European Data Protection Board

May Plenaries - adopted documents

1 year 11 months ago
EDPB

Data protection issues arising in connection with the use of Artificial Intelligence

1 year 11 months ago
Background information

Date of final decision: 8 February 2022

Cross-border case or national case: National case

Controller: Budapest Bank Zrt.

Legal Reference: Lawfulness of Processing (Article 5(1)(a), Article 6(1), Article 6(4)), Purpose Limitation (Article 5(1)(b)), Transparency (Article 12(1), Article 13), Right to Object (Article 21(1), Article 21(2)), Appropriate Measures (Article 24(1)), Data protection by design and by default (Article 25(1), Article 25(2))

Decision: Infringement of Articles 5(1)(a), 6(1), 6(4), 5(1)(b), 12(1), 13, 21(1), 21(2), 24(1), 25(1), and 25(2) of the GDPR, Order to comply with the above Articles, Imposing administrative fine in connection with the above infringements

Key words: artificial intelligence, new technologies, analysis of phone audio recording, analysis of emotions, bank, legitimate interest assessment, transparent information, right to object, privacy by design and by default, administrative fine

Summary of the Decision

Origin of the case

In another procedure, the Hungarian SA became aware of the fact that the data controller performs automated analysis on the customer service phone calls. Due to the fact that this data processing was not clearly specified in the information provided to data subjects, the Hungarian SA started an ex officio investigation against the data controller in 2021 to review the general data processing practice of data controller regarding the automated analysis.

Key Findings

The data controller records all customer service phone calls. Each night, a software application automatically analyses all new audio recordings. The software uses artificial intelligence to find keywords and to guess the emotional state of the client at the time of the call. The result of the analysis is stored, linked to the phone call, within the software's system for 45 days, along with the voice recording. The result of the analysis is a list of persons ranked by the likelihood of dissatisfaction or anger, based on the audio recording of the customer service phone call. Based on the result of the analysis, designated employees mark clients to be called back by customer service in order to assess the reasons for their dissatisfaction. No information on this particular data processing was provided to data subjects, no right to object was technically possible, and the data processing was planned and carried out in full awareness of this.

The impact assessment of the data controller also confirmed that the reviewed data processing uses artificial intelligence and poses a high risk to the fundamental rights of data subjects. Neither the impact assessment nor the legitimate interest assessment provided any actual risk mitigation, and the measures that existed only on paper (information, right to object) were insufficient or non-existent. Artificial intelligence is by nature difficult to deploy in a transparent and safe manner, so additional safeguards are necessary. Due to its internal workings, it is difficult to verify the results of personal data processing performed by artificial intelligence, and such processing may be biased.

Decision

The Hungarian SA found serious infringements of numerous articles of the GDPR over a long period, ordered the data controller to stop processing the emotional state of its clients and to resume the data processing only once it has been made compliant with the GDPR, and issued an administrative fine in HUF equal to approximately EUR 650,000.

For further information: https://www.naih.hu/hatarozatok-vegzesek?download=517:mesterseges-intelligencia-alkalmazasanak-adatvedelmi-kerdesei

EDPB

EDPB adopts Guidelines on calculation of fines & Guidelines on the use of facial recognition technology in the area of law enforcement

1 year 11 months ago

Brussels, 16 May - The EDPB adopted new Guidelines on the calculation of administrative fines, harmonising the methodology data protection authorities (DPAs) use. The guidelines also include harmonised ‘starting points’ for the calculation of a fine. Three elements are considered for this: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of the business.

EDPB Chair, Andrea Jelinek said: “From now on, DPAs across the EEA will follow the same methodology to calculate fines. This will boost further harmonisation and transparency of the fining practice of DPAs. The individual circumstances of a case must always be a determining factor and DPAs have an important role in ensuring that each fine is effective, proportionate and dissuasive.”

The guidelines set out a 5-step calculation methodology. First, DPAs have to establish whether the case at stake concerns one or more instances of sanctionable conduct and if they have led to one or multiple infringements. The purpose is to clarify if all the infringements or only some of them can be fined.

Second, DPAs have to rely on a starting point for the calculation of the fine for which the EDPB provides a harmonised method.

Third, DPAs have to consider aggravating or mitigating factors that can increase or decrease the amount of the fine, for which the EDPB provides a consistent interpretation.

The fourth step is to determine the legal maximums of fines as set out in Art. 83 (4)-(6) GDPR and to ensure that these amounts are not exceeded.

In the fifth and last step, DPAs need to analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality or whether further adjustments to the amount are necessary.

