Data Protection Weekly 7/2024

Feb 26, 2024


CEDPO’s webinar on global approaches to AI regulation

On 18 January 2024, the Confederation of European Data Protection Organisations (CEDPO) conducted a webinar titled “One Technology, Many Perspectives: Global Approaches to AI Regulation”. The event brought together experts from the US, the UK, and the EU, such as Chris Eastham, John Ghose, and Dr. Maria Moloney, to discuss the diverse legal frameworks that govern artificial intelligence. It focused on how these differences impact data protection and explored what constitutes optimal AI regulation. This online seminar provided crucial insights into the complexities of AI regulation and its implications for data protection, offering a platform for a comparative analysis of global approaches. The recording of the webinar is accessible here.

 European Union

CJEU: Advocate General’s Opinion on database sale in enforcement proceedings

Advocate General Priit Pikamäe issued its Opinion on Case C-693/22 stating that databases containing personal data can be sold under enforcement proceedings without data subject consent if necessary and proportionate for civil law claim enforcement. This Opinion comes amid a Polish court case involving a dispute over a debt claim and the potential personal liability of a board member, whose company possesses user databases. These databases, not consented by users for third-party processing, are considered by the enforcement officer for sale to satisfy the claim. Pikamäe suggests such sales fall within GDPR scope, designating the enforcement officer as the data controller and deeming the processing lawful if it serves an objective of general interest, such as ensuring enforcement of civil law claims. The Polish court must balance the creditor’s right to property against data protection rights. You can read the press release here and the full Opinion here.

ECHR: Weakening end-to-end encryption disproportionately risks undermining human rights

In a landmark judgment, the European Court of Human Rights (ECHR) found Russia in violation of Article 8 of the European Convention on Human Rights, concerning the right to respect for private life. The case, Podchasov v. Russia, revolved around the Russian requirement for “Internet communication organisers” like Telegram to store communications data for one year and contents for six months, and to provide these data, along with decryption keys for encrypted messages, to law enforcement or security services. The applicant, a Telegram user, contested these obligations, arguing they breached privacy rights by potentially allowing authorities to decrypt and access all user communications without judicial authorisation. The ECHR concluded that the legislation requiring data retention of all users and decryption of encrypted communications, particularly affecting end-to-end encrypted communications, was not necessary in a democratic society, thus overstepping acceptable boundaries and violating the right to private life. You can read the decision here.

National Authorities

France: CNIL issues guidance on the collection of athletes ‘data

The French data protection authority (CNIL) has issued guidance on the collection of individual physical performance data in elite and professional sports. This practice must respect privacy laws, especially concerning health data. The guidance outlines the necessity of identifying the roles within the data ecosystem, including institutions, federations, clubs, and leagues, to ensure compliance with data protection regulations. Different roles such as data controller, joint controller, and processor are defined, each with specific responsibilities in data processing. The guidelines emphasise the importance of choosing an appropriate legal basis for data processing, minimising the data collected, and ensuring data is processed lawfully, fairly, and transparently. Special attention is given to the collection of health data, highlighting the need for strict adherence to legal requirements and the implementation of suitable security measures. These recommendations aim to balance the optimisation of athletic performance with the protection of privacy rights, illustrating the CNIL’s commitment to safeguarding personal data within the sports sector. The document is available here (in French).

UK: ICO issues guidance on content moderation and data protection

The UK data protection authority (ICO) has released its first guidance aimed at helping organisations understand their data protection obligations during content moderation processes. This move seeks to ensure that online platforms respect users’ information rights while making their spaces safer. The guidance clarifies how data protection laws apply to content moderation, highlighting the potential for harm if personal information is misused, leading to incorrect moderation decisions. It emphasises the importance of integrating data protection into these processes to maintain user confidence and provide means for redress in case of errors. This initiative is part of the ICO’s collaboration with Ofcom, supporting the Online Safety Act 2023’s goals and addressing the evolving technological landscape and online safety practices. You can read the press release here.

Poland: UODO raises concerns about proposed disclosure of spouses’ assets in public officials’ declarations

Mirosław Wróblewski, the President of the Polish data protection authority (UODO), has expressed concerns regarding the draft amendment to the Act on Restrictions on Conduct of Business Activities by Persons Performing Public Functions. The amendment proposes that public officials disclose assets owned separately by their spouses in their asset declarations. UODO highlights that this requirement might infringe on the privacy of officials’ spouses, as it makes their personal financial information public without demonstrating the necessity for such disclosure. UODO suggests that the amendment should adhere to the principles of data minimisation and privacy as outlined in the General Data Protection Regulation and the Polish Constitution. Furthermore, UODO recommends conducting a data protection impact assessment to evaluate the amendment’s impact on personal data protection, questioning the necessity and proportionality of disclosing such information. The UODO also submitted its comments related to the retention period of such data in the Public Information Bulletin. You can read the press release here (in Polish).

