the ICO’s commitment to assisting businesses in aligning AI usage with data protection laws. You can read the press release here.

Google launches Gemini AI model

Google recently introduced Gemini, a new artificial intelligence model described as its most sophisticated and adaptable to date. This announcement was made public by Sundar Pichai and Demis Hassabis on December 6, 2023. Created by Google DeepMind, Gemini is a multimodal AI, capable of processing different types of data including text, audio, and images. It is offered in three different versions – Ultra, Pro, and Nano – each tailored for specific levels of complexity and usage. The Ultra version, in particular, is noted for its advanced performance in complex language processing and multimodal tasks, reportedly exceeding human levels of expertise in these areas. Gemini’s release marks a significant advancement in AI technology, with implications for a wide range of industries. It is anticipated to offer new problem-solving tools and innovative approaches, highlighting Google’s role in the ongoing development and application of AI technologies. More information on Gemini can be found here.

Luxembourg: CNPD’s decisions on DPO designation by municipalities

The Luxembourg data protection authority (CNPD), in its recent rulings, addressed investigations into the designation of Data Protection Officers (DPOs) by municipalities. Initiated in 2022, these investigations led to six decisions. In four cases, the CNPD found violations of Article 37(1)(a) of the GDPR, which mandates the appointment of a DPO, and of Article 37(7), which requires the DPO’s contact details to be communicated to the supervisory authority. One further decision found a violation of Article 37(7) alone. In the final decision, no violation of the GDPR or of the relevant law was found. In response, the CNPD issued reminders and published these decisions on its website, with no administrative fines imposed due to legislative constraints. Notably, following a CNPD awareness campaign in August 2022, all municipalities have now complied with the DPO designation requirements. These decisions are accessible on the CNPD website under the “Decisions” section. You can read the press release here (in French).

Romania: Sanction for multiple infringements of GDPR

In November, the National Supervisory Authority completed an investigation into the operator Hora Credit IFN SA, in which it found multiple violations of the GDPR concerning its data processing operations. The operator was sanctioned with fines amounting to RON 119,296.8, the equivalent of € 24,000. Moreover, the authority imposed a number of corrective measures on the company.

The enforcement action followed a complaint that the operator Hora Credit IFN SA had sent the complainant, by e-mail, documents containing the personal data of another person, a client of the operator. Although the complainant notified the operator of this error, Hora Credit IFN SA continued to send similar messages to his e-mail address. The authority’s investigation found that Hora Credit IFN SA had not deployed sufficient personal data security measures to prevent unauthorised disclosure of, or access to, personal data by third parties. It was also found that the operator did not notify the Supervisory Authority of the security incident within the required time once it had been brought to its attention. The full decision (in Romanian) can be read here.