Data Protection Weekly 5/2023

Feb 6, 2023

European Union

The European Commission: DSA – Guidance on the requirement to publish user numbers

The European Commission has published non-binding guidance on how to account for the number of EU users for online platforms and search engines. For context, practical questions have been raised on the provisions of the DSA concerning the obligation to publish information on the number of users. The guidance document provides answers to a number of questions that the Commission services have received from providers of intermediary services in light of the deadline of 17 February 2023. The Q&A (in English, French and German) can be read here.

European Commission Study on the impact of recent developments in digital advertising on privacy, publishers and advertisers

The EU has published a study that, on balance, indicates a strong case to reform digital advertising. It indicates that the status quo is unsustainable for individuals, publishers and advertisers. The report states that digital advertising that relies on the collection of personal data, tracking and massive-scale profiling can have unintended consequences on data protection rights, security, democracy and the environment. The study points to gaps in the regulatory framework which could enable many of the issues highlighted to persist. The report also advocates for the need to improve transparency and accountability, and the enhanced protection of individual control over how personal data is used for digital advertising. The full report can be read here.

EDPB: Data Protection Day 2023

On the occasion of Data Privacy Day 2023, the EDPB released a video taking a look back at GDPR enforcement across the years and how the EDPB helps all the EEA DPAs act as one to make sure your rights are protected. The video can be seen here.

EDPS: Top 3 Consultations and Complaints of 2022

The EDPS published an infographic on the top 3 complaints and consultations dealt with in 2022; you can access the infographic here.

European Commission: EU and Singapore launch Digital Partnership

The EU and Singapore are strengthening their cooperation as strategic partners. Following the announcement of a new Digital Partnership between the EU and Singapore by President von der Leyen and Prime Minister Lee at the EU-ASEAN summit in December 2022, Commissioner for the Internal Market Thierry Breton and Singapore Minister of Industry and Trade S Iswaran signed a Digital Partnership that will strengthen cooperation between the EU and Singapore on digital technology areas. Both sides have agreed to work together on critical areas such as semiconductors, trusted data flows and data innovation, digital trust, standards, digital trade facilitation, digital skills for workers, and the digital transformation of businesses and public services. You can read the European Commission press release here.

National Authorities

France: The CNIL publishes its annual enforcement report for 2022

The CNIL report confirms that enforcement trends for 2022 were reinforced compared to 2021, both by the number of measures adopted (21 penalties and 147 formal notices) as well as by the cumulative amount of fines which once again exceeded 100 million euros. A detailed press release (in French) can be found here.

France: The CNIL publishes a guide for recruiters

In 2002, the CNIL published a recommendation “relating to the collection and processing of personal information during recruitment operations”. Twenty years on, with the rise of new technology multiplying recruitment channels and tools, the processes and risks associated with personal data have evolved considerably. The CNIL now offers a new guide as well as a set of practical steps to support recruitment actors in their compliance efforts. The press release and documentation can be found here.

Sweden: Data protection officers point to problems applying GDPR

A survey by the Swedish DPA (IMY) notes that less than half of responding data protection officers (DPOs) are of the opinion that their own organisation works continually and systematically on data protection issues. The IMY has now published the report “Data Protection in Practice”, which is based on a survey of data protection officers in over 800 organisations. The report provides an indication of the conditions under which data protection is applied in organisations required to have DPOs. You can read the full press release and report (in English) here.

Slovenia: The new Personal Data Protection Act (ZVOP-2) enters into force

After a number of delays, on December 15, 2022, the Slovenian National Assembly finally adopted the Personal Data Protection Act (ZVOP-2), which came into force on 26 January, introducing a number of innovations to the field of data protection, including additional conditions regarding authorized persons (DPOs) for the protection of personal data. The Information Commissioner has been updating the website and supporting materials (forms, templates, guidelines) to assist controllers and processors of personal data. The press release (in Slovenian) can be read here.

UK: The ICO issues letter to Council for use of facial recognition technology in schools

The ICO issued a letter to North Ayrshire Council (NAC) following their use of Facial Recognition Technology (FRT) to manage ‘cashless catering’ in school canteens. The story was first brought to the ICO’s attention in October 2021 when NAC introduced FRT into nine of its schools. NAC stopped processing shortly after data protection concerns were raised with the authority. While facial recognition technology and other new technologies can offer benefits within an education setting, they process special category data and are not without risk. The ICO want to ensure that educational authorities can access the benefits of new technologies, whilst also protecting children’s data and safeguarding their rights. The statement and ICO letter outlining the possible UK GDPR infringements and recommendations can be read here.

UK: Former RAC employee fined for stealing data of victims of road traffic incidents

A former employee of the UK roadside assistance company RAC has pleaded guilty and been fined for stealing and selling the data of victims of road traffic accidents. The RAC had received 21 complaints from suspicious drivers who received calls from claims management companies following accidents in which the RAC had assisted. Following an internal RAC investigation, a search warrant was subsequently executed by the ICO that uncovered evidence leading to the guilty plea. The ICO press release can be read here.