The guidelines are an important addition to the framework the EDPB is building for more efficient cooperation among DPAs on cross-border cases, a strategic priority for the EDPB.

The guidelines will be submitted for public consultation for a period of 6 weeks. Following public consultation, a final version of the guidelines will be adopted, taking into account stakeholder feedback, and will include a reference table with a range of starting points for the calculation of a fine, correlating the seriousness of an infringement with the turnover of an undertaking.

The EDPB also adopted Guidelines on the use of facial recognition technology in the area of law enforcement. The guidelines provide guidance to EU and national law makers, as well as to law enforcement authorities, on implementing and using facial recognition technology systems.

EDPB Chair Andrea Jelinek said: “While modern technologies offer benefits to law enforcement, such as the swift identification of suspects of serious crimes, they have to satisfy the requirements of necessity and proportionality. Facial recognition technology is intrinsically linked to processing personal data, including biometric data, and poses serious risks to individual rights and freedoms.”

The EDPB stresses that facial recognition tools should only be used in strict compliance with the Law Enforcement Directive (LED). Moreover, such tools should only be used if necessary and proportionate, as laid down in the Charter of Fundamental Rights.

In the guidelines, the EDPB repeats its call for a ban on the use of facial recognition technology in certain cases, as it had requested in the EDPB-EDPS joint opinion on the proposal for an Artificial Intelligence Act. More specifically, the EDPB considers there should be a ban on:

  • remote biometric identification of individuals in publicly accessible spaces;
  • facial recognition systems categorising individuals based on their biometrics into clusters according to ethnicity, gender, as well as political or sexual orientation or other grounds for discrimination;
  • facial recognition or similar technologies to infer emotions of a natural person;
  • processing of personal data in a law enforcement context that would rely on a database populated by collection of personal data on a mass-scale and in an indiscriminate way, e.g. by "scraping" photographs and facial pictures accessible online.

The guidelines will be subject to public consultation for a period of 6 weeks.


EDPB_Press Release_2022_07

EDPB

EDPB Annual Report 2021: Enhancing the depth and breadth of data protection

1 year 11 months ago

Today, Andrea Jelinek, Chair of the European Data Protection Board (EDPB) presented the EDPB Annual Report 2021. The report provides a detailed overview of the work carried out by the EDPB in the last year.

EDPB Chair, Andrea Jelinek said: “2021 was the EDPB’s fourth year of existence and the first year of implementation of the multiannual EDPB Strategy 2021-2023. It was a very productive year, in which we completed many key actions to reach the objectives set out in our Strategy. Although we continued working mostly remotely due to the continuing impact of the COVID-19 pandemic, we made significant progress on a number of important files. To make this possible, we held over 380 EDPB meetings, including plenaries and expert subgroup meetings.”

In early 2021, the EDPB adopted its two-year Work Programme for 2021-2022. The Work Programme follows the priorities set out in the Strategy for 2021-2023 and puts the EDPB’s strategic objectives into practice. The Work Programme and Strategy helped guide the EDPB’s work in 2021 and will continue to guide its work in the years to come.

Over the past year, the EDPB continued to pay a great deal of attention to international transfers of personal data. In 2021, the EDPB adopted its final version of the Recommendations on supplementary measures following the Schrems II ruling by the Court of Justice of the EU, taking on board the input received from stakeholders during public consultation. In addition, the EDPB adopted opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive (LED), as well as its opinion on the draft adequacy decision for the Republic of Korea. The EDPB also adopted guidance documents on other international transfer tools, such as Codes of Conduct, and adopted joint opinions, together with the EDPS, on the new sets of Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA.

A second area in which the EDPB carried out important work was digital policy. Among others, the EDPB and EDPS adopted joint opinions on the proposal for a Data Governance Act (DGA) and the draft Artificial Intelligence Act. Furthermore, the Members of the Board adopted a statement on the Digital Services Package and Data Strategy.

Law Enforcement formed another priority area for the EDPB in 2021. Not only did the EDPB adopt its first opinion on an adequacy decision under the LED, the EDPB also adopted recommendations on the LED adequacy referential, aiming to standardise the adequacy procedure under the LED. In addition, the EDPB carried out an evaluation of the LED itself.

In 2021, the EDPB adopted 8 guidelines and recommendations on topics such as personal data breach notifications, connected vehicles and virtual voice assistants, as well as 6 guidelines and recommendations in their final version following public consultation.

Another key task of the EDPB is to ensure consistency in enforcement and cooperation between national authorities. In 2021, the EDPB adopted 35 Art. 64 GDPR consistency opinions. Most of these opinions concern binding corporate rules and accreditation requirements for certification bodies and code of conduct monitoring bodies.

