Data Protection Weekly 5/2024

Feb 16, 2024

CEDPO

15th Annual ADPO Conference opens to registration

ADPO, the Irish member of CEDPO, will organise its 15th annual conference on 9 May 2024 at the Radisson Blu Royal Hotel, Dublin. The conference, under the theme “GDPR: The Age of Maturity?”, will explore the evolving challenges and opportunities facing the General Data Protection Regulation (GDPR) as it moves beyond its initial years of application. Aimed at data protection professionals, the event promises insightful discussions with international experts and regulators on the strategic approaches required for navigating the GDPR’s future landscape. This gathering seeks to provide a comprehensive outlook on the regulation’s capacity to adapt and remain effective in an increasingly complex digital and regulatory environment. Registrations are currently open for those looking to engage in these critical conversations. You can read more here. 

European Union

EDPB: Launch of new website auditing tool

The European Data Protection Board (EDPB) has introduced a new website auditing tool aimed at facilitating the analysis of website compliance with data protection laws. Developed within the framework of the EDPB Support Pool of Experts (SPE), this tool is designed for use by both legal and technical auditors at data protection authorities (DPAs) and by controllers and processors for self-assessment purposes. This innovative tool simplifies the audit process by enabling direct analysis of websites, offering compatibility with other auditing tools such as the EDPS website evidence collector, and the capability to generate comprehensive reports. Its development, supervised by the EDPB Secretariat and initially presented at the first EDPB Bootcamp in June 2023, responds to the need for an easy-to-use solution that supports national DPAs’ enforcement activities and assists controllers in ensuring compliance. A second version with new features is planned for later this year. Read the press release here.

EDPS: Opinion on ePrivacy Directive derogation extension to combat child sexual abuse online

The European Data Protection Supervisor (EDPS) has issued an Opinion on the proposed Regulation to extend the temporary derogation from certain provisions of the ePrivacy Directive, aimed at combating child sexual abuse online. The EDPS expresses concerns over the potential infringement on fundamental rights to privacy and the confidentiality of communications. The proposed Regulation would allow specific technologies to be applied to private communications to detect child sexual abuse material for an additional two years. The EDPS criticises the proposal for not adequately addressing the risks to individuals’ privacy and personal data, emphasising the lack of sufficient safeguards against general and indiscriminate monitoring. Despite acknowledging the importance of combating child sexual abuse, the EDPS argues that the proposed measures fail to strike an appropriate balance between this goal and protecting individuals’ fundamental rights, urging for the introduction of effective safeguards before its adoption. Read the press release here and download the full Opinion here.

CJEU: Indefinite storage of convict biometric and genetic data breaches EU law

The Court of Justice of the European Union (CJEU) has ruled in Case C-118/22 that the unlimited and general storage of biometric and genetic data of individuals convicted of crimes, until their death, is in violation of EU law. This decision came from a case in Bulgaria, where an individual, after being legally rehabilitated from a conviction and serving a suspended sentence, sought to have their personal data removed from police records. This request was refused due to national legislation permitting the lifelong retention of such data until the individual’s demise. The CJEU stressed that while the aim of such data storage might be to assist in the prevention and investigation of criminal activities, it necessitates periodic evaluations to determine its ongoing necessity and must allow for the possibility of data deletion upon request. It pointed out the importance of proportionality, observing that not all convicted persons present the same risk of committing further offences, making a blanket approach to data storage unjustifiable. Consequently, this judgment requires member states to ensure that their laws oblige data controllers to regularly review the need for retaining such data and to establish provisions for its erasure when no longer justified. Read the press release here and the full Decision here.

European Commission: First EU-wide cybersecurity certification scheme launched

The European Commission has adopted the first EU-wide cybersecurity certification scheme under the EU Cybersecurity Act, introducing a unified framework for certifying ICT products across their lifecycle. This move aims to increase trust in digital products among citizens, businesses, and public sectors, particularly in sensitive areas like routers and ID cards. Highlighted by Commissioner Thierry Breton, the scheme enhances the EU’s cyber resilience against a dynamic threat landscape and complements the Cyber Resilience Act by setting voluntary cybersecurity standards for hardware and software products. Set to be published in the Official Journal of the EU, the scheme will become effective 20 days later, marking a significant step towards Europe’s digital leadership and the implementation of the NIS2 Directive. Developed through collaboration between the European Union Agency for Cybersecurity (ENISA), industry experts, and member states, the scheme follows extensive consultations and aims to foster a secure digital environment within the EU. Read the press release here.

National Authorities

UK: ICO urges proactive compliance with advertising cookies

In a recent blog post, the UK data protection authority (ICO) has called on organisations to proactively ensure their advertising cookies are compliant with data protection laws, following a positive response to its November call to action. Last November, the ICO contacted 53 of the UK’s top 100 websites, warning of enforcement action if they failed to align their advertising cookies with legal standards. The initiative has yielded significant compliance improvements, with 38 organisations adjusting their cookie banners to comply, and four more pledging to do so within the next month. Additional entities are exploring compliant alternatives, such as contextual advertising and subscription models, with the ICO promising to provide further guidance. The ICO’s future plans include extending its oversight to more websites and developing an AI tool to identify non-compliant cookie banners. This proactive stance underscores the importance of compliance ahead of regulatory scrutiny and reflects the ICO’s commitment to ensuring user privacy and data protection across digital platforms. Read the press release here.

