Data Protection Weekly 6/2023

Feb 10, 2023

 European Union

Court of Justice of the European Union: Ruling on dismissal and conflict of interests regarding DPOs

Thursday 9 February the CJEU handed down a ruling which confirmed two separate instances. On the question of dismissal, where Art38(3) of the GDPR provisions that DPOs may not be dismissed or penalised by the controller or processor for performing their tasks, the CJEU confirmed that this does not preclude national legislation providing for the dismissal of a DPO where there is just cause even where the dismissal is not related to performance of tasks, and in so far as the legislation does not interfere with achieving the objectives of the GDPR.

Secondly, in what concerns ‘conflicts of interest’, as per Art38(6) of the GDPR which specifies that a DPO may fulfil other tasks and duties, the controller or processor must ensure additional tasks must not result in a conflict of interest scenario, i.e. where the DPO is determining the methods and objectives of processing personal data on the part of the controller or processor. Assessment of such cases are a matter for national courts on a case by case basis. For the full judgement you can read it here.

ENISA: Protecting Data: Can we Engineer Data Sharing?

To celebrate the European Data Protection Day on 28 January 2023, ENISA – the European Union Agency for Cybersecurity – published a report on how cybersecurity technologies and techniques can support the implementation of the GDPR principles when sharing personal data. The objective of the report is to show how the data protection principles inscribed in the GDPR can be applied in practice by using technological solutions relying on advanced cryptographic techniques. The report also includes an analysis of how data is dealt with when the sharing is part of another process or service. You can access the press release and access to the report here.

National Authorities

Denmark: The Danish Data Protection Authority’s publishes its priorities for 2023

As in previous years, the Danish Data Protection Authority publishes an overview of the themes that will be the focus of the targeted supervisory activities. This year, the protection of children, TV surveillance, and the processing of data in pan-European systems are key areas. For the full list see the DPA, see the press release here.

France: Call for contributions: the CNIL will organize the second edition of its Privacy Research Day on June 14, 2023

As part of the organization of the second edition of Privacy Research Day , the CNIL invites the international scientific community to make presentations of academic publications and research projects in the field of privacy and personal data protection. You can read the press release here.

Germany: The State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate reviews the new content on AI and ChatGPT

‘Chat robots, image generators and other AI systems have been unleashed from IT research labs onto internet users for a few weeks now. This is an occasion to take a closer look at data protection in artificial intelligence’.

Having your essay on Vincent van Gogh written with a few clicks instead of laboriously gathering various sources and constructing beautiful sentences is the promise of software that is currently enjoying great popularity among schoolchildren and students. For this year’s Safer Internet Day (SID), the Rhineland-Palatinate State Commissioner for Data Protection and Freedom of Information takes a look at the topic of artificial intelligence (AI).

[…] The problem is that in many of the systems, the algorithm that makes the decisions is a black box,” says State Data Protection Commissioner Prof. Dr. Dieter Kugelmann. “Whoever develops and controls the algorithm determines the results. This can quickly lead to questionable or false results, political influence or racial discrimination. Transparency of the algorithms and the possibility of having the systems checked by independent third parties are therefore the be-all and end-all before introducing corresponding AI systems, for example in the area of government action.” Read full article (in German) here.

Germany: Thuringian State Commissioner for Data Protection and Freedom of Information TLfDI updates its current guidance ‘handout’ on “Digital Self-Defence” online!

The focus of this year’s 20th Safer Internet Day (SID) 2023 is: How healthy is our digital everyday life and what skills do we need to use digital media in a conscious and balanced way?

It is no longer possible to imagine our everyday life without the internet and smartphones. Digitalisation and the fast-moving times associated with it demand a lot from us. We can’t start the day without checking emails and chats or quickly reading the news to keep up to date. But up to what point is media use still normal and healthy and where do the dangers to our privacy lurk and how can we protect ourselves and our family?

The TLfDI head, Dr Lutz Hasse advises: “Minimise your data on the net – your data is used to create profiles about you without you knowing it. And these profiles are in turn used to make statements or predictions about you. These do not have to be true, but they are used, nonetheless. By whom and for what purpose – unknown!” You can read the press release  (in German) here.

Germany: DSK resolution on the data protection assessment of access to personal data by public authorities of third countries 

The Conference of Independent Data Protection Authorities of the Federation and the States (DSK) evaluates access possibilities of third country public authorities to personal data processed within the EEA in accordance with Art. 28 GDPR as follows:

  • The risk alone that the third-country parent company of an EEA undertaking could instruct it – for example by means of rights to issue instructions under company law – or that public bodies of third countries could directly instruct EEA undertakings to transfer personal data to a third country is not sufficient to assume a transfer to a third country within the meaning of Art. 44 et seq. GDPR.
  • However, such a risk may result in processors subject to such legislation lacking reliability within the meaning of Article 28(1) of the GDPR, unless they – or the controller – have taken technical and/or organisational measures that provide sufficient guarantees that the processor will comply with its obligations.

Read more (in German) here.

Germany: New video conferencing system available for Schools in Hessen

In a press release from 9th January 2023, the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) welcomed the state-wide introduction of a data protection-compliant video conferencing system (VKS) for Hessian schools. With this, a full analysis and testing process which lasted almost three years was finally concluded to the satisfaction of the authority. Read the full press release (in German) here.

Germany: Relationship between data protection supervision and municipal supervision

The Bavarian State Commissioner for Data Protection (BayLfD) on 1 February 2023, released its latest issue of short information bulletins – Current Information Note 45: “Data Protection Supervision and Municipal Supervision”. The Bavarian State Commissioner for Data Protection is responsible for the supervision of data protection in Bavarian public bodies (cf. Art. 15 para. 1 Bavarian Data Protection Act – BayDSG). This also includes public bodies in the municipal sector, especially at the municipal level. At the same time, the municipalities are subject to general state supervision, which takes the form of legal supervision or technical supervision, depending on the area of responsibility. Irrespective of the differences in detail, both forms of supervision also aim to ensure that the supervised bodies are monitored with regard to the legality of their actions and – if necessary – “pointed in the right direction”. In this respect, ‘data protection supervision as well as legal and technical supervision are in a relationship of mutual effectiveness’. Read information document here.

