Legal Watch

Role and resources of DPOs: results of a year of audits

Legal Watch No. 67 – January 2024.

On January 17, the CNIL and its European counterparts published the results of their investigations into the role and resources of data protection officers (DPOs) in the context of the application of the GDPR.

This theme was the subject of coordinated European action by the European Data Protection Board (EDPB) in 2023.

The main functions of the DPO, as provided for in Articles 37 to 39 of the GDPR, include informing and advising the controller on data protection issues (including carrying out impact assessments), raising awareness and training staff, and monitoring data breaches.

The DPO cooperates with the supervisory authority, and is the point of contact for individuals whose data is being processed.

The investigations by the data protection authorities were based on a questionnaire developed jointly by all the authorities that make up the EDPB.

In France, the CNIL audited 14 data controllers and supplemented the sending of the questionnaire with several on-site checks.

The checks covered public actors such as hospitals, universities, municipalities, management centers, and private actors in the luxury and transport sectors.

The particularly low number of organisations audited is noteworthy.

Like several other European authorities, the CNIL chose to carry out a limited number of in-depth investigations, while other authorities contacted tens of thousands of controllers without carrying out such thorough checks.

The EDPB report takes these differences in approach into consideration in its analysis.

The CNIL gives an overall positive assessment of the role and resources allocated to the DPO.

It notes that DPOs generally have sufficient resources.

However, it highlights large disparities in the resources allocated to DPOs: those in public structures often work alone, especially in small local authorities, while DPOs in the private sector generally have a team.

This observation is confirmed at the European level.

Among the shortcomings noted are the risk of conflicts of interest between the DPO's duties and other tasks assigned to the same person, and the lack of involvement of the DPO in decisions concerning data protection.

The CNIL indicates in this regard that it has (outside of this investigation) sanctioned an organisation in the social sector with a fine of 10,000 euros because the DPO was not able to properly carry out their duties: the DPO was not sufficiently involved in matters relating to the protection of personal data, and the role lacked visibility among the organisation's employees.

The European report concludes this analysis by noting that DPOs are increasingly assuming, in addition to their role regarding the GDPR, key roles in the context of new European regulations, such as those concerning AI, digital services, the digital market or data. 

They are also being given new roles related to ethics, data governance and data spaces.

In light of this trend, the Board warns of the increased risk of conflicts of interest and of the inadequacy of the resources available to DPOs.

It emphasises that data protection authorities, as well as data controllers, have an essential role to play so that the DPO can fully perform this role.

  • The CNIL has imposed several significant sanctions in recent weeks.
  • On December 29, 2023, it fined Yahoo 10 million euros for not respecting the choice of internet users who refused cookies on its website, and for not allowing users of its messaging service to freely withdraw their consent to cookies.
  • After conducting on-site inspections at Amazon France Logistique warehouses, the French data protection authority (CNIL) also found several GDPR violations on December 27th concerning the extensive monitoring of workplaces, and fined the multinational €32 million. According to the CNIL, Amazon has implemented an "excessively intrusive" monitoring system, which operates without providing information and is insufficiently secure.
  • On December 29, the CNIL also imposed a fine of 105,000 euros on NS Cards France, an electronic money distributor, for excessive retention of personal data, incomplete privacy policies, insufficient security measures and lack of user consent regarding non-essential cookies.
  • Finally, it is launching a public consultation on a draft guide concerning the impact assessment of data transfers outside the European Economic Area: an evaluation of the level of data protection in the recipient country must be carried out before any transfer to a country that does not have an adequacy decision, as well as an assessment of the safeguards to be provided for this transfer. Contributions can be submitted until February 12, 2024.
  • The French National Cybersecurity Agency (ANSSI) has announced the launch of Hackropole, a new platform designed to introduce people to careers in cybersecurity. The platform offers more than 300 challenges open to everyone, covering all areas of cybersecurity, from cryptography to hacking.

European institutions and bodies

  • Belgium took over the presidency of the Council of the European Union at the beginning of January for six months with the slogan "Protect, strengthen and prepare".