In July 2021, the EDPB adopted its very first Art. 66 GDPR Urgent Binding Decision following a request from the Hamburg supervisory authority (SA), which had adopted provisional measures against Facebook Ireland Ltd.

In the same month, the EDPB also adopted its second Art. 65 GDPR binding decision which sought to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA, acting as lead SA, regarding WhatsApp Ireland Ltd. and the subsequent objections expressed by a number of concerned supervisory authorities.

The GDPR requires the EEA SAs to cooperate closely to ensure the consistent application of the GDPR and protection of individuals’ data protection rights across the EEA.

  • Between 1 January and 31 December 2021, there were 506* cross-border cases out of which 375 originated from a complaint, while 131 had other origins, such as investigations, legal obligations and/or media reports.
  • The One-Stop-Shop mechanism demands cooperation between the LSA and the CSAs. The LSA leads the investigation and plays a key role in the process of reaching consensus between the CSAs, in addition to working towards reaching a coordinated decision about the data controller or processor. Between 1 January 2021 and 31 December 2021, there were 209 draft decisions, of which 141 resulted in final decisions.
  • The mutual assistance procedure allows SAs to ask for information from other SAs or to request other measures for effective cooperation, such as prior authorisations or investigations. Between 1 January 2021 and 31 December 2021, SAs initiated 243 formal mutual assistance procedures. They initiated 2418 informal mutual assistance procedures. Mutual assistance is also used by the SAs requesting the competent SA to handle complaints they received which do not relate to cross-border processing as defined by the GDPR.

To read the EDPB Annual Report 2021, click here

Note to editors:

* References to case register entries in these statistics do not have a 1-to-1 correlation to the number of cross-border complaints handled per country as multiple complaints may be bundled in one case register entry which therefore can relate to multiple cross-border cases. Depending on the Member State legislation, supervisory authorities may have handled complaints outside of the Art. 60 procedure in accordance with their national law.

The European Data Protection Board (EDPB) is an independent European body, established by the General Data Protection Regulation (GDPR), which aims to ensure the consistent application of data protection rules across the European Economic Area (EEA). It achieves this aim by promoting cooperation between national Supervisory Authorities (SAs) and issuing general, EEA-wide guidance regarding the interpretation and application of data protection rules.

The EDPB comprises the Heads of the EU SAs and the European Data Protection Supervisor (EDPS). The European Commission has the right to participate in the activities and meetings of the EDPB without voting rights. The SAs of the EEA countries (Iceland, Liechtenstein and Norway) are also members of the EDPB, although they do not hold the right to vote.


EDPB_Press Release_Statement_04

EDPB

The EU’s Data Act: data protection must prevail to empower data subjects

1 year 11 months ago

Brussels, 5 May - The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) published their Joint Opinion on the proposed Data Act.

The EDPS and EDPB welcome the efforts made to ensure that the Data Act does not affect the current data protection framework. At the same time, since the Data Act would also apply to highly sensitive personal data, the EDPS and EDPB urge the co-legislators to ensure that data subjects’ rights are duly protected. The access, use and sharing of personal data by entities other than data subjects should occur in full compliance with all data protection principles and rules. Moreover, products should be designed in such a way that data subjects are offered the possibility to use devices anonymously or in the least privacy-intrusive way possible.

The Data Act aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects (‘Internet of Things’), medical or health devices and virtual assistants. The Data Act also aims to enhance data subjects’ right to data portability under Art. 20 of the General Data Protection Regulation.

Wojciech Wiewiórowski, EDPS, said: “Data must be processed according to European values if we aim to shape a safer digital future. As we move to create new opportunities for data use, we must ensure that the existing data protection framework remains fully intact. Access to data by public authorities should always be properly defined and limited to what is strictly necessary and proportionate, which is not the case under the draft Data Act.”

The EDPS and EDPB advise the co-legislators to provide limitations or restrictions on the use of data generated by the use of a product or service by any entity other than the data subjects, in particular where the data at issue is likely to allow precise conclusions to be drawn concerning data subjects’ private lives, or would otherwise entail high risks for the rights and freedoms of data subjects. The EDPS and EDPB recommend introducing clear limitations regarding the use of the relevant data for the purposes of direct marketing or advertising; employee monitoring; calculating or modifying insurance premiums; and credit scoring. Limitations on the use of data should also be provided to protect vulnerable data subjects, in particular minors.

