Data Protection Weekly 9/2023

Mar 2, 2023

European Union

EDPB: EDPB welcomes improvements under the EU-U.S. Data Privacy Framework, however concerns remain

The EDPB adopted its opinion on the draft adequacy decision regarding the EU-U.S. Data Privacy Framework. The EDPB welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for U.S. intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points. These relate, in particular, to (i) certain rights of data subjects, (ii) onward transfers, (iii) the scope of exemptions, (iv) temporary bulk collection of EU citizen personal data and (v) the practical functioning of the proposed redress mechanism.

The EDPB would welcome it if not only the entry into force but also the adoption of the decision were made conditional upon the adoption of updated policies and procedures to implement Executive Order 14086 by all U.S. intelligence agencies. The EDPB recommends that the Commission assess these updated policies and procedures and share its assessment with the EDPB. The full press release can be read here.

EDPB: EDPB publishes a procedure for the adoption of EDPB Opinions on national criteria for certification and European Data Protection Seals

During its February plenary, the EDPB adopted a procedure for the adoption of EDPB Opinions on national criteria for certification and European Data Protection Seals. This document is addressed to all applicants of certification criteria and aims to streamline and facilitate the adoption of EDPB Opinions on certification criteria by clarifying the approval process of national and EU-wide certification criteria, as well as criteria for certification meant as tools for international transfers. More information can be found in the press release here.

EDPB: Updated versions of guidelines published in the last week, post public consultation

This last week, the EDPB has published updated and final versions of three guidelines following public consultation. A summary abstract of each guideline can be found here.

  1. “Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them”. Version 2.0 can be read here.
  2. “Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR”. Version 2.0 can be read here.
  3. “Guidelines 07/2022 on certification as a tool for transfers”. Version 2.0 can be read here.

European Parliament: MEPs and EDPB to discuss the adequacy of the EU-US Data Privacy Framework

Following a parliamentary announcement, MEPs will debate a draft motion for a resolution on the Commission’s draft adequacy finding covering the EU-US Data Privacy Framework (DPF), as well as the relevant opinion of the EDPB. The Chair of the EDPB, Andrea Jelinek, will present the Board’s opinion on the new framework for MEPs to consider in their motion for a resolution. The European Parliament is then expected to adopt the non-binding resolution on the DPF in April 2023.

ENISA: Cyber Insurance – fitting the Needs of Operators of Essential Services?

The new report by the European Union Agency for Cybersecurity (ENISA) explores the challenges faced by Operators of Essential Services (OESs) in the EU when seeking to acquire cyber insurance. Focused on the potential challenges faced by OESs, the analysis also examines aspects of cyber insurance from a policy development perspective and offers recommendations to policymakers and to the OES community. The press release can be read here. The report, entitled ‘Demand side of Cyber Insurance in the EU’, can be accessed here.

National Authorities

Czech Republic: The Czech DPA announces new process for DPIA

From April 1, a new amendment to the national government’s legislative rules will come into effect. It changes the rules for carrying out Data Protection Impact Assessments (DPIAs) and will have a significant impact on the protection of personal data. At the request of the ‘Office for Personal Data Protection’ (the DPA), a precise structure for personal data protection impact assessments, the so-called ‘legislative DPIA’, will be introduced directly into the government’s legislative rules. A DPIA will now be required for every legislative proposal, including subsidiary regulations such as government decrees. The DPA will amend its existing guidance, and the amendment will be open to public consultation. You can read (in Czech) the press release here and the DPIA guidance here.

Germany: HBDI welcomes opening of a Mastodon instance by the state government

The Hessian Commissioner for Data Protection and Freedom of Information (HBDI) Prof. Dr. Alexander Roßnagel welcomes the opening of a Mastodon instance (community) by the Hessian state government: “By using the decentralised network Mastodon, the Hessian state government is taking an important step towards digital sovereignty. It shows how public authorities can communicate with citizens without violating data protection regulations”. The HBDI itself will soon open a Mastodon account on the instance of the state government and inform about its work there.

