Data Protection Weekly 6/2024

Feb 22, 2024

European Union

EDPB: Statement on the EU Parliament’s CSAM regulation amendments

The European Data Protection Board (EDPB) has released a statement on the European Parliament’s amendments to the proposed regulation aimed at combating child sexual abuse material (CSAM) online. While the EDPB welcomes certain improvements, such as the exemption of end-to-end encrypted communications from detection orders, it criticises the amendments for potentially allowing general and indiscriminate monitoring and for not adequately addressing the risk of false positives in the detection of new CSAM. It highlights the importance of ensuring that any new legal measures are clear, targeted, and fully respectful of fundamental rights, including privacy and data protection. The EDPB’s response underscores the delicate balance required between protecting children online and safeguarding individual privacy rights. You can read the full statement here.

EDPB: Opinion on the notion of main establishment and the One-Stop-Shop mechanism

The European Data Protection Board (EDPB) adopted an Opinion on the notion of main establishment and on the criteria for the application of the One-Stop-Shop mechanism. This guidance comes in response to a request from the French data protection authority, under Article 64(2) of the GDPR, aiming to clarify the application of the One-Stop-Shop mechanism in scenarios where decisions regarding data processing are made outside the EU. The EDPB elaborated that a controller’s main establishment in the EU, as defined under Article 4(16)(a) GDPR, is recognised as such if it is the central place where decisions on the purposes and means of processing personal data are made and if it has the authority to implement these decisions. The document is available here.

National Authorities

France: CNIL publishes its 2023 enforcement activity report

The French data protection authority (CNIL) published its enforcement activity report for 2023. It handled more than 16,000 complaints and conducted 340 investigations during the year, a significant increase in regulatory activity, and issued 42 sanctions totalling almost €90 million, as well as 168 enforcement notices and 33 warnings. This upsurge reflects CNIL’s strategic shift over the past five years towards prioritising compliance over punitive measures. Despite this approach, the number of sanctions grew, driven by the adoption of a simplified sanction procedure, a rise in complaints, and stronger European cooperation. Sanctions covered a broad spectrum of issues, from online advertising and data security to employee surveillance and health data processing, affecting a wide range of entities including small businesses, multinational corporations, and public sector organisations. Notably, six sanctions were issued in collaboration with European data protection authorities under the GDPR one-stop-shop mechanism. You can read the press release here (in French).

Ireland: DPC survey to examine sports clubs’ data protection awareness and understanding

The Irish data protection authority (DPC) announced it will conduct a survey across a broad spectrum of sports clubs, covering both voluntary and professional levels, to evaluate their awareness and understanding of data protection principles. Recognising the pivotal role sports play in Irish society, particularly for children, the survey aims to assist the sports sector in complying with data protection obligations and to enhance individuals’ understanding of their rights under the General Data Protection Regulation (GDPR). The survey will investigate how clubs use technology to collect and analyse player performance data, their awareness of data protection obligations, and how transparently this information is communicated to players, with a special focus on the information provided to children and young people. Targeting clubs affiliated with major sports associations such as the FAI, IRFU, GAA, and LGFA, the DPC’s initiative is designed to identify the sector’s needs for guidance and support, facilitating further engagement with stakeholders. You can read the press release here.

France: CNIL investigates data breach affecting over 33 million individuals

The French data protection authority (CNIL) has launched an investigation into a data breach involving Viamedis and Almerys, two third-party payment operators serving numerous health and mutual insurance companies. This breach, reported at the end of January, compromised data essential for their operations, affecting over 33 million people. The exposed data includes civil status, birth dates, social security numbers, health insurer names, and contract guarantees of the insured and their families. Importantly, banking information, medical data, health reimbursements, postal addresses, phone numbers, and email addresses were not part of the breach. The CNIL has reminded the affected companies to inform all impacted individuals directly and promptly, in line with GDPR requirements, and has advised those affected to remain vigilant against potential scams and to monitor their account activities closely. You can read the press release here (in French).

Netherlands: AP grants 500th licence to retailers who warn each other about shoplifters

The Dutch data protection authority (AP) has issued its 500th licence to retailers, enabling them to legally share information about shoplifters and nuisance-causers within a defined area, ensuring privacy safeguards are met. This milestone, celebrated at Utrecht’s Hoog Catharijne shopping centre, underscores the AP’s stance that security and privacy can coexist with proper regulation. Licensed shopkeepers can exchange names and photos of repeat offenders, under strict conditions including oversight by police or municipal authorities. The initiative requires a detailed protocol and risk analysis to be approved by the AP, emphasising careful data handling to prevent undue harm to individuals labelled as offenders. This approach aims to foster a safer shopping environment while respecting privacy rights. You can read the full article here (in Dutch).

