
PrivacyPulse. Outline of latest developments shaping data protection in Europe

February 2024

Welcome to PrivacyPulse!

This is a go-to resource for professionals keen to stay informed on the latest developments in data protection law.

PrivacyPulse is a monthly series available on the SIMION & BACIU website, designed to keep you up-to-date on everything you need to navigate the complex field of data privacy. It offers an insightful overview of the most recent decisions and advancements that shape the data protection landscape in Europe.

Our inaugural piece, the January 2024 PrivacyPulse, is available below. You can also download it HERE.

Petrus Partene authors and curates this resource.


The January PrivacyPulse opens with the European Data Protection Board (EDPB), which unveiled a suite of resources focused on compliance efforts. Notably, the EDPB made available a website auditing tool and released a comprehensive report on the role and main challenges of Data Protection Officers.

We also explore enforcement actions across several EU member states, including Romania, France, Italy, the Netherlands, Belgium, and Denmark. From fines for GDPR violations to investigations into data breaches and unsolicited communications, each case underscores the critical importance of robust data protection measures.

This is what you need to know about the January PrivacyPulse:

European Data Protection Board (EDPB)

  1. The EDPB launched a website auditing tool. The tool is aimed at legal and technical auditors and supports compliance checks against data protection law. It is open source and can be integrated with other tools, which strengthens supervisory authorities' enforcement capabilities. The tool is available for download on code.europa.eu (direct link here).
  2. The EDPB released a thematic one-stop-shop case digest on the GDPR's security of processing and data breach notification obligations. It draws on DPAs' decisions and helps organisations assess and improve their security measures. The case digest is available for download on edpb.europa.eu (direct link here).
  3. The EDPB released a report on its coordinated enforcement action focusing on Data Protection Officers (DPOs). Despite the challenges identified, most DPOs feel equipped for their role, but improvements are needed; the recommendations include more resources and greater independence. The action aims to strengthen the DPO role and ensure GDPR compliance. The 2024 coordinated action will focus on how controllers implement data subjects' right of access. The report is available for download on edpb.europa.eu (direct link here).

Romania

  1. Following a data breach notification, the Romanian DPA conducted an investigation and found that personal data (names, addresses, email addresses, company details, sales records and subscription status) had been disclosed in an unauthorised manner on the controller's website. In addition to a fine of EUR 3,000, the DPA ordered two corrective measures: (i) implementing a regular system testing plan and (ii) strengthening password complexity procedures. (press release available here, in Romanian)
  2. The Romanian DPA concluded an investigation in which it found infringements of data protection rules consisting of sending unsolicited electronic correspondence after clients had requested that their personal data be deleted. The controller received a fine of EUR 17,000. The corrective measures include, among others, reconfiguring the implemented systems and applications to align them with data protection principles. (press release available here, in Romanian)

France

  1. The CNIL investigated a controller's data collection practices and imposed a fine of EUR 75,000 for GDPR violations. During the investigation, the company presented two data collection forms to the CNIL. Neither form allowed for free, informed and unambiguous consent: the design highlighted the consent button, subtly encouraging users to agree to the transmission of their data to partners. (press release available here, in English)
  2. The CNIL sanctioned a controller for employee monitoring practices carried out without observing GDPR requirements. It found excessive monitoring measures, namely (i) precise tracking of breaks, (ii) measurement of scanning speed and (iii) disproportionate retention periods. While acknowledging the company's operational needs, the CNIL imposed a fine of EUR 32 million for disproportionate surveillance, noting that the system had given the company a competitive advantage. (press release available here, in English)
  3. A controller faced a CNIL investigation following 27 complaints about cookie consent issues. The CNIL found that cookies were deposited without consent and that users faced obstacles when withdrawing consent. It concluded that the controller had failed to comply with its obligations under the French Data Protection Act and sanctioned it for violating the consent rules and for coercing users not to withdraw consent, at the cost of their access to the services. The CNIL emphasised the significance of email addresses to users' private lives and the impact such coercion has on privacy rights. (press release available here, in English)

Italy

  1. The Italian DPA notified OpenAI of alleged GDPR breaches, following the temporary ban on processing it imposed in March 2023. OpenAI has 30 days to respond to the allegations. The Italian DPA will take the findings of the EDPB's task force into account in its final decision. (press release available here, in Italian)
  2. The Italian DPA sanctioned the Municipality of Trento for two scientific research projects that violated data protection law through the use of cameras, microphones and social networks. Both projects aimed to enhance safety in urban areas: the Marvel project used AI to analyse video and audio data to detect public safety risks, while the Protector project monitored social media for hate speech targeting religious sites. The Italian DPA found multiple violations, including insufficient anonymisation and transparency and the failure to carry out data protection impact assessments. While recognising mitigating factors, it condemned the invasive surveillance methods and stressed that future AI initiatives must comply with privacy rules. (link available here, in Italian)

Netherlands

  1. The Dutch DPA (Autoriteit Persoonsgegevens, AP) imposed a fine of EUR 10 million on a ride-sharing company for alleged lack of transparency regarding data retention and international data transfers, and for allegedly making it difficult for drivers to exercise their privacy rights. The criticism focused on the company's complex data access procedures and perceived shortcomings in its privacy policy. The AP acted on complaints forwarded by a human rights group on behalf of French drivers, and took the seriousness of the alleged violations and the company's size into account when setting the fine. The company has appealed the decision while reportedly improving its practices. The Dutch DPA underlines the importance of transparency and of upholding privacy rights. (press release available here, in Dutch)
  2. The Dutch DPA fined a financial institution EUR 150,000 for processing personal data without carrying out the legally required privacy risk analysis. The institution reportedly identified 1.5 million customers digitally without a prior Data Protection Impact Assessment (DPIA), in breach of the GDPR. The identification process involved sensitive data such as names, addresses and photos submitted via mobile phone or webcam for comparison with ID copies. While financial institutions must verify their customers' identities, they must also prioritise data protection. The Dutch DPA stresses the importance of assessing privacy risks in advance in order to prevent identity fraud and protect individuals' sensitive information. (press release available here, in Dutch)

Belgium

The Belgian DPA imposed a fine of EUR 174,640 on a company for GDPR violations. The company processed personal data without transparently informing the individuals concerned and failed to carry out a legally required data protection impact assessment (DPIA). It reportedly also retained data for 15 years without sufficient justification and processed personal data on a large scale without observing the legal requirements, creating privacy risks. In addition to the fine, the Belgian DPA ordered corrective measures, including suspending certain services until individuals are properly informed. The company also faces fines for improper data handling and for incomplete responses to access requests. (press release available here, in French)


Denmark

The Danish DPA recommended a fine of EUR 2 million for a company over GDPR violations. The company failed to implement adequate security measures during the development of its platform, allowing unauthorised access to users' digital mail; despite pre-launch testing, critical coding errors went undetected. The Danish DPA stresses the importance of identifying and addressing high-risk scenarios before personal data is processed, including by conducting impact assessments. The decision underlines the need for robust security measures, especially for solutions like the platform at issue. The proposed fine is the largest yet recommended by the DPA, reflecting the severity and impact of the breach. (press release available here, in Danish)


See you next month for the February PrivacyPulse.
