Data Protection Weekly 7/2023

Feb 17, 2023

European Union

European Parliament: LIBE Committee concludes that EU-US DPF fails to provide equivalent protection

On Tuesday 14 February, the LIBE Committee of the European Parliament released a draft motion for a resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework, concluding that the framework fails to provide equivalent protection. While the motion recognises the efforts made in the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO) to lay down limits, in particular the principles of proportionality, necessity and legitimate objectives, it finds that these principles as defined in the EO are not sufficiently in line with EU law and its interpretation by the CJEU. Among other points, the motion notes that decisions of the Data Protection Review Court (DPRC) will be classified and not made public or available to complainants, that the DPRC will be part of the executive branch rather than the judiciary, and that the redress mechanism imposes no obligation to notify a complainant that their personal data has been processed.

The draft motion concludes that the EU-US Data Privacy Framework fails to create actual equivalence in the level of protection, and calls on the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence. The draft motion can be read here.

EDPS: The European Data Protection Supervisor issues Opinion on advance passenger information legislative proposals

The EDPS has issued an Opinion on two legislative proposals on the collection and transfer of advance passenger information (API), meaning the personal data of air passengers taken from their travel documents (passport or identity card) at check-in. The Opinion focuses on whether it is necessary and proportionate for the API data of passengers on intra-EU flights, that is, flights from one EU country to another, to be collected and transferred to the competent national authorities for law enforcement purposes. In particular, the EDPS assesses whether such processing is compatible with the existing Passenger Name Record (PNR) Directive, which lays down the rules on the collection of passengers' travel data to tackle cross-border crime and terrorism, and with the recent ruling of the Court of Justice of the European Union (CJEU) in the Ligue des droits humains case. The press release and Opinion can be read here.

The European Commission to hold a series of Digital Markets Act (DMA) stakeholder workshops

The Commission’s DG Competition will hold two technical workshops with interested stakeholders to receive their views on specific issues and questions that may arise in relation to the implementing measures gatekeepers must take to ensure effective compliance with the DMA. The workshops will take place in February and March, following on from one held in December 2022. They will focus on the DMA’s ‘app store related provisions’ and on how the legislation interacts with ‘the interoperability between messaging services’. For more information please read here.


National Authorities

Belgium: Belgian DPA publishes a press release on the EDPB cookie Taskforce Report

In a press release published on Friday 10 February, the Belgian DPA stressed that, in its opinion, a “reject all” option is required on the first layer of cookie banners. The Belgian DPA also stated that the ePrivacy rules apply not only to cookies but also to other technologies, notably local storage. The press release (in French) can be read here.

France: CNIL publishes Economic Report on the Implementation of the (EU) Data Governance Act

With the DGA applicable from 24 September 2023, the French DPA has published a new economic report as a contribution to the debate on the regulation of data intermediaries and platforms. The CNIL offers an economic view of the implementation of this new regulation, which will have to be applied consistently with the GDPR wherever personal data are concerned. The press release and report can be read here.

France: CNIL serves formal notice on two higher education establishments for GDPR non-compliance

The president of the CNIL recently put two higher education establishments on notice to comply with the GDPR in respect of the files they use for administrative and educational management. The points of non-compliance relate in particular to the retention period of the data, the information provided to students and the security of the data. The press release can be read here.

Germany: Press release by the State Commissioner for Data Protection of Lower Saxony on the ruling on employee data collection at Amazon Winsen

At its hearing on 9 February, the Administrative Court of Hanover overturned the prohibition order issued by the Lower Saxony State Commissioner for Data Protection (LfD) against Amazon Logistik Winsen GmbH. Through this order, the LfD Lower Saxony had prohibited Amazon Logistik Winsen GmbH from continuously collecting and processing qualitative and quantitative performance data on its employees.

