Data Protection Weekly 50/2023

Dec 18, 2023

European Union

EDPB: Application of the GDPR successful, but sufficient resources are necessary to tackle the challenges of the future

During its plenary last week, the EDPB adopted its contribution to the European Commission’s report on the application of the GDPR. The EDPB considers that the application of the GDPR in its first five and a half years has been successful. While a number of important challenges lie ahead, the EDPB considers it premature to revise the GDPR at this point in time and calls on the co-legislators to swiftly adopt the new Regulation laying down additional procedural rules for the cross-border enforcement of the GDPR. In addition, the EDPB stresses that the DPAs and the EDPB need sufficient resources to continue carrying out their tasks. EDPB Chair Anu Talus had this to say: “The GDPR has strengthened, modernised and harmonised data protection principles across the EU. The EDPB guidance played a key role in making individuals and businesses aware of their rights and responsibilities under the GDPR. We will keep on supporting the implementation of the GDPR in particular by SMEs, and more generally raising awareness of the GDPR. In addition, cooperation among DPAs and enforcement of the GDPR has gained momentum. More than ever, the EDPB is committed to ensuring effective and consistent enforcement of the GDPR.” The full press release can be read here.

CJEU: Cybercrime – the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage

In a recent judgment in Case C-340/21, the Court of Justice of the European Union (CJEU) answered several questions referred by the Bulgarian Supreme Administrative Court for a preliminary ruling on the interpretation of the GDPR. The referral sought clarification of the conditions for awarding compensation for non-material damage to a data subject whose personal data, held by a public agency, were published on the internet following an attack by cybercriminals. In this particular case, the Bulgarian national revenue agency (NAP), the data controller, was the victim of a cyberattack that resulted in the personal data of millions of data subjects being published online. Many individuals subsequently brought legal actions against the NAP for compensation for non-material damage caused by the fear that their data might be misused. The CJEU concluded that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting ‘non-material damage’. In addition, the Court ruled that it must be assessed whether the protective measures implemented by the data controller against cyberattacks were appropriate. You can read the CJEU press release detailing the Court’s clarifications here.

European Parliament: MEPs support creating EU Health Data Space to boost access to data and research

Last Wednesday, MEPs adopted their position on creating a European Health Data Space to ease access to personal health data and boost secure sharing. The new European Health Data Space (EHDS) would empower citizens to control their personal healthcare data and facilitate secure sharing for research and altruistic (i.e. not-for-profit) purposes. MEPs would like to see the EHDS deliver better healthcare through portability rights, data sharing for the common good with safeguards, and even stronger safeguards for sensitive data. The plenary adopted the report, which will serve as Parliament’s negotiating mandate in talks with the Council on the final form of the legislation, with 516 votes in favour, 95 against and 20 abstentions. The Parliamentary press release can be read here.

European Parliament: New EU rules needed to address digital addiction

Parliament calls for the development of ethical digital products that do not rely on dark patterns and addictive designs. In a report adopted on Tuesday with 545 votes in favour, 12 against and 61 abstentions, MEPs warn of the addictive nature of online games, social media, streaming services, and online marketplaces, which exploit users’ vulnerabilities to capture their attention and monetise their data. They want to increase consumer protection through safer alternatives, even if these are not as profitable for social media platforms. Parliament has urged the European Commission to address existing legal gaps and introduce new legislation against addictive (product) design. You can read the Parliamentary press release here.

European Commission: publication of template for DMA gatekeepers for their reporting obligations on consumer profiling techniques

The European Commission has published its templates for gatekeepers’ reports on consumer profiling techniques and for the accompanying independent audit under the Digital Markets Act (DMA). Gatekeepers are obliged to submit these reports to the Commission as part of their obligations under Article 15 of the DMA. The reports on consumer profiling techniques must describe, in a detailed and transparent manner, all relevant information on all techniques used for profiling consumers that are applied to or across any core platform services offered by the gatekeeper. The gatekeepers designated on 5 September 2023 need to submit their first report, as well as a non-confidential overview, by 7 March 2024. The press release can be read here.

European Commission: The Commission publishes Q&A on regulating the use of Artificial Intelligence

The AI Act and the Coordinated Plan on AI are part of the European Union’s efforts to be a global leader in the promotion of trustworthy AI at international level. This Q&A is designed to outline how the new legal framework will apply to both public and private players deploying AI systems, inside and outside the EU, that impact EU citizens. The Q&A covers areas such as the mandate of the European AI Office, when the AI Act will be fully applicable, and what infringements and the corresponding penalties will look like. The full document can be read here.