Italy: Artificial intelligence: italian SA clamps down on ‘Replika’ chatbot

The Italian DPA – La Garante – clamps down on ‘Replika’. The AI-powered chatbot, which generates a ‘virtual friend’ using text and video interfaces, will not be able to process personal data of Italian users for the time being. The DPA concluded that the app poses a risk to minors and emotionally vulnerable individuals. Provisional limitation on data processing were also imposed by the Italian Garante on the US-based company that has developed and operates the app; the limitation will take effect immediately. The Garante press release (in Italian and English) can be read here.

Portugal: The Portuguese DPA – the CNPD – has released guidance on technical and organisational measures on the processing of personal data.

The CNPD has issued guidelines for organizations on security measures that must be adopted to minimize the consequences for people’s rights when there are attacks on information systems.

On January 10, the CNPD approved its Directive/2023/1 on organizational and security measures applicable to the processing of personal data, aimed at data controllers and subcontractors, intending to make them aware of their legal obligations in the field of security treatments and the need to invest more in this area. The press release (in Portuguese) can be found here.

Switzerland: Nothing neutral about the new Swiss Federal Act on data protection

“Switzerland is implementing new legislation to better protect its citizens’ data (revFADP), replacing the longstanding Federal Act on Data Protection from 1992. The revFADP improves the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive data protection laws, such as the General Data Protection Regulation (GPDR) and UK GDPR. This important legislative change also comes with a number of increased obligations for companies doing business in Switzerland. Companies must quickly get up to speed on the revFADP requirements because the Act takes effect on September 1, 2023. Companies should not assume that compliance with the GDPR and UK GDPR equals compliance under the revFADP. While this revised legislation has many similarities to the GDPR, there are a few stark differences companies should be aware of. Here is the breakdown of what companies should know.” Read full article here.

UK: ICO’s Age-appropriate design: a code of practice for online services

The children’s code (or Age appropriate design code) is a data protection code of practice for online services, such as apps, online games, and web and social media sites likely to be accessed by children. You can read more and find the Age appropriate design code and pdf here.



What is synthetic data and how it could change our idea of privacy

To train artificial intelligence systems, synthesis datasets are increasingly used that replicate the characteristics of real ones. The editorial article in the Sunday edition of the Italian newspaper La Repubblica technology section examines synthetic data as a technology, how it is being used, and why is it trending in privacy circles. The article (in Italian) can be read here.

Microsoft launches the new Bing, with ChatGPT built in

In an effort to continue to compete with Google, Microsoft announced its integration of OpenAI’s GPT-4 model into Bing which would provide a ChatGPT-like experience within the search engine. The company made the announcement on Tuesday at an event at its headquarters in Redmond in the US state of Washington. In addition, the chatbot technology is to be integrated into Microsoft’s Edge browser. Read the TechCrunch article here.

Could Israel’s EU adequacy status be under threat?

The impending judicial reforms and change in legal frameworks in Israel may cause the European Commission to rethink whether Israel has ‘adequate’ laws in place to protect the personal data of citizens. According to Tobias Judin, Head of the International Section at the Norwegian Data Protection Authority, Israel runs the risk of having its EU ‘adequacy’ status revoked if it cannot prove that Israeli judges meet the European standard of being sufficiently independent, to guarantee citizen’s rights to data protection. The article by CTech can be read here.

Rising Global Regulation for Artificial Intelligence

Jones Day the international law firm has published a white paper on the rise in global regulation to tackle Artificial Intelligence (AI) outlining key regulatory issues and questions: “Across multiple continents and industries, AI is a topic of intense focus by governments, research institutions, investors, and corporations—from start-ups to well-established industry players. As technology and regulatory frameworks continue to evolve rapidly, AI legal issues are emerging as a key topic in a transactional, litigation, and regulatory compliance context”. The Jones Day white paper can be downloaded here.

ChatGPT is a data privacy nightmare. If you’ve ever posted online you ought to be concerned

ChatGPT has taken the world by storm. Within two months of its release it reached 100 million active users, making it the fastest-growing consumer application ever launched.   […] The problem is that it is fuelled by our personal data. It is underpinned by a large language model that requires massive amounts of data to function and improve. 300 billion words. How many are yours? Read full article here.



US Federal Trade Commission fines GoodRX $1.5 million dollars for sharing data including health data to Facebook, Google and other third-party firms for advertising

GoodRx is a widely used health app that seeks out coupons and discounts for medications. However, it seems consumers may have been paying more than meets the eye. The company admits no wrongdoing in the settlement, claiming that the health data it shared could not identify an individual user’s health condition. However some users received ads for their particular conditions on Facebook and Instagram while logged into their personal accounts, including sensitive conditions such as certain sexually transmitted diseases. Read full article here.

The Netherlands: DPA fine Police for failing to conduct a risk analysis before using camera cars in Rotterdam

The Dutch Data Protection Authority (DPA) has imposed a fine of €50,000 on the police for using camera cars in Rotterdam to monitor compliance with coronavirus measures without first assessing the privacy risks this might entail. As the cars drove around they collected and saved detailed images of people. The DPA investigation showed that too many images were collected unnecessarily, however the DPA cannot impose a fine for this violation. The fine was imposed for failure to conduct a DPIA to establish an analysis of the possible risks this action entail in terms of privacy. The DPA press release can be read here.