The EDPS and EDPB express their deep concerns about the lawfulness, necessity and proportionality of the obligation to make data available to EU Member States’ public sector bodies and to EU institutions, bodies, offices and agencies (EUIs) in case of “exceptional need”. In their Joint Opinion, the EDPS and EDPB stress that any limitation on the right to the protection of personal data requires a legal basis that is adequately accessible and foreseeable. The legal basis must also define the scope and manner of the exercise of powers by the competent authorities, and be accompanied by safeguards to protect data subjects against arbitrary interference. The EDPS and EDPB urge the co-legislators to define much more stringently the hypotheses of emergency or “exceptional need”, and which public sector bodies and EUIs should be able to request data.

As regards enforcement, the EDPS and EDPB welcome the designation of data protection supervisory authorities as competent authorities responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned. The EDPS and EDPB ask the co-legislators to designate national data protection authorities as coordinating competent authorities under the Data Act.

Andrea Jelinek, EDPB Chair, said: “It is crucial to solidly embed the GDPR in the overall regulatory architecture that is being developed for the digital market. Not just for this proposal, but also concerning other legislative proposals, such as the Data Governance Act or the Digital Markets Act. A clear distribution of competences amongst the relevant regulators will need to be ensured, as well as efficient cooperation to avoid the risk of fragmented supervision, the establishment of a parallel set of rules and to ensure legal certainty for organisations and data subjects.”


EDPB

Europe Day 2022

2 years ago

Every year in early May we celebrate peace and unity in Europe through Europe Day, to commemorate the signing of the 'Schuman Declaration'. This year, on 7 May, the EU institutions invite you to a wide range of online and on-site activities across the EU Member States, as well as in the home of the EU institutions in Brussels, Luxembourg and Strasbourg.

The EDPB and EDPS will both be present with a common booth at the European Commission’s headquarters, the Berlaymont building, from 10:00 to 18:00 on Saturday 7 May.

For more information about Europe Day 2022 visit: https://europeday.europa.eu/index_en

EDPB

DPAs decide on closer cooperation for strategic files

2 years ago

Vienna, 29 April - At a two-day high level meeting in Vienna, EDPB Members have agreed to further enhance cooperation on strategic cases and to diversify the range of cooperation methods used.

Andrea Jelinek, Chair of the European Data Protection Board, said: “In the past four years, we have invested a great deal of resources in the interpretation and consistent application of the GDPR by endorsing and adopting no less than 57 Guidelines and 6 Recommendations. Enforcement by the data protection authorities (DPAs) has ramped up with cumulative fines adding up to 1.55Bn€ at the end of 2021. More than ever, strong and swift enforcement is crucial for ensuring a consistent interpretation of the GDPR. To stay on top of this growing workload and make the most efficient use of the possibilities for cooperation foreseen in the GDPR, we will yearly identify a number of cross-border cases of strategic importance for which an action plan with a fixed timeline for cooperation will be set. All EDPB Members are committed to close cooperation and we focus on practical solutions to strengthen the capacity of DPAs to enforce.”

Groups of DPAs may decide to join forces on investigation and enforcement activities and DPAs may share the work within these groups. When needed, an EDPB task force can be created.

Furthermore, the DPAs commit to exchanging information on national enforcement strategies with a view to agreeing on annual enforcement priorities at EDPB level, which can be reflected in national enforcement programmes. DPAs can prepare a common enforcement framework, including common instruments for inspections.

Finally, the EDPB stresses the importance of further harmonisation of national procedural laws. Andrea Jelinek: “We will identify a list of administrative procedural aspects that could be further harmonised on EU level to maximise the positive impact of GDPR, and share this information with the European Commission. This will help bridge differences and ensure a more effective application of the GDPR.”


Full statement available here


EDPB_Press Release_Statement_03

EDPB

EDPB adopts statement on the new Trans-Atlantic Data Privacy Framework, letter concerning independence of Belgian SA & discusses membership Spring Conference

2 years ago

Brussels, 7 April - The EDPB adopted a statement on the announcement of a new Trans-Atlantic Data Privacy Framework. The EDPB welcomes the commitments made by the U.S. to take ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (EEA) when their data are transferred to the U.S. as a positive first step in the right direction.

The EDPB notes that this announcement does not constitute a legal framework on the basis of which EEA data exporters can transfer data to the U.S. Data exporters must continue taking the necessary actions to comply with the case law of the Court of Justice of the European Union (CJEU), and in particular its Schrems II decision of 16 July 2020. The EDPB will pay special attention to how this political agreement is translated into concrete legal proposals.

