Data Protection Weekly 8/2023

Feb 23, 2023

 European Union

European Commission: Brussels sets out to fix the GDPR 

The European Commission will propose a new law (regulation) before the summer aimed at improving how EU member state data protection authorities enforce the GDPR in cross-border cases. A new notice page was published on its website. You cand read more in a POLITICO article here.

European Commission: DSA: Commission starts collecting platform’s user numbers and consults on its monitoring and investigatory procedures

Friday 17 February was the deadline set in the Digital Services Act (DSA) for all online platforms and online search engines (except micro and small enterprises) to publish their user numbers in the EU for the first time. The Commission is also launching a public consultation on DSA enforcement procedures. The consultation will last one month, until 16 March 2023, and will help shape the final Commission enforcement rules. The press release can be read here.

EDPB: One-Stop-Shop case digests

The EDPB has published a case digest with a selection of final One-Stop-Shop decisions related to the right to erasure and the right to object which showcases how DPAs work together to enforce the GDPR. They offer an opportunity to read final decisions taken by, and involving, different DPAs relating to specific data subject rights. You can read the case digests here.

EDPD: Boosting enforcement and cooperation – the EDPB work programme for 2023-2024 is adopted and published

The EDPB has adopted its new work programme, setting out its priorities and putting the Board’s strategic objectives into practice. The EDPB will continue to prioritise enforcement building on initiatives such as the Coordinated Enforcement Framework, cases of strategic importance, and the Support Pool of Experts. In addition, the EDPB will keep developing guidance to support and encourage DPAs to use of the full range of cooperation tools at their disposal, such as on the mutual assistance duty. The press release and access to the work programme can be read here.

National Authorities

Denmark: The Danish DPA takes case positions and issues Guidelines on the deployment of Cookie Walls.

The Danish Data Protection Agency has taken two fundamental decisions regarding the use of so-called ‘cookie walls’ on company websites based complaints received. Furthermore, the DPA has also published a set of general guidelines for the use of such consent solutions. As a starting point, the DPA has established a set of four criteria, which will form the basis for the authority’s assessment of procedures where a company conditions access to its content via the users’ consent. The press release (in Danish) can be read here and the guidelines here.  

Germany: BfDI prohibits operation of the Federal Government’s fan page

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Professor Ulrich Kelber, has instructed the Federal Press Office (BPA) to stop operating the Facebook fan page of the Federal Government. The BfDI sent a letter to this effect at the beginning of the week. The BPA has four weeks from receipt of the notice to implement it.

The BfDI said: “I have long pointed out that the operation of a Facebook fan page is not possible in accordance with data protection. This is shown by our own investigations and the short assessment report undertaken by the data protection conference (DatenchutzKonferenz). All authorities have a responsibility to comply with the law in an exemplary manner. According to the results of my examinations, this is currently impossible when operating a fan page because of the extensive processing of personal data of the users. I think it is important that the state is accessible via social media and can share information. However, it may only do so if the fundamental rights of citizens are respected.”

[…] The BPA has the option of appealing against the BfDI’s decision within one month. The press release (in German) can be read here.

Germany: BfDI criticises illegal data processing and legislation

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Professor Ulrich Kelber, has released a statement critical of EU member state legislators, as well as of German Federal and Ländes administration for continuously increasing their ability to collect new data sets, which the Commissioner says are too often unlawful initiatives. Kelber said “This must change urgently, otherwise there is a risk that citizens will lose confidence in legislation.” The press release (in German) can be read here.

Italy: The Italian DPA spells out its enforcement decision to Edison Energia spa

The Italian DPA – La Garante  – following a complex preliminary investigation, detected a number of GDPR infringements by Edison Energia spa against a significant number of users for unsolicited commercial calls. The Authority ordered the company to adopt a series of corrective measures to comply with the law and ordered it to pay a fine of 4,9 million Euros. A summary of the case (in Italian) can be found here and the full decision has now been published and can be read here.

Norway: The Norwegian DPA announces focus of supervisory activities for spring 2023

The Norwegian DPA announced that it will carry out inspections, in both the private and public sectors, focusing on key data protection areas. In particular, the DPA explained that the aim of the audits is to uncover vulnerabilities that could lead to compromise, alteration, or loss of citizens’ personal data. The DPA will prioritize the implementation of privacy principles in some cases, looking at privacy management and information security systems with a focus on organisational privacy by design and default protocols. The DPA has also said via its inspection efforts it will examine whether a DPO has been appointed where required by law. The press release (in Norwegian) can be read here.

UK: Tribunal rules on Experian appeal against ICO action

The First-Tier Tribunal (information Rights) has ruled on the ICO’s action to require Experian Limited to change how it handles people’s personal data. The Judgment supported aspects of the ICO’s decision, while allowing Experian’s appeal in other areas. While the tribunal found in support of the ICO that Experian had not processed personal data in a transparent, fair or lawful manner, it rejected the ICO view that Experian’s privacy notice was not transparent, and that using credit reference data for direct marketing purposes was unfair. The ICO press release can be read here.