Poland: UODO to investigate data disclosure incidents leading to suicides

The Polish data protection authority (UODO), has initiated investigations into two high-profile cases where the disclosure of personal information led to suicides. In one case, media reports enabled the identification of a child victimised by a paedophile, leading to the child’s suicide. Wróblewski has requested information from the District Prosecutor’s Office in Szczecin on their findings regarding the suicide. Additionally, he has contacted a radio station seeking details on their data protection measures and any internal inquiry related to the publication that disclosed excessive personal details. Another case under scrutiny involves the social media disclosure of a priest’s data following an arrest for an alleged indecent act, which preceded the individual’s suicide. UODO has also approached the Szczecin Prosecutor’s Office for details on this case, to consider supervisory actions in the context of personal data protection. The move underscores UODO’s commitment to examining the impact of information disclosure on individual tragedies. You can read the press release here (in Polish).

Denmark: Datatilsynet releases new theme page on consent

The Danish data protection authority (Datatilsynet) has launched a new theme page aimed at helping citizens understand their rights regarding consent. This initiative addresses common queries on whether organisations can process personal data without consent and the possibility of having data deleted. The page clarifies that consent is just one of the legal bases for data processing. It offers insights into the reasons behind data handling by public and private entities, a glossary of data protection terms, and answers to frequently asked questions about consent, data deletion, and modification. This resource is designed to empower individuals with knowledge about their data protection rights and the mechanisms in place for their enforcement. You can read the press release here and the page here (both in Danish).

Spain: AEPD releases blog post on the risks of digitalisation for older adults

The Spanish data protection authority (AEPD) has released a blog post highlighting the unintended consequences of digitalisation, particularly its role in excluding older adults from essential services. This shift towards exclusive digital offerings places older individuals in vulnerable positions as they struggle with access and usability, potentially violating their rights to non-discrimination and autonomy. The AEPD underscores that while digitalisation brings about efficiencies in data processing, it should not come at the cost of eliminating non-digital alternatives, ensuring inclusivity for all citizens. The Spain Digital 2026 agenda, within the broader European Digital Programme, seeks to balance digital advancement with economic growth and social cohesion. However, the AEPD stresses the importance of maintaining non-digital options to prevent the marginalisation of older adults and other vulnerable groups, in line with the GDPR’s mandates. Offering such alternatives is essential for a fair digital transformation that respects and protects the fundamental rights of every individual. You can read the full blog post here (in Spanish).

Sweden: IMY forms reference groups for DPOs

The Swedish data protection authority (IMY) is setting up two reference groups this spring, targeting data protection officers (DPOs) from both the private and public sectors. These groups aim to facilitate dialogue, gather feedback, and test ideas to enhance the support and guidance IMY provides. Activities may include soliciting opinions on priority areas, gathering feedback on draft guidance documents, such as impact assessments, or identifying new guidance needs. Interested DPOs can apply by emailing with the subject “Intresseanmälan referensgrupper,” including contact details, the name of their organisation, and specifying whether it operates in the public or private sector. To ensure wide geographical representation, meetings will be held digitally or in a hybrid format. The application deadline is March 8, 2024. You can read the press release here (in Swedish).

Sweden: IMY publishes its 2023 annual report

The Swedish data protection authority (IMY) has published its annual report for 2023, detailing its continued support for innovation, particularly in artificial intelligence (AI), and its enhanced focus on complaint management and supervision. The report highlights IMY’s initiatives, including a regulatory “sandbox” for projects on federated machine learning in healthcare and alternative surveillance technologies. The IMY has also adapted to significant legal developments affecting complaint and supervision processes, notably with court rulings that allow for appeals against IMY’s decisions. Over 200 supervisory cases were initiated in 2023, marking a substantial increase from the previous year, with sanctions exceeding SEK 120 million (approximately €11 million). Additionally, IMY has prioritised contributing to legislation against organised crime and gun violence, advocating for a comprehensive privacy impact analysis of legislative proposals and the introduction of temporary laws for subsequent evaluation. You can read the press release here and the full report here (both in Swedish).


US: Justice Department appoints first Chief AI Officer

Attorney General Merrick B. Garland has appointed Jonathan Mayer as the Justice Department’s first Chief Science and Technology Advisor and Chief Artificial Intelligence (AI) Officer. This significant move underscores the Department’s commitment to staying abreast of scientific and technological advancements, crucial for upholding the rule of law, national safety, and civil rights protection. Mayer’s role includes advising on complex tech-related issues, spearheading technological capacity-building, and leading the Department’s Emerging Technology Board. His appointment aligns with the President’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Mayer, an assistant professor at Princeton University with expertise in the intersection of technology, policy and law, brings a strong background in computer science and law to his new roles. You can read the press release here.


UK: ICO orders Serco Leisure to stop using FRT to monitor employee attendance

The UK data protection authority (ICO) has mandated Serco Leisure, Serco Jersey, and seven associated community leisure trusts to cease their use of facial recognition technology (FRT) and fingerprint scanning for employee attendance monitoring. The ICO’s investigation revealed that over 2,000 employees at 38 facilities were subject to unlawful biometric data processing for attendance and payment purposes without a necessary or proportionate rationale. Alternatives such as ID cards were not adequately offered, highlighting a significant power imbalance and lack of consent. Serco Leisure and the trusts are now required to halt all biometric data processing for attendance monitoring and delete any retained biometric data within three months. This enforcement aligns with the ICO’s new guidance on lawful biometric data processing and emphasises the need for organisations to consider privacy risks and employee consent when implementing biometric technologies. You can read the press release here.