[…] Mastodon represents a much less objectionable alternative under data protection law to the usual social networks, against the use of which there are sometimes considerable reservations under data protection law. Particularly in the case of Facebook pages, both data protection supervisory authorities and courts have repeatedly made it clear in the past that public bodies cannot operate them in compliance with data protection law. Read press release here.

Norway: Norwegian DPA issues Notice of decision in the Google Analytics case

The Norwegian Data Protection Authority’s preliminary conclusion is that the use of Google Analytics breaches the GDPR data transfer rules. The DPA reiterates its recommendation that Norwegian companies explore alternatives to Google Analytics, stating that it will provide more detailed information about what applies, and what its expectations are for Norwegian websites, once a final decision has been made. This can be expected at the end of April at the earliest. The press release (in Norwegian) can be read here.

UK: ICO publishes SME Data Essentials pilot evaluation report

The ICO has recently completed a pilot programme with up to 60 SMEs from across the UK, in which they have been trialling an e-learning and self-assessment programme. Named “SME Data Essentials”, it is aimed at empowering organisations to become better equipped to manage their own data compliance. This week the ICO published the pilot’s evaluation report. You can read the press release and report here.

UK: Inside Rishi Sunak’s fledgling science and tech department

Following Rishi Sunak’s announcement on the creation of a new Department for Science, Innovation and Technology (DSIT), one key consequence was the transfer of responsibility for digital and data policy from the Department for Culture, Media and Sport (DCMS) to the new DSIT. However, not all is going to plan. Nearly three weeks since its inception, the department still has no home, with officials spread across different departmental offices, and questions of funding, staffing and policy priorities remain unresolved. According to POLITICO sources, the proposed Data Protection and Digital Information Bill is now likely to sit in the ‘long grass’ until the next parliamentary session. You can read the POLITICO article here.

Signal would ‘walk’ from UK if Online Safety Bill undermined encryption

If forced to weaken the privacy of its messaging system under the UK Online Safety Bill, the organisation “would absolutely, 100% walk”, Signal president Meredith Whittaker told the BBC. She added: “Encryption is either protecting everyone or it is broken for everyone.” The bill, introduced by Boris Johnson, is currently going through Parliament. The BBC article can be read here.

TikTok to set one-hour daily screen time limit by default for users under 18

The social media company announced Wednesday that every user under 18 will soon have their accounts default to a one-hour daily screen time limit. This is one of the most aggressive moves yet by a social media company to prevent teens from endlessly scrolling.

Teenage TikTok users will be able to turn off this new default setting, which will roll out in the coming weeks: once the 60 minutes have elapsed, users will be prompted to make an active decision to extend their time engaged with the social app. The feature change could bolster the digital well-being of younger users by requiring them to opt out of stricter screen time limits rather than clearing the higher bar of opting in to them. Read the CNN Business article here.

YouTube accused of collecting UK children’s data

YouTube has been accused of collecting the viewing data of children aged under 13, in breach of a UK data privacy code designed to protect children.

Campaigner Duncan McCann has lodged an official complaint with the Information Commissioner’s Office (ICO). He says the site is gathering data about the videos children watch, where they are watching and what device they are watching it on. His complaint is believed to be the first test of the ICO children’s code, which was introduced in 2020, when tech firms were given one year to comply with it. Read the BBC article here.

UNESCO’s first graphic novel on Artificial Intelligence

If you haven’t seen this innovative approach to awareness building, it is well worth a look. In 2022 UNESCO published its first graphic novel, entitled “Inside AI: an Algorithmic Adventure”, aimed at providing an informative medium for a broad audience of policymakers, adults and young people interested in learning about AI: educational, creative and fun all in one. Concepts covered include ethics, governance and data privacy, among others. You can learn more and read the novel here.

Ireland: DPC fines Centric Health Ltd.: publication of decision following inquiry

The DPC inquiry was commenced following a ransomware attack affecting the patient data of 70,000 persons held on Centric Health’s patient administration system. The decision found that Centric Health had failed to ensure that the personal data was processed in a manner that ensured appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. A reprimand was issued along with administrative fines totalling €460,000. The decision can be read here.