The EDPB looks forward to assessing carefully the improvements that the new framework may bring in light of EU law, CJEU case law and previous recommendations of the Board, once the EDPB receives all supporting documents from the European Commission. In particular, the EDPB will analyse whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. In addition, the EDPB will examine how the announced independent redress mechanism respects EEA individuals’ right to an effective remedy and to a fair trial. More specifically, the EDPB will look into whether any new authority part of this mechanism has access to relevant information, including personal data, when exercising its mission and whether it can adopt decisions binding on the intelligence services. The EDPB will also consider whether there is a judicial remedy against this authority’s decisions or inaction.

The EDPB reiterates that it remains committed to playing a constructive role in securing transatlantic transfers of personal data that benefit EEA individuals and organisations.

Next, the EDPB adopted a letter expressing concerns about the recent legislative developments in Belgium aimed at reforming the law establishing the Belgian Supervisory Authority (BE SA), as it may negatively impact the stability and the independent functioning of the Belgian authority.

The EDPB stresses that independent supervision, which it fears is impacted by the proposed reforms, is essential to the fundamental right to data protection and for this reason is protected by the Charter and the EU Treaty. It is also the cornerstone of effective enforcement under the GDPR and effective cooperation among SAs. Furthermore, the EDPB is concerned about the proposals’ alignment with the GDPR and strict CJEU case law. In particular, the EDPB pointed out as issues the interruption of the current mandate of the BE SA’s external members and the added grounds of dismissal of members. The EDPB also questions how the various proposals leading to increased parliamentary oversight may relate to the requirement for SAs to “remain free from external influence” in accordance with Art. 52(2) GDPR. In addition, the EDPB states that the legislative proposal to make the use of a shared service centre mandatory may conflict with the SA’s freedom to choose and have its own staff (Art. 52(5) GDPR), which may result in indirect external influence on the stability and functioning of the BE SA.

Finally, the EDPB agreed to request observer status within the Spring Conference of European Data Protection Authorities. The Spring Conference provides a platform for dialogue for data protection authorities all over Europe, including non-EEA countries. This request forms part of the EDPB Strategy 2021-2023 to strengthen engagement with the international community and to facilitate cooperation between EDPB members and the data protection authorities of third countries.

EDPB Deputy Chair Aleid Wolfsen said: “International cooperation is vital to upholding data protection rights in the EEA and beyond. This is another important step forward in reinforcing our engagement with the international community to promote EU data protection standards and to ensure effective protection of personal data beyond EU borders.”


EDPB_Press Release_2022_05

EDPB

Spanish SA imposes a fine on Telefónica Móviles España, for a loss of confidentiality related to mobile phone sim card duplicate

2 years 1 month ago
Background information

Date of final decision: 08/11/2021

Cross-border case or national case: National case

Controller: TELEFÓNICA MÓVILES ESPAÑA, S.A.U.

Legal Reference: Confidentiality (Article 5.1.f)

Decision: Imposition of a fine of 900,000 euros.

Key words: Loss of confidentiality.


Summary of the Decision

Origin of the case

Several complaints were filed following the issuance of duplicate SIM cards to third parties other than the subscribers. As a result, the holders of the telephone lines were not only left without service, but the third parties also gained access to their bank accounts.

This is a case of fraudulent practices based on the generation of duplicate SIM cards without the consent of their legitimate holders in order to access confidential information for criminal purposes (known as "SIM swapping").

Key Findings

The Spanish DPA carried out investigative actions to analyse the procedures followed by TELEFÓNICA MÓVILES ESPAÑA, S.A.U. to manage SIM change requests, identifying the vulnerabilities that may exist in the implemented operating procedures, in order to detect the causes of these incidents, find points of non-compliance, improvement or adjustment, determine responsibilities, reduce risks and increase the security of the processing of the personal data of the affected persons.

The data processed to issue a duplicate SIM card, and the SIM card (Subscriber Identity Module) itself, which unequivocally identifies the subscriber on the network, are personal data, and their processing must comply with data protection regulations.

It was verified that the measures implemented by TELEFÓNICA MÓVILES ESPAÑA, S.A.U. were insufficient, which resulted in a loss of confidentiality and the transfer of personal data to a third party.

Decision

The AEPD imposes a total fine of 900,000 euros for the infringement consisting of a lack of confidentiality.


For further information: https://www.aepd.es/es/documento/ps-00021-2021.pdf


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.