National Authorities

France: The CNIL and the Competition Authority sign a joint declaration

The French DPA, the CNIL, and the French Competition Authority have published a joint declaration entitled “Data protection and competition: a common ambition”. With this declaration they confirm their intention to deepen their cooperation and to review how data protection and competition are taken into account across their respective actions. The two regulatory authorities have decided to address these issues together and to build on their already well-established cooperation by mobilising the synergies between their respective missions in the service of businesses and users. This cooperation will also provide the economic actors concerned with better predictability and enhanced legal certainty. You can read the press release and statement (in French) here.

Estonia: The DPA announces genetic testing company data breach

The Estonian DPA recently reported that in mid-November, Asper Biogene OÜ, a genetic testing company, informed the police, the State Information System Agency and the Data Protection Inspectorate (DPA) that the company’s databases had been illegally accessed and that a number of files had been downloaded. The police have since started a criminal investigation and the DPA has commenced supervisory proceedings against the data processor.

Approximately 100,000 copies of different files were downloaded from the database, containing the personal and health information of approximately 10,000 people; these people are being notified personally. A number of the files contained the results of genetic tests that health care providers and individuals had ordered from the company. An audit is currently ongoing to clarify the exact content and nature of the compromised data. Asper Biogene OÜ has cooperated with the police inquiry to clarify the circumstances of the breach. The DPA press release (in Estonian) can be read here.

Germany: DSK press release calls for clear accountability for manufacturers and operators on AI regulation

The Conference of Independent Data Protection Supervisory Authorities of the Federal and State Governments (DSK) has demanded that the intended European Act on Artificial Intelligence (AI Regulation) appropriately assign responsibilities along the entire AI value chain. It is the DSK’s position that this is the only way to protect the fundamental rights of data subjects when their data is processed by an AI application. Any legal uncertainty in this area would be detrimental to citizens, and in particular to small and medium-sized enterprises, as they will bear a high level of legal responsibility. Companies need clear rules to ensure that the risks of AI remain manageable. The DSK holds that the upcoming AI Regulation should therefore specify for all parties involved, including manufacturers and suppliers of basic models, what requirements they must meet. A unilateral shift of legal responsibility to the latter stages of the value chain would be the wrong approach in terms of both data protection law and economic fairness. Only when a high level of process and trust is established will there be a high level of acceptance for the opportunities associated with AI. The full press release can be read (in German) here.

Germany: Automated (AI) decision-making must not play a decisive role – Hamburg DPA releases statement

The precedent set by the ECJ’s SCHUFA judgment has consequences far beyond credit agencies, as its interpretation can be applied to the use of many AI systems. Thomas Fuchs, Hamburg’s Commissioner for Data Protection and Freedom of Information, had this to say: “The ruling is of groundbreaking importance for the digital society. Those affected by non-transparent decisions, both by credit agencies and AI-based systems, are empowered. The Court has thus specified the rules of the game for the use of artificial intelligence. AI systems often resemble a black box in their decision-making and evaluate people in an incomprehensible way. The same applies to artificial intelligence as to credit agencies: you must not trust them blindly. People must always have the last word, and those affected can demand this. Decision-makers must actually be able to question an AI’s suggestions, and they must take into account the individual situation of those affected. This requires expertise, sufficient resources and insights into the decision-making processes within AI.” The full statement can be read (in German) here.

Germany: The Baden-Württemberg DPA releases discussion paper on legal bases in data protection and the use of Artificial Intelligence

The paper is intended to help responsible bodies in Baden-Württemberg deal with the legal bases that data protection law provides for the deployment of AI systems. Its starting point is the applicable law, coupled with the requirements of the European Union’s proposed AI Regulation laying down harmonised rules for artificial intelligence, which has yet to be finalised and is therefore referenced only where possible. The designation as a discussion paper is intended to underline that these are not final determinations, also with regard to individual points, and that the paper reflects the current state of discussion. Together with an additional collection of source material, the discussion paper is ultimately to be understood as a working aid for better identifying specific applications and scenarios within the legal framework. Described as a ‘living document’, the paper is intended by the DPA to create added value for companies and associations (non-public bodies) as well as for authorities (public bodies) by explaining central terms, providing an overview of the legal bases in the GDPR, the Federal Data Protection Act (BDSG) and the State Data Protection Act Baden-Württemberg (LDSG BW), and setting out the legal assessments and questions to be undertaken and answered. The paper (in German/English) can be read here.

Italy: Italy’s DPA, the Garante, and the ACN join forces to publish Password Retention Guidelines for a safer digital environment

Passwords continue to play a vital role in protecting people’s lives in the digital world. It is with the aim of raising the level of security, both for digital service providers and software developers, that the National Cybersecurity Agency (ACN) and the Garante have developed specific guidelines on password storage, providing important indications on the technical measures to be adopted. The Guidelines are aimed at all companies and administrations that, in their capacity as data controllers or data processors, store the passwords of their users on their systems, particularly where the passwords of large numbers of data subjects are stored. Moreover, the Guidelines are designed to provide recommendations on the cryptographic functions currently considered the most secure for storing passwords, with the objective of preventing authentication credentials from being breached and used for nefarious and criminal activity. You can read the full press release and guidelines (in Italian) here.