EU Commission preps national authorities on Digital Services Act implementation

The EU executive delivered a presentation to the competent national authorities that will enforce the Digital Services Act (DSA) on the designation of very large online platforms, the governance architecture and an information-sharing system. The EU executive will be the primary enforcer on large online platforms. In contrast, smaller actors will be the competence of the Digital Services Coordinator, which will also coordinate with other national competent authorities as relevant. The full EURACTIV story can be read here.

Europe-wide large scale GDPR case monitoring triggered by ICCL

Following action by the Irish Council for Civil Liberties (ICCL), the European Commission will start regularly checking the progress of all “large-scale” GDPR cases across the EU. The European Commission has now committed to examining every large-scale GDPR case, everywhere in Europe. It will measure how long each procedural step in a case is taking, and what the relevant data protection authorities are doing to progress the case. The Commission will conduct the checks six times per year. The ICCL press release can be found here.

ISO publishes 31700-1 and 31700-2 standards on consumer protection and Privacy by Design for consumer goods and services

The International Standards Organization (ISO) has published its standards ISO 31700-1 and ISO/TR 31700-2 on consumer protection and Privacy by Design for consumer goods and services, after approval of the project in 2019. In summary, ISO 31700-1 provides high-level requirements for Privacy by Design to protect privacy throughout the lifecycle of a consumer product, including data processed by the consumer. You can read more on ISO 31700-1 here. ISO/TR 31700-2, which provides illustrative use cases with associated analysis to assist in understanding the requirements of ISO 31700-1, can be read here.

European Parliament readies position on the Data Act

EURACTIV provides an overview of the main changes EU lawmakers introduced to the new data law ahead of the EU Parliament’s key votes. In the European Parliament, lawmakers of the Industry committee, who have been leading the work on the Data Act, are set to adopt their report on 9 February. The European Parliament’s position is set to be confirmed in a plenary vote in March. You can read the full article here.

Industry associations ask EU policy makers to pull the brakes on Data Act

“In a joint statement published Wednesday 1 February, 30 trade associations urged the Data Act’s co-legislators to avoid ‘a leap into the unknown’ with the new law.

[…] However, for industry organisations like Digital Europe, Business Europe and the European Tech Alliance, the co-legislators are progressing too quickly without giving enough consideration to the potential impact the regulation might have on European companies’ data-driven business model.” You can read the full article here.

MEPs to discuss regulatory dialogue on high-risk AI classification

MEPs were due to deliberate this week on how artificial intelligence (AI) systems should be classified in terms of the actual or potential risks they pose under the AI Act. The agenda includes a potential compromise by the co-rapporteurs Brando Benifei and Dragos Tudorache. At the same meeting, lawmakers were expected to formally endorse the compromises on the requirements for high-risk AI systems and measures to favour innovation. The EURACTIV story can be read here.

Shoshana Zuboff: ‘Privacy has been extinguished. It is now a zombie’.

Shoshana Zuboff, a professor emerita at Harvard Business School, who published the bestseller The Age of Surveillance Capitalism in 2019, gave an interview to the Financial Times (FT) on the challenges of reining in the technology (and firms) that continues to undermine privacy to the detriment of society. She remarks: “We have fantastic scholars, researchers, advocates who are focused on privacy, others who are focused on disinformation, others who are focused on the nexus with democracy. This ‘Balkanisation’ reduces the ability to pinpoint the actual source of harm”. The full FT interview can be read here.

JD Sports says 10 million customers hit by cyber-attack

JD Sports has confirmed that a cyber-attack that hit the company between 2018 and 2020 may have resulted in the data leak of 10 million customers. The company said information that “may have been accessed” by hackers included names, addresses, email accounts, phone numbers, order details and the final four digits of bank cards. The data related to online orders between November 2018 and October 2020. JD Sports said it was contacting affected customers. The BBC article can be read here.

Google Fi says hackers accessed customers’ information

Google’s cell network provider Google Fi has confirmed a data breach, likely related to the recent security incident at T-Mobile, which allowed hackers to steal millions of customers’ information. In recent communications Google said that the primary network provider (T-Mobile) for Google Fi recently informed the company that there had been suspicious activity relating to a third-party support system containing a “limited amount” of Google Fi customer data. You can read the TechCrunch story here.


Finland: Administrative fine imposed on company for processing health information without appropriate consent

The Office of the Data Protection Ombudsman for Finland imposed an administrative fine of €122,000 on an unnamed company for multiple GDPR violations, for not having sought user-specific consent in its services for the processing of health-related personal data. Moreover, the processing of health data is core to the company’s business. In addition, the Data Protection Ombudsman ordered the company to rectify its practices for requesting consent. The Office of the Data Protection Ombudsman investigated the company’s practices based on complaints made in 2018–2019. The company’s services are also available in other EU and EEA member states, so the matter was processed in cooperation with their supervisory authorities. One of the complaints had been filed in another member state. You can read the Ombudsman press release (in English) and the published decision (in Finnish) here.