European Union
European Commission: EU-U.S. Data Privacy Framework, draft adequacy decision
On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (DPF), which will facilitate trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.
The draft adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to the US. This is based on an in-depth assessment of the Data Privacy Framework (DPF) itself and its obligations for companies, as well as the limitations and safeguards on access by US public authorities to data transferred to the US, in particular for criminal law enforcement and national security purposes.
As expected, the Commission draft confirms the concepts of necessity and proportionality as fundamental. Binding safeguards will limit access to personal data by US intelligence agencies to what is necessary and proportionate to protect national security. Moreover, US intelligence agencies will need to establish internal procedures to ensure organisational compliance with these rules. A two-stage redress mechanism will be available to EU data subjects for complaint resolution: a first port of call with a Civil Liberties Protection Officer, and a second level for complaints with a Review Data Protection Court with powers to issue binding decisions. Lastly, EU data subjects will have options for redress against certifying companies. Companies that re-certify under Privacy Shield 2.0 will also have a number of privacy compliance obligations to adhere to, such as the principle of purpose limitation.
The EU approval process leading to an eventual agreement is long; the European Commission expects a decision by summer 2023.
Read the story here and the draft adequacy decision PDF here.
Europe: Leading MEPs exclude general purpose AI from high-risk categories for now
The European Parliament’s co-rapporteurs have circulated a new batch of compromise amendments to the AI Act on classifying high-risk AI systems, leaving out general-purpose AI for future discussions. In particular, with respect to high-risk categorisation, the text clarifies that an AI system is to be considered at high risk if its failure or malfunction could put the health, safety or fundamental rights of individuals at risk. The full story reported by EURACTIV can be read here.
Europe: Dark patterns, online ads will be potential targets for the next Commission, Reynders says
Transparency in the online advertising market, dark patterns and ‘cookie fatigue’ are all topics on which the European Commission might regulate in the next mandate, according to Reynders, the EU’s Justice and Consumer Protection Commissioner. The full story reported by EURACTIV can be read here.
Europe: Landmark agreement adopted on safeguarding privacy in law enforcement and national security data access
OECD countries today adopted the first intergovernmental agreement on common approaches to safeguarding privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes. The OECD “Declaration on Government Access to Personal Data Held by Private Sector Entities” seeks to improve trust in cross-border data flows – which are central to the digital transformation of the global economy – by clarifying how national security and law enforcement agencies can access personal data under existing legal frameworks. It marks a major political commitment by the 38 OECD countries and the European Union that signed up to it during the OECD’s 2022 Digital Economy Ministerial Meeting. The Declaration is also open for adherence by other countries. The press release and link to the Declaration can be read here.
National Authorities
Germany: EDPB calls for implementation of PNR Directive ruling
The EDPB has called on EU Member States to implement the ECJ’s Passenger Name Records (PNR) ruling without delay in order to protect citizens’ fundamental rights. The Federal Office for Data Protection (BfDI), Professor Ulrich Kelber, fully agrees with this demand: Germany should quickly adapt the Passenger Name Records Act in accordance with the ECJ ruling.
In this regard, the BfDI said: “The ECJ ruled in June that the directive on so-called Passenger Name Records or PNR data is still valid but must be interpreted in a much more restrictive way in the future. Since this landmark ruling, however, nothing has changed in Germany or in many Member States, as far as I know. My authority has been pointing out to the legislator for years that there is a considerable need for improvement in the national implementation. That is why my authority has taken a leading role in the EDPB’s joint opinion.” Read (in German) here.
Slovenia: New infographic: drones and privacy
The Slovenian Information Commissioner published, on 1 December 2022, an infographic addressed to drone operators. In particular, the Commissioner explained that the use of drones equipped with cameras and other data capture and processing systems may lead to invasions of privacy and by extension infringements of fundamental rights. The Commissioner stated that the infographic aims to provide useful information on how to take into account the fundamental rights, personal data protection, and privacy when using drones. The press release and link to the infographic (in Slovenian) can be found here.