Topics to be addressed in 2024 include cyber resilience of connected products, digital identity, data spaces, cross-border application of the GDPR and artificial intelligence.

2024 will also be an implementation year for many laws finalised last year, including the Digital Services Act, the Digital Markets Act and the Data Governance Act.

  • On February 2, the ambassadors of the 27 EU member states unanimously, but not without difficulty, approved the artificial intelligence regulation, thus endorsing at governmental level the political agreement reached in December.

Following the vote by the European parliamentary committees in mid-February, the adoption in plenary session is provisionally scheduled for April 10 and 11.

The regulation will enter into force 20 days after its publication in the official journal.

The bans on prohibited practices will begin to apply six months later, and the obligations relating to AI models within a year.

  • In parallel, the European Commission announced on January 24 the creation of a European AI office to contribute to the implementation and application of the future regulation.

This office will aim to publish guidelines to establish harmonized rules across the EU, and to encourage and facilitate the development of codes of practice and codes of conduct at Union level.

  • With the legislative process on the CSAR regulation ("chat control") far from complete, the European Union has proposed extending a temporary solution allowing tech giants to scan their customers' devices for child sexual abuse material on a voluntary basis.

This measure has drawn criticism, notably from the European Data Protection Supervisor (EDPS). In an opinion published on January 29, the EDPS expressed concern about the objectives of this regulation, which would restrict individuals' right to the confidentiality of their communications.

  • On January 31, the European Commission published the Digital Services Act (DSA) Transparency Scoreboard. This provides an overview of content moderation decisions made by the largest online platforms.
  • The European Data Act came into force in January 2024.

Its objectives include promoting the fair sharing of data, enabling public sector bodies to use data held by the private sector for specific purposes of public interest, and allowing customers to easily switch data processing service providers in order to promote the European cloud market.

  • The European Commission will investigate the partnership between Microsoft and OpenAI, under which Microsoft plans to integrate a suite of AI tools into its own products.

In a press release dated January 9, the Commission invites all interested parties to share their experience and comments on the level of competition in the context of virtual worlds and generative AI, as well as their ideas on how competition law can help ensure that these new markets remain competitive.

  • On January 15, the European Commission published its report evaluating the 11 adequacy decisions adopted under the 1995 Data Protection Directive.

It notes that personal data transferred from the European Union to Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to benefit from an adequacy decision under the GDPR.

  • The European Data Protection Board (EDPB) has published a website audit tool for compliance with the EU General Data Protection Regulation.

The tool was developed by the EDPB's pool of experts and can be used by data protection authorities, as well as data controllers and processors, to streamline the preparation, execution, and evaluation of audits. It is free and open-source software licensed under EUPL 1.2 and can be downloaded from code.europa.eu.

  • The EDPB also published, on January 18, a case digest on the security of data processing and data breach notification.

The document analyzes the decisions adopted by the supervisory authorities in accordance with Article 60 of the GDPR within the framework of the one-stop-shop mechanism in the field of data processing security and personal data breaches.

  • The Court of Justice of the EU ruled in a judgment of 30 January that the general and indiscriminate retention of biometric and genetic data of persons convicted of criminal offences, until their death, is contrary to EU law and in particular the right to be forgotten.
  • The CJEU also ruled on January 16 that the GDPR applies to national parliamentary committees.

The Court clarified the concept of national security, and stated that in the absence of evidence of a national security objective, national courts must determine whether Article 2(2)(a) concerning the scope of the GDPR applies.

  • Tech giants have until March 6 to comply with the provisions of the European regulation on digital markets, and must in particular allow their users to register for a single service without automatically linking it to another.

It is in this context that Meta announced on January 22 that Instagram and Facebook users will be able to manage their accounts separately, so that their information is no longer shared between the two accounts.

Google also mentioned on its help center page the possibility for European users to select the services they wish to keep linked in terms of data sharing.

News from European member states

  • On December 11, 2023, in cooperation with the CNIL, the Dutch Data Protection Authority (APD) fined Uber BV and Uber Technologies Inc. ten million euros for several failures to provide information to drivers.