Poland: The Polish DPA, the UODO, has approved a Code of Conduct for the health care sector

The President of the UODO has approved a Code of Conduct for the health care sector prepared by the Polish Hospital Federation. The signed document is the first code in Europe covering public and private entities from the medical sector. The approved code is a comprehensive tool for administrators and entities processing personal data in the health care industry, which the data protection authority sees as consistent with the provisions of the GDPR and as constituting an appropriate safeguard provided for by the regulation. The supervisory authority has granted accreditation to KPMG Advisory sp. z o. o. sp. k., which will act as the monitoring entity for the application of the code among its private-sector members. For more information on the code and documentation, you can read the press release (in Polish) here.

Poland: The Polish DPA, the UODO, has approved a GDPR compliance certification framework

The UODO has approved additional requirements for the accreditation of certifying entities. Based on these requirements, accredited certifying entities will be able to verify whether personal data processing operations carried out by controllers and processors comply with the GDPR. The certification scheme aims to increase transparency and improve compliance with personal data protection standards. Certification mechanisms, including certification criteria, may be developed by entities wishing to obtain certification in accordance with requirements specific to particular industries. Certification criteria are subject to approval by the relevant supervisory authority or by the European Data Protection Board (where the criteria are approved by the EDPB, this may result in a common certification, the European Data Protection Seal). The certifying entities will award certificates to applicant companies from different sectors. Holding a certificate will be voluntary, with the purpose of confirming the highest standards of compliance with the applicable personal data protection regulations. Certification will be performed by certifying entities accredited by the Polish Centre for Accreditation (PCA). You can read the press release (in Polish) here.

Spain: The AEPD participates in the European Blockchain Sandbox, a European Commission project to offer legal security

It was announced that the Spanish Data Protection Agency (AEPD) will participate in the European Blockchain Sandbox, an initiative of the European Commission that aims to provide a framework for regulators, supervisory authorities and entrepreneurs with projects that use blockchain to participate in a regulatory dialogue. The sandbox will also serve to identify obstacles collectively and increase the legal security of these innovative technological solutions, while offering guidance in a safe and confidential environment. A ‘good practices’ report will be published at the conclusion of the initiative. The press release (in Spanish) can be read here.

United Kingdom: The ICO has published two new pieces of employment guidance for consultation

The ICO is producing topic-specific guidance on employment practices and data protection. Two new pieces of guidance are now out for public consultation: one on keeping employment records, the other on recruitment and selection. Both consultations close on 5 March 2024. For more information on how to respond to each consultation, please read the press release here.

Global

Threads: Meta’s rival to Elon Musk’s X launches in the EU

Meta’s social media app ‘Threads’ has launched in the European Union, five months after its release in other parts of the world. The company delayed its launch in EU countries in order to fully assess the impact of the recently introduced Digital Services Act, which has tightened the rules around data and big tech. The introduction of the Digital Markets Act has also added to the complexity around Meta’s designation as a ‘tech gatekeeper’. A Meta spokesperson said the platform had undergone “significant improvements” since its launch in other countries in July. EU users can choose to create a Threads profile that is connected to their Instagram account, which means they get the same experience as everyone else around the world, or use Threads without a profile. You can read more here and the Meta announcement here.

NOYB: GDPR complaint against X (formerly Twitter) over illegal micro-targeting for chat control ads

NOYB has filed a complaint with the Dutch DPA against X (formerly Twitter) for unlawfully processing the political views and religious beliefs of its users for targeted advertising purposes. It is alleged that the company used this special category (sensitive) data to determine whether users should see an ad campaign by the EU Commission’s Directorate-General for Migration and Home Affairs, which tried to rally support for the proposed EU “chat control” regulation in the Netherlands. In November, this alleged unlawful micro-targeting had already prompted NOYB to file a complaint against the EU Commission. NOYB has now followed up with the present complaint against X, which holds that by enabling this practice in the first place, the company violated both the GDPR and the DSA. You can read the press release and complaint here.

Sanctions

Norway: The Norwegian DPA imposes fine on SATS for violating several provisions of the GDPR

Norway’s data protection authority, Datatilsynet, announced that it has imposed a NOK 10 million (approx. EUR 850,000) fine on the fitness chain SATS for allegedly violating the GDPR. The Norwegian authority received several complaints about SATS during the period 2018 to 2021. The complaints concerned alleged infringements of the complainants’ rights under the GDPR as customers of the fitness chain, in particular the company’s failure to comply with access and erasure requests. As the complaints against SATS were similar in many respects, the Norwegian SA chose to consider them together as one case. You can read more on the case and decision (in English) here.