“The employees’ general right to privacy outweighs corporate interests and I am still of the opinion that the general personal rights of the employees prevail,” says State Commissioner Barbara Thiel. “The pressure to adapt and perform resulting from the minute-by-minute collection of performance data, as well as its further processing, is, in my view, to be weighted higher than the economic interest of the company.” Read the press release (in German) here.

Germany: 45 years of the Federal Commissioner for Data Protection

For 45 years, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) has been monitoring whether the legal provisions on data protection are implemented and complied with. This has always been about protecting citizens’ privacy and their right to (informational) self-determination.

BfDI Professor Ulrich Kelber continues to stand by this aspiration, especially in view of the massive technological and societal changes since 1978: “Today, globally operating companies and platforms, ‘Big Data’ and learning algorithms present us with new challenges. With the GDPR, we have managed, together with other countries, to counter these developments with a strong set of rules based on European values.”

With the advent of new legal acts on digitalisation, such as the Data Governance Act, the Digital Services Act, the Digital Markets Act and the Artificial Intelligence Act, the European Union is taking the next step in its regulatory approach. From the BfDI’s point of view, this is long overdue: “We urgently need more transparency for algorithms, clear red lines for behavioural tracking and restrictions on manipulative designs. I am therefore glad that there are more and more data protection laws around the world based on the European model, for example in Japan or in Brazil. This shows how valuable the exchange is in the European Data Protection Board and in international formats such as the Global Privacy Assembly, the ‘Berlin Group’ or within the framework of the G7. The BfDI is consistently continuing on the path that was started 45 years ago.” Read the press release (in German) here.

Germany: Supervision and awareness – data protection on the rise

The Rhineland-Palatinate State Commissioner for Data Protection and Freedom of Information (LfDI) has drawn up its action plan 2023. It focuses on creating and maintaining digital sovereignty with regard to technical developments, digitisation processes, and data flows.

Overarching themes will be the creation and preservation of digital sovereignty and, related to this, the handling of software applications from certain providers with a monopolistic or oligopolistic character. In addition, the LfDI is again planning to carry out more on-site inspections and investigations, for example in local authorities that use the ‘Einer für Alle’ (EfA, ‘one for all’) service approach under the OZG (Online Access Act). Moreover, in the aftermath of the coronavirus pandemic, the LfDI intends to check that medical records have in fact been deleted, for example at schools or employers; these planned spot checks are to be seen as a “tidying up” exercise following the pandemic. Read the press release (in German) here.

Germany: Baden-Württemberg State Commissioner for Data Protection and Freedom of Information releases its 38th Data Protection Activity Report, covering 2022

In 2022, one of the LfDI’s key priorities was the question of how scientific research can be supported more efficiently while at the same time ensuring adequate protection of the personal data researchers require. In this regard the LfDI paid particular attention to research involving health data.

To that end, and in order to strengthen citizens’ trust in the handling of their data by researchers while enabling high-quality research, the LfDI focused on detailed advice and guidance throughout the year. For example, it supported university hospitals in coronavirus research.

In the coming year, the state parliament in Baden-Württemberg will focus on artificial intelligence as a topic for the future, and the Land Commissioner’s Office has accordingly increased the number of staff working on artificial intelligence. This means that start-ups and actors in the health, social and education sectors can expect effective advice and support on the use of emerging technologies. You can download the activity report (in German) here.

UK: Top tips for games designers – how to comply with the Children’s code

The ICO has developed a series of recommendations to help games designers understand exactly how to apply the Children’s code. Whether redesigning classic arcade-style games or using the latest VR, the ICO guidance lists practical steps to ensure compliance with the Children’s code. You can find the guidance here.



EDPB reportedly ready to rule on the Meta data transfer case by April 14

According to POLITICO, the EDPB will issue a binding decision in the case scrutinising Meta’s data transfers by April 14. While a new transatlantic data deal is being finalised and is expected before the summer, that could be too late, as it would leave Meta without a proper legal basis for transferring the data it holds on Europeans in the period between the regulators’ decision and the new deal taking effect. The POLITICO article can be read here.