Fines
Ireland: Data Protection Commission welcomes latest successful prosecution of Marketing Offences
The Data Protection Commission (‘DPC’) announced, on 5 December 2022, the decision of Naas District Court to fine Guerin Media Ltd. €6,000 for sending unsolicited marketing communications, pursuant to Regulation 13 of Statutory Instrument 336 of 2011. In particular, the DPC noted that Guerin Media, a publishing company, sent unsolicited marketing emails to two individuals without their consent. You can read the press release on DPC website here.
UK: ICO fines two lead generation companies
The UK data protection authority (ICO) announced on its LinkedIn page that it has fined two lead generation companies a total of £195,000 for their involvement in sending unsolicited marketing messages to people without their consent.
Ryan Hill Partners was fined £70,000 for sending 400,000 texts, whilst Monetise Media Ltd was fined £125,000 for sending over 3 million texts and emails to people who had not subscribed to their service. Decision documents can be found here.
France: Data security and individual rights: FREE fined EUR 300,000
French phone provider FREE was fined €300,000 by France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL). The CNIL found FREE in violation of several GDPR provisions, among others the data subjects’ right to access their data and right to erasure, failure to ensure the protection of data, and failure to document data breaches. Read the article here.
France: Apple should face EUR 6 million fine, adviser to French privacy watchdog says
Francois Pellegrini, rapporteur and top advisor to the CNIL’s sanction body, has recommended that Apple should face a €6 million fine for breach of privacy rules. His recommendation comes after an investigation by the authority, itself triggered by a complaint filed last year by lobby group France Digitale. The full story reported by Reuters can be read here.
Spain: Spanish data protection authority (AEPD) publishes decision in which it imposed a fine on Vodafone España
The Spanish data protection authority (AEPD) published, on 12 December 2022, its decision in proceeding No. 00296/2022, in which it imposed a fine of €70,000, subsequently reduced to €56,000, on Vodafone España, S.A.U. for violation of Article 6(1) GDPR, following a complaint about processing personal data without a legal basis. In particular, the AEPD highlighted that the complaining party alleged that Vodafone España had transferred their personal data to a third party by issuing a duplicate SIM card to that third party. By not sufficiently verifying the identity of the third party, Vodafone España failed to take the necessary precautions to ensure that the transfer did not occur. The details of the decision can be read (in Spanish) here.
Poland: Polish data protection authority fines Virgin Mobile EUR 341,000
The Polish data protection authority (UODO) published, on 9 December 2022, its decision in Case no. DKN.5112.1.2020, issued on 16 November 2022, in which it fined Virgin Mobile Poland Sp. z o.o. PLN 1.6 million (approx. €341,176) for violations of multiple articles of the GDPR, following a data breach notification to the UODO. The UODO found that Virgin Mobile’s violation of the confidentiality principle, as well as its lack of appropriate technical and organisational measures, had contributed to the occurrence of a personal data breach concerning subscribers’ personal data. You can find the UODO press release (in Polish) and a link to the full decision here.
Portugal: Portuguese data protection authority publishes decision imposing EUR 4.3 million fine on National Institute of Statistics
The Portuguese data protection authority (CNPD) published, on 12 December 2022, its decision in case No. 2022/1072, in which it imposed a fine of €4.3 million on the National Institute of Statistics for violations of multiple articles of the GDPR related to the 2021 Census, following an investigation. More specifically, the CNPD stated that the National Institute, while processing special categories of data relating to health and religion, did not provide citizens with clear and complete information on the optional nature of providing such information, and did not sufficiently explain that several of the questions were optional. Other irregularities related to the appropriate application of SCCs to the subcontracting used for the Census exercise, and to a failure to carry out a DPIA for the processing. The CNPD press release and a link to the decision (in Portuguese) can be found here.