These shortcomings relate in particular to the procedures for the right of access to data, transfers outside the EU, retention periods and the right to data portability.

  • The Dutch Data Protection Authority also fined ICS, a credit card company, 150,000 euros for failing to carry out an impact assessment (DPIA).

In its considerations, the APD stressed that the absence of a DPIA constitutes a violation of the GDPR in itself, but that it also increases the likelihood of other violations of the regulation because there is no consideration of risks before the implementation of the processing.

  • The Belgian Data Protection Authority (APD) has fined a data broker 174,640 euros.

Among other violations, the data controller could not rely on legitimate interest as a basis for collecting data from third parties.

It also failed to inform the complainant about the sources and recipients of the data in response to an access request.

  • The Belgian authority also investigated the practices of a data controller following a data breach affecting nearly 90,000 people.

It did not adopt any sanctions, considering that the data breach was an isolated incident and that the data controller had complied with Article 33 of the GDPR.

  • The Austrian Data Protection Authority (APD) has fined a data controller 10,000 euros for failing to cooperate with it in a complaint procedure, thereby violating Article 31 of the GDPR.
  • In Germany, a security researcher was fined 3,000 euros on January 17 for discovering and reporting a security flaw in an e-commerce database that exposed nearly 700,000 customer records.

Discovering a plaintext password and using it without authorisation to query the database was deemed a criminal offence.

This decision, which will be appealed, is criticized by a security expert for its chilling effect on legitimate research into system vulnerabilities.

  • At the end of January, the Danish Data Protection Authority (APD) found a municipality had violated GDPR security rules by failing to encrypt its computer hard drives.

A work computer had been stolen from an employee's home and contained sensitive personal data, social security data, and data concerning minors.

The hard drive was not encrypted.

The investigation revealed that nearly 1,200 of the municipality's laptops were also not encrypted.

  • On January 24, the UK's National Cyber Security Centre published a worrying report on the short-term impact of AI on the cyber threat.

The report notes in particular that AI will certainly increase the volume and impact of cyberattacks over the next two years with improvements in existing tactics, techniques, and procedures.

It also notes that AI lowers the barrier for amateur cybercriminals, who will soon be able to launch sophisticated phishing attacks that are difficult for recipients to identify.

  • At the end of January, Thierry Breton, Commissioner for the Internal Market, and Alejandro N. Mayorkas, US Secretary of Homeland Security, discussed the EU-US Joint Action Plan for Cyber-Safe Products, following the EU-US summit in October 2023.

This collaboration between the Commission and the relevant US regulatory agencies aims to explore a possible mutual recognition of cybersecurity requirements for consumer hardware and software products of the Internet of Things.

The action plan is based on the framework of the EU Cyber Resilience Act and on the cybersecurity labelling programme proposed by the United States (Cyber Trust Mark Act).

  • The Biden-Harris administration announced key AI measures on January 29 following President Biden's executive order adopted three months ago.

The executive order notably provides for setting essential disclosure requirements for developers of the most powerful systems, assessing the risks of AI to critical infrastructure, and "hindering efforts by foreign actors to develop AI for harmful purposes".

The relevant federal agencies and departments indicated that they had completed all the actions stipulated in the executive order within 90 days, and reported on the progress of the measures planned for the longer term.

  • The Government of Canada has created a "glossary of personal information and privacy" which contains the English and French terms for more than 300 concepts.

It also includes other terminological information (which may vary from entry to entry) which includes other designations, definitions, notes and examples of use.

  • Two researchers from the Carnegie Endowment for International Peace have urged the South African government to give the highest priority to cybersecurity and to adopt stronger leadership in this area on the international stage.

The researchers note that, despite the country's dependence on digital technology, its cyber strategy is sorely lacking in funding and the government has no clear position in debates on cyber governance.

According to the South African Council for Scientific and Industrial Research, South Africa is the African country most targeted by cyberattacks and ranks eighth in the world.