EDPB

EDPB & EDPS adopt joint opinion on the extension of the EU Digital COVID Certificate Regulation

2 years 1 month ago

The EDPB and EDPS have adopted a joint opinion on the European Commission’s proposals to extend the current Regulations on the EU Digital COVID Certificate (EUDCC) by 12 months and to amend certain provisions, such as broadening the types of COVID tests accepted in the context of travel within the EU and clarifying that vaccination certificates should contain the number of doses administered to the holder, regardless of the Member State in which they were administered.

The EDPB and the EDPS take note that the proposal does not alter substantially the existing provisions of the Regulations with regard to the processing of personal data. In line with the previous joint opinion on the initial COVID Certificate Regulations, the EDPB and the EDPS recall that compliance with data protection rules does not constitute an obstacle for fighting the COVID-19 pandemic. Given the unpredictability of the possible prolongation of the pandemic, the EDPB and the EDPS understand the need to extend the applicability of the EUDCC Regulation.

However, since this proposal aims to extend the duration of a measure to fight the COVID-19 pandemic, the relevant scientific evidence and the additional measures in place should be regularly assessed to ensure respect for the general principles of effectiveness, necessity and proportionality.

The EDPB and EDPS regret that no impact assessment was carried out by the Commission. In addition, the EUDCC Regulation provides for a duty for the EU Commission to submit a report to the European Parliament and the Council on the impact of the Regulation on the facilitation of free movement, fundamental rights and non-discrimination. The EDPB & EDPS strongly consider that the Commission should annex this report to the current proposal.

EDPB Chair, Andrea Jelinek said: “These proposals are of particular importance due to their major impact on the protection of individuals’ rights and freedoms. Any restriction to the free movement of persons within the EU to limit the spread of COVID-19, including the requirement to present EU Digital COVID Certificates, should be lifted as soon as the epidemiological situation allows.”

EDPS Supervisor, Wojciech Wiewiórowski said: “We need to continuously evaluate which measures remain effective, necessary and proportionate in the fight against the COVID-19 pandemic. Data protection principles should be continuously applied and integrated, having due regard to the evolution of the epidemiological situation and the impact on fundamental rights.”

The modification of certain fields of data, such as the clarification that vaccination certificates are to contain the number of doses administered to the holder or the proposal to make participants in clinical trials for the development of COVID-19 vaccines eligible for a COVID-19 vaccination certificate, seems to be limited to what is strictly necessary and does not raise particular concerns from a data protection perspective. However, the EDPB and EDPS recall their previous position that any modification of data fields might require a re-evaluation of the risks to fundamental rights and that only more detailed data fields falling under the already defined categories of data should be added through the adoption of delegated acts. The EDPB and EDPS will continue to pay special attention to the evolution of the COVID-19 pandemic and, in particular, to the use of personal data following the end of the pandemic.

EDPB

EDPB adopts Guidelines on Art. 60 GDPR, Guidelines on dark patterns in social media platform interfaces, toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country SAs

2 years 1 month ago

Brussels, 15 March - The EDPB adopted Guidelines on Art. 60 GDPR. The drafting of such guidance is part of the EDPB Strategy and Work Programme 2021-2022 to support effective enforcement and efficient cooperation between national supervisory authorities (SAs). The guidelines provide a detailed description of the GDPR cooperation between SAs and aim to further increase the consistent application of the legal provisions relating to the one-stop-shop mechanism. The guidelines help SAs to interpret and apply their own national procedures in such a way that it conforms to and fits in the cooperation under the one-stop-shop mechanism.

The EDPB adopted Guidelines on dark patterns in social media platform interfaces. The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements. Dark patterns are interfaces and user experiences implemented on social media platforms that cause users to make unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. This influences users’ behaviour and ability to effectively protect their personal data. The guidelines give concrete examples of dark pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR.

The EDPB adopted a toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country SAs. This contributes to one of the key actions of the EDPB Strategy and Work Programme 2021-2022 and aims to facilitate the engagement between EDPB members and the SAs of third countries. The toolbox can be used both for administrative arrangements developed within the EDPB by the SAs themselves and for international agreements negotiated by the European Commission. The toolbox covers key topics, such as enforceable rights of data subjects, compliance with data protection principles and judicial redress.

Finally, the EDPB adopted a joint EDPB-EDPS opinion on the proposals to extend the Digital COVID Certificate. A separate press release will be published on this topic later today.