UK: ICO launches campaign to encourage safe data sharing for child protection

The UK data protection authority (ICO) has initiated a campaign, titled ‘Think. Check. Share.’, aimed at promoting the sharing of personal data to protect children from harm, in collaboration with various organisations in education, law enforcement, and social services. This initiative seeks to debunk myths surrounding data protection laws, demonstrating how these laws can facilitate the safe sharing of information to safeguard children and young people. The campaign includes a toolkit with free resources such as posters, videos, and social media content, designed to help frontline staff understand how to share data responsibly and lawfully. The ICO’s effort is supported by major organisations like the National Day Nurseries Association and the College of Policing, which are distributing campaign materials to their staff. A 10-step guide, published earlier by the ICO, provides practical advice on lawful information sharing to prevent harm to children, emphasising the importance of data sharing in child protection while adhering to data protection regulations. The ICO encourages more organisations to join this critical endeavour to ensure the safety of children. Read the press release here.

Spain: AEPD unveils strategy for minors’ digital health and privacy

The Spanish data protection authority (AEPD) launched its comprehensive strategy focused on enhancing the digital health and privacy of minors, illustrating its commitment to safeguarding children and teenagers in the digital realm. This strategy outlines 10 priority actions and 35 measures across three main areas: regulatory collaboration, strengthening rights protection for minors, and exercising investigatory and sanctioning powers against illegal and harmful practices. Key initiatives include the development of age verification systems, cooperation with national and international bodies, and the inspection of educational platforms to ensure data protection compliance. Additionally, the AEPD will collaborate with various stakeholders to improve digital education and well-being, addressing the vast exchange of personal information in digital services and the impact of internet misuse on minors’ health and neurological development. Read the press release here (in Spanish).

Italy: Garante notifies OpenAI that ChatGPT violates GDPR

The Italian data protection authority (Garante) notified OpenAI, the company behind the ChatGPT AI platform, of breaches of data protection law. Following the Garante’s temporary ban on processing imposed on OpenAI on 30 March last year, and based on the outcome of its fact-finding activity, the Garante concluded that the available evidence pointed to the existence of breaches of the provisions contained in the GDPR. OpenAI may submit its counterclaims concerning the alleged breaches within 30 days. The Garante will take into account the ongoing work within the ad hoc task force set up by the European Data Protection Board (EDPB) when making its final decision on the case. You can read more regarding this case here (in Italian).

Sanctions

Netherlands: AP fines Uber €10 million for multiple GDPR breaches

The Dutch data protection authority (AP), in collaboration with the French data protection authority (CNIL), imposed a €10 million fine on Uber B.V. and Uber Technologies Inc. for multiple breaches of the GDPR related to driver information and rights. This action followed a collective complaint from over 170 drivers, facilitated by La Ligue des droits de l’Homme, highlighting challenges in exercising their rights on the Uber platform. The investigation, led by the AP because Uber’s main establishment is in the Netherlands, uncovered several violations. These included Uber’s failure to provide data in an accessible format, inadequacies in the online form for exercising rights within the driver app, incomplete privacy statement details regarding data transfers outside the EU and retention periods, and the omission of the right to data portability. This decision underscores the critical importance of transparent information provision and the protection of data subjects’ rights under the GDPR. Read the press release here and download the full decision here (in Dutch).

France: CNIL fines data broker TAGADAMEDIA €75,000 for unlawful data processing

The French data protection authority (CNIL) fined TAGADAMEDIA €75,000 for failing to obtain valid consent when collecting prospect data through its online competition and product testing websites. This action was part of the CNIL’s 2022 priority investigation into commercial prospecting practices, particularly focusing on data brokers. TAGADAMEDIA was found to be in violation of the GDPR for not having a legal basis for data processing and for the misleading presentation of its consent forms, which did not allow for free, informed, and unambiguous consent. Additionally, the company breached GDPR requirements by not maintaining a clear record of processing activities, specifically failing to designate the data controller in a record shared with a second company. The fine, which constitutes about 1.6% of the company’s turnover, reflects the severity of the breaches, the company’s cooperation, and its attempts to address some of the issues during the procedure. TAGADAMEDIA must now implement a GDPR-compliant data collection form within one month or face further fines. Read the press release here and the full decision here (in French).

France: CNIL fines PAP €100,000 over data retention and data security obligation failures

The French data protection authority (CNIL) fined PAP, the publisher of pap.fr, €100,000 for not adhering to the General Data Protection Regulation (GDPR) regarding data retention periods and data security. Following investigations in March and April 2022, the CNIL identified multiple infringements, including excessive data retention periods for customer accounts, incomplete privacy policy information, an inadequate legal framework in processor contracts, and poor data security practices, such as insufficient password complexity and unencrypted storage of sensitive information. This decision, made in collaboration with several European supervisory authorities under the one-stop-shop mechanism, reflects the seriousness of the breaches, despite PAP’s cooperative actions and attempts to rectify certain violations during the proceedings. Read the press release here and the full decision here (in French).

Italy: Garante sanctions four municipalities for failing to disclose DPO details

The Italian data protection authority (Garante) has concluded the first phase of its investigation into local entities by issuing four sanctioning measures against municipalities for failing to comply with the obligation to notify the authority of the contact details of their Data Protection Officers (DPOs). The investigation aims to ensure compliance with the GDPR mandate for public entities, including municipalities, to appoint a DPO and communicate the DPO’s contact details to the Garante. Three of the municipalities were fined €2,000 each for the non-disclosure of their DPO’s contact information, while the fourth faced a €5,000 fine due to the non-appointment of two DPOs. This development is part of the Garante’s broader initiative to enforce data protection compliance, with a new series of checks already underway targeting a larger group of municipalities that have yet to submit their DPOs’ contact details. The Garante’s actions highlight the critical role of the DPO as a liaison between the data controller (or processor) and the Authority, emphasising the importance of this compliance for facilitating direct and straightforward communication with the regulatory body. Read the press release here (in Italian).