The Netherlands: Tesla makes camera settings more privacy-friendly following DPA investigation

The DPA conducted an investigation into the built in security Sentry Mode in Tesla vehicles. This is a feature intended to protect the vehicles against theft and vandalism, among other things. It does this by recording images using four external cameras on the vehicle. The DPA found that when the camera system was enabled, the cameras continuously filmed everything around the parked vehicle, and these images were saved for one hour. A number of software up-dates have now been implemented including a default disablement setting for Sentry Mode. It is now up to vehicle owner to switch the camera system ‘on/ off’, and now footage is only saved for 10 minutes. The full press release can be read here.

Global

Meta Shifts UK Users to US Agreements in Post-Brexit Move

Meta will begin moving its UK users away from the company’s Irish subsidiary and onto US agreements in a move the social-media giant flagged post-Brexit. This week the company updated the terms of service for UK Facebook, Instagram and WhatsApp users and customers will be notified in the coming weeks. Bloomberg Technology has the story here.

LockBit and Royal Mail Ransomware Negotiation Leaked

The LockBit ransomware group has published a log of conversations between its operators and a Royal Mail negotiator showing the group demanded £65.7m ($79.85m) to safely return the company’s stolen data following a January cyber-attack. After 3 weeks of negotiation and discussion with the group, Royal Mail did not pay the ransom, with the final deadline being February 9th. InfoSecurity have the full story here.

TikTok plans 2 more European Data Centers amid Privacy Fears

TikTok said it is planning two more European data centers to allay growing concerns about data privacy for its users in the West. The company’s general manager for European operations, Rich Waterworth, said in a blog post that it is “at an advanced stage of finalizing a plan” with a third-party provider for a second data center in Ireland. It announced its first center there last year. TikTok also is in talks to set up a third European data center, without specifying a location. The AP article can be read here.

European Commission bans TikTok from corporate devices

The EU executive’s IT service has asked all Commission employees to uninstall TikTok from their corporate devices, as well as the personal devices using corporate apps, citing data protection concerns. Commission staff have been asked to do so as soon as possible and no later than 15 March. For those who do not comply by the set deadline, the corporate apps like the Commission email and Skype for Business will no longer be available. The measure, justified on the grounds of data protection concerns related to the app, is aimed at protecting Commission data and systems from potential cybersecurity threats. The EURACTIV report can be read here.

Guidance on classification and conformity assessments for High-Risk AI Systems under EU AI Act

The debate continues in Brussels over which AI systems should be considered as “High Risk”, while the systems in Annex II of the EU AI Act have attracted less attention. In this article by Theodoros Karathanasis of the MIAI – Multidisciplinary Institute on Artificial Intelligence at the Université Grenoble Alpes, you will find a comprehensive guide (with infographics) on the classification of all “High Risk” systems in the AI Act, as well as the corresponding conformity assessment procedures. The article can be read here.

Fines

Germany: Higher Regional Court (OLG) Hamm: 100 euros compensation for pain and suffering for the incorrect dispatch of health data

In its judgment of 20.01.2023 (Case No. 11 U 88/22), the Higher Regional Court of Hamm ruled that a plaintiff was entitled to damages in the amount of 100 euros under Article 82 of the GDPR for the wrongful dispatch of an excel spreadsheet containing health data. The legal dispute was based on an incident at a vaccination centre. The centre had inadvertently sent an Excel spreadsheet containing the personal data of around 13,000 people to 1,200 recipients. In its ruling, the court concludes that the erroneous dispatch constitutes a breach of data protection law and, in addition to a breach of the principles of data processing, a breach of the protection of special categories of personal data pursuant to Art. 9 GDPR.

However, the OLG Hamm did not rule whether there was also a breach of the obligation to take technical and organisational measures for data security. The lower court had affirmed this. On the other hand, the court does not take into account the plaintiff’s purely speculative argument that his data could have fallen into the hands of militant opponents of vaccination.

What is particularly interesting is that while the OLG Hamm assumes that the unintentionally caused data protection breach, which already violates the principle of integrity and confidentiality provisioned by Art. 5 of the GDPR, in the opinion of the OLG it can remain an open question whether an instruction by the defendant to encrypt (Excel) files in principle is necessary. Rather, it is sufficient that the “[…] concrete data processing was not sufficiently secured […]”. Read judgment (in German) here.

UK: Former 111 call centre advisor fined for illegally accessing medical records

A former 111 call centre advisor has been found guilty and fined for illegally accessing the medical records of a child and his family. A complaint had been raised against the advisor, following a disagreement during a 111 call to a medical centre, prompting the advisor to access the records of the complainant, the complainant’s child and two other relatives. The advisor accessed personal records without consent or a legal reason to do so and produced screenshots of the child’s patient notes at an internal investigation meeting in June 2016. Following the internal investigation, he was dismissed for gross misconduct based on the overall evidence of the case.

Following the investigation from the Information Commissioner’s Office, the advisor pleaded guilty to five counts of unlawfully obtaining personal data in breach of Section 55 of the Data Protection Act. He was fined £630 with a victim surcharge and court costs totalling £1,093. A full account of the case can be read via the ICO press release here.