Note to editors:

All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

 

EDPB_Press Release_2022_04

EDPB

Facial recognition: Italian SA fines Clearview AI EUR 20 million

2 years 1 month ago
Background information

Date of final decision: 10 February 2022
Cross-border case or national case: national case, Article 3(2) applies
Controller: Clearview AI Inc.
Legal Reference:  Principles relating to processing of personal data (Article 5(1)(a)(b)(e)); Lawfulness of processing (Article 6); Processing of special categories of personal data (Article 9); Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12); Information to be provided where personal data are collected from the data subject (Article 13); Information to be provided where personal data have not been obtained from the data subject (Article 14); Right of access by the data subject (Article 15); Representatives of controllers not established in the Union (Article 27).
Decision:  The Italian SA imposed a fine amounting to EUR 20 million, imposed a ban on further collection and processing, ordered the erasure of the data, including biometric data, processed by the Company’s facial recognition system with regard to persons in the Italian territory and the designation of a representative in the territory of the European Union.
Key words:  Web Scraping, Images Database, Facial Recognition, Biometric Data, AI systems, Geolocation, Jurisdiction under EU law, Representative in the EU.

Summary of the Decision

Origin of the case

The Italian SA opened proceedings on its own initiative following press reports on several issues connected with the facial recognition products offered by Clearview AI Inc. In addition, during 2021 the Garante received four complaints and two alerts from two organisations active in protecting privacy and the fundamental rights of individuals, all concerning Clearview.

Key Findings

The inquiries and assessment by the Italian SA found several infringements by Clearview AI Inc. The personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis, since the legitimate interest of the US-based company does not qualify as such. Additionally, the company infringed several fundamental principles of the GDPR, such as transparency, purpose limitation and storage limitation; it failed to provide the information set out in Articles 13 and 14, to respond within the due timeframe to a request made under Article 15, and to designate a representative in the EU.

Decision

The Italian SA imposed a fine amounting to EUR 20 million.
Additionally, the Italian SA:

  1. imposed a ban on any further collection, by way of web scraping techniques, of images and the relevant metadata concerning persons in the Italian territory and on further processing of the standard and biometric data that are handled by the Company via its facial recognition system and concern persons in the Italian territory;
  2. ordered erasure of the data, including biometric data, processed by its facial recognition system with regard to persons in the Italian territory, subject to the obligation to timely reply to such requests for the exercise of the rights under Articles 15 to 22 of the Regulation as may have been received from data subjects in accordance with Article 12(3) of the Regulation;
  3. ordered the Company to designate a representative in the territory of the European Union.

For further information:
Ordinanza ingiunzione nei confronti di Clearview AI - 10 febbraio 2022 (IT) [Injunction order against Clearview AI, 10 February 2022, in Italian]

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

EDPB

EDPB adopts reply to LIBE on the 2nd Additional Protocol to the Cybercrime Convention, Guidelines on Codes of Conduct as a tool for international transfers, letter on AI liability and designates representatives to ENISA’s SCCG

2 years 2 months ago

The EDPB adopted a letter in reply to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) regarding the Second Additional Protocol to the Cybercrime Convention, and in view of the two European Commission Proposals for Council Decisions authorising Member States to sign and ratify the Protocol.

In its reply, the EDPB recalls that the level of protection of personal data transferred to third countries resulting from the Protocol must be essentially equivalent to the EU level of protection. The EDPB also refers to the EDPS Opinion on the Commission proposals and highlights some of its crucial points.

The EDPB welcomes the safeguards included in the Protocol, such as the provisions on oversight. However, the EDPB regrets that the Protocol does not ensure that, as a general rule, information to individuals related to access is provided free of charge.

The EDPB recommends that Member States reserve the right not to apply the direct cooperation provision enabling third country authorities to directly request EU service providers to disclose certain types of data (access numbers). This would help to ensure a more substantial involvement of EU judicial or other independent authorities in the review of such requests.

Following public consultation, the EDPB adopted a final version of the Guidelines on Codes of Conduct as a tool for transfers, taking into consideration the feedback received from stakeholders. The main purpose of the guidelines is to clarify the application of Articles 40(3) and 46(2)(e) GDPR. These provisions stipulate that, once approved by a competent Supervisory Authority (SA) and after having been granted general validity within the European Economic Area (EEA) by the European Commission, a code may also be adhered to and used by controllers and processors in a third country to provide appropriate safeguards for transfers of data outside of the EEA.

The EDPB adopted a letter on AI liability. In its letter, the EDPB welcomes the European Commission’s initiative to adapt liability rules to the digital age and artificial intelligence (AI), in light of the evaluation of the Product Liability Directive. Among others, the EDPB considers it relevant to strengthen the liability regime of providers of AI systems, so that processors and controllers can trustfully rely on those systems. In addition, AI systems should be explainable by design and providers of AI systems should embed security by design throughout the entire lifecycle of the AI.