German Constitutional Court strikes down predictive algorithms for policing

The German Federal Constitutional Court declared the statutory basis for the use of Palantir analysis software by police in Hesse and Hamburg unconstitutional in a landmark ruling on Thursday 16 February. The ruling concludes a case brought by the German Society for Civil Rights (GFF) last year; hearings began in December 2022. The plaintiffs argued that the software could be used for predictive policing, raising the risk of mistakes and discrimination by law enforcement. The EURACTIV story can be read here. The Court’s press release and decision can be read here.

The FPF publishes its report on European data protection authorities’ enforcement strategies for 2023

The Future of Privacy Forum (FPF) report analyses the annual reports and strategic documents published by national DPAs. It describes where the DPAs’ priorities show common trends or notable deviations, and contains links to and translated summaries of strategic documents from nine EU member state DPAs. The press release and report can be read here.

UN Guide on PETs for Official Statistics

The UN has published a guide on methodologies and approaches for mitigating privacy risks when using sensitive or confidential data. The guide is designed to assist national statistics offices with best practices and recommendations as they apply privacy enhancing technologies to the processing of data. The guide can be read here.

IAB Europe Seeks Court Decision on Validation Of The Action Plan as it Moves Forward With TCF Evolutions

IAB Europe has confirmed that it has lodged a formal request for interim measures with the Belgian Market Court in the Transparency and Consent Framework (TCF) case. This follows the decision by the Belgian Data Protection Authority (APD) to validate the action plan submitted by IAB Europe on 1 April 2022 as one of its obligations under the Authority’s February 2022 decision. The IAB Europe press release can be read here.

Health info for 1 million patients stolen using critical GoAnywhere vulnerability

One of the biggest hospital chains in the US said hackers obtained protected health information for 1 million patients after exploiting a vulnerability in an enterprise software product called GoAnywhere.

Community Health Systems of Franklin, Tennessee, stated in a filing with the Securities and Exchange Commission on Monday that the attack targeted GoAnywhere MFT, a managed file transfer product that the cybersecurity firm Fortra licenses to large organisations. The compromised data included protected health information as defined by the Health Insurance Portability and Accountability Act, as well as patients’ personal information. The Ars Technica article can be read here.

Cookie pop-ups without a disagree button? How some publishers have found a way to be EU compliant

“[…] Following a precedent-setting case by the Austrian DPA, websites with digital subscriptions have found a way to save a large portion of their advertising revenue while providing readers with a fair no-tracking alternative. This model is already well established on Austrian, French and German markets.

Long story short, if you provide visitors with alternative access to the content, without tracking and for a fair price, the cookie banner can be used in the form of a cookie wall, preventing access to the content and thus limiting the offer to the visitor/user to only two options, ‘Consent or Pay’. You might have heard of the ‘PUR model’, which is how Western European publishers refer to this solution.

[…] The validity of this implementation is backed by the German State Commissioner for Data Protection of Lower Saxony: ‘It is not a violation of voluntariness if, in addition to the consent, the alternative is offered of bringing about the visibility of the content through an appropriate payment.’” Read the full article here.



Italy: The Civil Court in Rome overturns an enforcement action by the Italian DPA

The Garante had imposed a fine of approximately €27 million on Enel Energia for alleged GDPR infringements relating to the unlawful processing of users’ personal data in its telemarketing activities. That decision has now been overturned on appeal. The full decision of the Court is not yet available. You can read more (in Italian) here.

Italy: The Court of Udine suspends fines imposed by the Italian DPA on health authorities

The Court of Udine has suspended an order issued by the Italian DPA. On 15 December 2022 the Garante had fined the Friuli Centrale University Health Authority (together with the ASFO and ASUGI health authorities) €55,000 each for deploying an algorithm it deemed ‘invasive’. The AI application identified a list of ‘susceptible’ patients with particular health profiles, which was then passed to GPs so that those patients could be invited for influenza and pneumococcal vaccinations. The press article (in Italian) can be read here.