Data Protection Weekly 8/2024

Mar 5, 2024

European Union

EDPB: Launch of coordinated enforcement on the right of access

The European Data Protection Board (EDPB) initiated its 2024 Coordinated Enforcement Framework (CEF) action, engaging 31 Data Protection Authorities (DPAs) across the EEA to focus on the right of access, a core aspect of data protection law and a frequently exercised right. This initiative follows the EDPB’s 2023 guidelines aimed at aiding organisations in complying with access requests as per GDPR standards. The enforcement will involve distributing questionnaires, initiating formal investigations, and monitoring ongoing cases to evaluate adherence and uncover insights for future EU-level actions. The findings will culminate in a comprehensive EDPB report, reflecting on the collective enforcement experience and outcomes. This initiative follows previous CEF actions on use of cloud services by the public sector and designation and position of Data Protection Officers. You can read the press release here.

EDPS: Participation in the EDPB’s Coordinated Enforcement Action on the right of access

The European Data Protection Supervisor (EDPS) is collaborating with the European Data Protection Board (EDPB) and other Data Protection Authorities in a Coordinated Enforcement Action focusing on the right of access within EU institutions, bodies, offices, and agencies (EUIs). This action emphasises the significance of the right of access, a fundamental data protection right allowing individuals to verify the compliant processing of their data and enabling other rights, like rectification or erasure. EDPS Wojciech Wiewiórowski highlights the importance of this right as foundational to data protection in the EU. The EDPS will evaluate EUIs’ adherence to Regulation (EU) 2018/1725 concerning access requests, identify best and worst practices, and contribute to a collective analysis to guide future supervisory and enforcement actions. The EDPB plans to release a comprehensive report detailing the findings from this joint initiative. You can read the press release here.

European Parliament: MEPs back plans for an EU-wide digital wallet

The European Parliament has recently passed a regulation establishing an EU-wide digital wallet, aimed at providing EU citizens with a secure method to access public and private digital services across borders. This digital wallet, which is voluntary, allows users to authenticate themselves online, store, share, and e-sign documents, thereby reducing reliance on commercial providers and enhancing privacy and security. Key features include the provision of free “qualified electronic signatures” and wallet-to-wallet interactions to streamline digital exchanges. Importantly, the wallet will be open-source, promoting transparency and innovation while ensuring stringent oversight of associated entities. A privacy dashboard empowers users to manage their data, aligning with GDPR. The framework also ensures inclusivity, with safeguards to prevent discrimination against non-users. This initiative represents a significant step in the EU’s efforts to foster a secure and user-centric digital environment. You can read the press release here.

ENISA: Geopolitics accelerates need for stronger Cyber Crisis Management

In light of the evolving geopolitical landscape, ENISA has published a study highlighting best practices for cyber crisis management. This report, developed for the EU Cyber Crisis Liaison Organisation Network (CyCLONe), provides a comprehensive framework to enhance cyber crisis preparation, reflecting the priorities of the NIS2 Directive. By detailing practices across the cyber crisis management cycle’s four phases—prevention, preparedness, response, and recovery—the study aims to foster a more harmonised approach to cyber crisis within the EU. It underscores the importance of Member States sharing best practices and working collaboratively to strengthen their cyber crisis management and resilience, aligning with the NIS2 Directive’s objectives to improve cybersecurity across the EU. The document also highlights ENISA’s role in coordinating with various cybersecurity stakeholders to ensure effective crisis management and response. You can read the press release here and download the full study here.

National Authorities

France: CNIL reflects on the economic impact of the GDPR, 5 years on

The French data protection authority (CNIL) published a study titled “Economic impact studies of the GDPR: the regulator’s vision,” analysing the economic repercussions of the GDPR five years after its implementation. This analysis reveals that while the focus has often been on compliance costs for businesses, the benefits, particularly in terms of trust and market stability, are significant yet less quantified. The GDPR has fostered a more transparent data economy, enhancing consumer trust and potentially enabling economic activities that hinge on data confidence. Despite methodological challenges in isolating the GDPR’s effects from broader economic dynamics, emerging studies suggest nuanced impacts across different sectors, with both constraints and opportunities noted. The GDPR is seen as an investment in compliance that yields economic returns, highlighting a nuanced perspective beyond mere cost assessment. This approach helps balance market operations and personal data protection, underpinning the digital economy’s growth while safeguarding individual rights. The CNIL’s study underscores the need for ongoing economic analysis to fully grasp the GDPR’s benefits and costs, aiming for a more comprehensive understanding of its societal value. You can read the press release here and the full study here (both in French).

UK: ICO reassures employers they can share staff data in a mental health emergency

The UK data protection authority (ICO) has recently issued guidance to assist employers in determining when it is appropriate to share employee personal data during mental health emergencies. This guidance aims to clarify the conditions under which personal information can be disclosed to prevent serious harm, emphasising the need for any shared data to be necessary and proportionate. Chris Hogan, the ICO’s Head of Regulatory Strategy, highlighted the importance of preparing in advance to make informed decisions promptly during emergencies. The document also features case studies demonstrating the application of data protection laws in such scenarios. By outlining clear parameters, the ICO seeks to facilitate responsible data sharing, balancing employee privacy with urgent health and safety considerations. This initiative complements the ICO’s broader efforts to provide resources on lawful information handling, including a dedicated data sharing hub. You can read the press release here and the full guidance here.