Czechia: UOOU releases new guidance on camera systems

The Czech data protection authority (UOOU) has released new guidance on the design and operation of camera systems in relation to personal data processing and protection. This non-binding document aims to help data controllers and processors, including camera system suppliers, better understand their obligations. It covers both recorded and online camera systems involved in personal data processing. While not legally mandatory, adherence to this guidance should ensure compliance with the General Data Protection Regulation (GDPR) and the European Data Protection Board (EDPB) Guidelines No. 3/2019. The guidance proposes categorising camera systems into four classes, suggesting minimum technical and organisational measures and examples for conducting a balance test. It is designed to ease the compliance burden for small data controllers, especially for common camera systems, and can be supplemented with procedures from relevant ministries for specific applications. You can read the press release here and the UOOU methodology here (both in Czech).

Poland: UODO announces sectoral investigation plan for 2024

The Polish data protection authority (UODO) has announced its sectoral investigation plan for 2024, targeting entities processing personal data within the Schengen Information System (SIS) and the Visa Information System (VIS), as well as compliance with the information obligation by private entities. The investigations will also continue to focus on the security and sharing of personal data processed by web applications, a continuation from 2023, and will scrutinise the correct implementation of the information obligation as set out in Articles 13 and 14 of the General Data Protection Regulation (GDPR). This initiative comes in response to increasing threats to personal data protection compliance and significant public interest in these areas. You can read the press release here (in Polish).

Global

Civil rights groups oppose Meta’s “Pay or Okay” model amid EDPB review

Twenty-eight civil rights organisations, including noyb, Wikimedia Europe, and the Norwegian Consumer Council, have urged the European Data Protection Board (EDPB) to reject Meta’s “Pay or Okay” scheme. This model, introduced by Meta in November 2023, forces users to choose between paying a €251.88 annual privacy fee or consenting to online tracking for targeted advertising. The initiative has sparked controversy and debate over the future of online consent and privacy rights in Europe. Data protection authorities from the Netherlands, Norway, and Hamburg have sought a binding opinion from the EDPB on this matter. Critics argue that legitimising such a model could undermine the principle of genuine consent, as set out in the GDPR, and pave the way for widespread adoption of similar practices across various industries, thus potentially eroding the foundational right to data protection. You can read the press release here and the joint letter here.

Sanctions

Italy: Garante fines online dating site €200,000 for multiple GDPR violations

The Italian data protection authority (Garante) has imposed a €200,000 fine on the popular online dating site nirvam.it for unlawfully processing the personal data of approximately 1 million subscribers. This marks the first occasion on which the Garante has taken action against a dating site. The fine was the result of a detailed investigation, including an on-site inspection, which found unlawful processing of user data, such as sexual preferences and orientations. The site, with around five million subscribers globally, failed to provide adequate information on data use and did not inform users of their rights under the GDPR. Additionally, the site lacked a specific privacy policy for data retention, a record of processing activities, a Data Protection Officer (DPO), and a required Privacy Impact Assessment (PIA). Alongside the fine, corrective measures have been mandated to align the site’s data processing with data protection laws. You can read the press release here (in Italian).

Italy: Garante fines doctor €20,000 for leaving prescriptions outside clinic

A doctor was fined €20,000 by the Italian data protection authority (Garante) for leaving patient prescriptions in a container on the external wall of his medical office, unprotected and accessible to anyone. The breach was discovered following an investigation initiated by reports and testimonies collected by the police, including from patients who had retrieved their prescriptions from the container. The doctor justified the practice as a COVID-era measure, continued for months with patient consent, to facilitate prescription collection and reduce clinic visits. However, the Garante stressed that health information may only be shared on a legal basis or with written consent, and must never be publicly disclosed. Leaving unsecured prescriptions accessible violates patient privacy by exposing health data. The fine took into account the number of patients affected, the duration of the violation (about two months), and the doctor’s lack of cooperation during the investigation. You can read the press release here (in Italian).

Italy: Garante fines aesthetic medicine centre €8,000 for privacy breach

The Italian data protection authority (Garante) imposed an €8,000 fine on an aesthetic medicine centre for unlawfully processing health data after a patient recognised himself in a video on the centre’s social media profile. The video showed the patient’s identifiable face for over 30 seconds without his specific consent to filming and distribution. The footage remained online for 45 days before being removed following the patient’s request for deletion. The Garante emphasised the importance of ensuring that patients are informed and have given explicit consent, or that their data is anonymised, before images or information about clinical cases are disseminated. The Garante reiterated that the distribution of any health information without patient consent is prohibited, hence the €8,000 fine for unlawful health data processing. Additionally, the Garante mandated the medical centre to adopt corrective measures to align its practices with data protection laws. You can read the press release here (in Italian).