Finally, the EDPB designated Georgia Panagopoulou (EL SA) as representative and Konstantinos Limniotis (EL SA) as substitute to take part in ENISA’s newly formed Stakeholder Cybersecurity Certification Group (SCCG). The SCCG will advise ENISA and the European Commission on strategic issues regarding cybersecurity certification.

Note to editors:
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2022_03

 

EDPB

Call for Experts, the new EDPB Support Pool of Experts

2 years 2 months ago

The European Data Protection Board (EDPB) is looking for experts to cooperate with Supervisory Authorities around the European Economic Area (EEA), on different stages of their investigation and enforcement activities in the field of data protection law.

The EDPB is seeking to establish a Support Pool of Experts with qualified experts in areas such as IT auditing, website security, mobile OS and apps, IoT, cloud computing, behavioural advertising, anonymisation techniques, cryptology, AI, UX design, fintech, data science, digital law, etc.

The EDPB Support Pool of Experts is a key strategic initiative of the EDPB, that helps Supervisory Authorities increase their capacity to supervise and enforce the safeguarding of personal data.

The European Data Protection Board (EDPB) is an independent EU body established by the General Data Protection Regulation or GDPR, which contributes to the consistent application of data protection rules throughout the European Economic Area (EEA), and promotes cooperation between the EEA data protection authorities.

 

Send us your expression of interest and join the EDPB Support Pool of Experts
Learn how to submit your application

EDPB

Launch of coordinated enforcement on use of cloud by public sector

2 years 2 months ago

Brussels, 15 February - Today marks the kick-off of the first coordinated enforcement action of the European Data Protection Board. In the coming months, 22 supervisory authorities across the EEA (including the EDPS) will launch investigations into the use of cloud-based services by the public sector.

This series of actions follows the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among Supervisory Authorities (SAs).

According to Eurostat, cloud uptake by enterprises doubled across the EU in the last six years. The COVID-19 pandemic has sparked a digital transformation of organisations, with many public sector organisations turning to cloud technology. However, in doing so, public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules. Through coordinated guidance and action, the SAs aim to foster best practices and thereby ensure the adequate protection of personal data.

Over 80 public bodies in total will be addressed across the EEA, including EU institutions, covering a wide range of sectors (such as health, finance, tax, education, central buyers or providers of IT services). Building on common preparatory work by all participating SAs, the CEF will be implemented at national level in one or several of the following ways: fact-finding exercise; questionnaire to identify if a formal investigation is warranted; commencement of a formal investigation; follow-up of ongoing formal investigations. In particular, SAs will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.

The results will be analysed in a coordinated manner and the SAs will decide on possible further national supervision and enforcement actions. In addition, results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis before the end of 2022.

EDPB_Press Release_statement_2022_01


EDPB

EDPB adopts first opinion on certification criteria

2 years 3 months ago

The EDPB adopted its opinion on the GDPR-CARPA certification scheme submitted to the Board by the Luxembourg Supervisory Authority (SA). This is the first time that the EDPB adopts a consistency opinion on criteria for a nationwide certification scheme. The GDPR-CARPA certification scheme is a general scheme, which does not focus on a specific sector or type of processing. It includes requirements on data protection governance in the organisation surrounding the processing activities.

EDPB Chair, Andrea Jelinek, said: “This opinion is an important step towards greater GDPR compliance. The main aim of certification mechanisms is to help controllers and processors demonstrate compliance with the GDPR. Controllers and processors adhering to a certification mechanism also gain greater visibility and credibility, as it allows individuals to quickly assess the level of protection of the processing operations.”

The EDPB opinion aims to ensure the consistency and correct application of certification criteria among SAs in the European Economic Area. To this end, the EDPB considers that a number of changes need to be made to the draft certification criteria.

After approval by the SA, the certification mechanism will also be added to the register of certification mechanisms and data protection seals in accordance with Art. 42 (8) GDPR.

Note to editors:
The present certification is not a certification according to Article 46(2)(f) of the GDPR meant for international transfers of personal data and therefore does not provide appropriate safeguards within the framework of transfers of personal data to third countries or international organisations.

All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

 

EDPB

EDPB celebrates Data Protection Day

2 years 3 months ago

On the occasion of the 16th annual Data Protection Day, the Members of the EDPB bring you joint greetings. We are a closely-coordinated regulatory network of national competent authorities in the Member States of the European Economic Area (EEA). We work together, day after day, to protect your personal data. Happy Data Protection Day from all of us!