Spain: AEPD publishes a blog post on enhancing child safety online through DNS configuration

The Spanish data protection authority (AEPD) recently published a blog post emphasising the importance of configuring DNS settings in home Wi-Fi routers or personal devices as a crucial step to protect children in the digital environment. This strategy is presented as an adjunct and alternative to age verification processes, necessitating active involvement from families. The AEPD advises that internet service providers should offer clear guidance and support to families, ensuring these configurations respect data protection and privacy regulations. By adjusting the DNS (Domain Name System), which translates website names to IP addresses, inappropriate content can be filtered, using servers that provide family-oriented filters. The AEPD notes that while some ISP-provided routers may not allow DNS customisation, alternative devices are available that do. Moreover, modifying DNS settings on individual devices can extend protective measures beyond the home network. The AEPD underscores the need for technical awareness and privacy consideration in implementing these measures, recommending professional advice if necessary. You can read the full blog post here (in Spanish).

Denmark: The Datatilsynet investigates Netcompany’s potential data leak

The Danish Data Protection Authority (Datatilsynet) is investigating a potential data leak at Netcompany to determine compliance with data protection laws. Triggered by media revelations regarding a suspected source code leak at Netcompany, which serves numerous entities, Datatilsynet has yet to receive any breach notifications from Netcompany or the affected bodies. The authority is inquiring about the presence of personal data in the leaked files, the impacted systems and stakeholders, Netcompany’s communication with data controllers about potential risks, and the possibility of the leaked data enabling access to personal data. Datatilsynet expects Netcompany’s response by March 6, 2024. You can read the press release here (in Danish).

Global

US: President Biden Issues Executive Order to Protect Americans’ Sensitive Personal Data

On February 28, 2024, President Joe Biden signed an Executive Order to safeguard Americans’ sensitive personal data from exploitation, particularly by countries of concern. This landmark initiative authorises the Attorney General to block substantial data transfers to such nations and introduces measures against potential exploitative activities. It targets critical data types, including genomic, biometric, health, geolocation, financial data, and specific personal identifiers, addressing risks like intrusive surveillance, scams, blackmail, and other violations of privacy. The order mandates the Department of Justice and other agencies to establish stringent data protections, preventing misuse by foreign entities and ensuring national security. Additionally, it emphasises collaboration among federal departments and reinforces ongoing commitments to data privacy and open internet principles, urging legislative support for comprehensive privacy laws. You can read the press release here.

Sanctions

Italy: Garante fines Enel Energia €79 million for failing to protect databases from unauthorised access

The Italian data protection authority (Garante) has imposed a substantial fine of over €79 million on Enel Energia for failing to safeguard its customer databases against unauthorised access, particularly in relation to telemarketing. This action followed an investigation by the Guardia di Finanza, which initially led to €1.8 million in fines for four other companies and the seizure of databases linked to unlawful activities. Further investigations revealed that Enel Energia had acquired numerous contracts through these entities, despite their not being part of its official sales network. Inspections also uncovered significant security weaknesses in Enel’s customer management and service activation systems, allowing unauthorised agents to exploit these vulnerabilities for unlawful telemarketing, including nuisance calls and contracts signed to the customers’ disadvantage. Consequently, for these breaches, which over time involved the activation of at least 9,300 contracts, the Garante has levied its largest penalty to date on Enel Energia. You can read the press release here.

UK: ICO reprimands West Midlands Police for data protection failure

The UK data protection authority (ICO) has reprimanded West Midlands Police for their failure to distinguish between the records of two individuals sharing the same name and date of birth, leading to numerous data protection breaches between 2020 and 2022. This confusion resulted in serious operational mistakes, including police attending incorrect addresses and schools due to the mismanagement of victim and suspect information. Acknowledging the force’s inadequate response to correct and prevent the recurrence of these errors, the ICO emphasised the necessity of regular data protection training and proper information handling. Following the reprimand, West Midlands Police have initiated a ‘Think before you link’ campaign and a new data quality policy to improve accuracy, measures that the ICO has commended. These steps aim to reinforce the importance of meticulous data management and the need for continuous training to uphold public trust in police data handling practices. You can read the press release here.

UK: ICO finds the Home Office’s pilot of GPS electronic monitoring of migrants breached UK data protection law

The UK data protection authority (ICO) has found the Home Office in violation of UK data protection laws during its GPS monitoring pilot, which tracked migrants without adequately assessing privacy risks or informing participants about how their data would be used. The Home Office’s failure to assess the scheme’s privacy intrusion and its impact on vulnerable individuals led to an enforcement notice and a formal warning. The ICO emphasised the need to demonstrate the necessity and proportionality of such surveillance, especially considering the potential risks and vulnerabilities involved. Despite the pilot’s end in December 2023, concerns remain over the retained data’s accessibility and future use, prompting the ICO to demand policy and privacy information updates to prevent further breaches. The Home Office is now under scrutiny to align its data processing activities with legal standards, ensuring respect for individual information rights. You can read the press release here.