CMS data protection update (04/2024)


I. The latest from the data protection authorities and current topics

1. EDPB: Launch of coordinated enforcement on the right of access

The European Data Protection Board (EDPB) selected the right of access under Article 15 GDPR as the focus of the third coordinated enforcement action of the data protection authorities. Coordinated enforcement has now begun and aims to help assess how the right of access is implemented in practice and to what extent adjustments or clarifications are needed in the EDPB's Guidelines on this topic. Last year’s results of the coordinated enforcement action on the topic of data protection officers were also published by the EDPB. The Bavarian State Office for Data Protection (BayLDA) summarises and comments on this.

2. EDPB: Website auditing tool

In January 2024, the EDPB introduced a tool for checking websites that is intended to support data protection authorities, controllers and processors in checking compliance with the law. The tool is based on open-source software and does not require any technical expertise. Further information is available here.

A press release published by the BayLDA on 9 February 2024 also ties in with this topic: The BayLDA had examined over 350 websites and 15 apps from operators based in Bavaria to check whether consent was obtained in line with data-protection provisions. According to the BayLDA, many of the websites and apps examined did not fulfil the statutory requirements. In particular, this related to the option of rejecting cookies.

3. DSK: New guidelines on obtaining self-disclosures from prospective tenants

The Conference of Independent German Federal and State Data Protection Supervisory Authorities (DSK) has published new "Guidelines on obtaining self-disclosures from prospective tenants". These deal with the personal data on the basis of which a decision is usually made on the conclusion of a tenancy agreement and the various different points in time at which the data are collected, from the viewing appointment to the conclusion of the agreement. The DSK guidelines provide a sample questionnaire for tenant self-disclosure.

4. EU Parliament: Green light for AI Act

After the Parliament and the Council of the European Union announced in December 2023 that they had reached a political agreement on the AI Act, the Parliament adopted the regulation in March 2024. According to the press release dated 13 March 2024, the AI Regulation was approved by MEPs with 523 votes in favour, 46 against and 49 abstentions and is to be finally adopted during the current legislative period, which requires, among other things, formal endorsement by the Council. We provide an overview of the AI Act here: Looking ahead to the EU AI Act.

The first data protection authorities have already commented on the current status of the AI Act. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) welcomed the Act as a supplement to the GDPR and emphasised the connection between high-risk AI systems in particular and data protection. At the same time, the BfDI criticised the fact that there was no explicit ban on biometric remote recognition in public spaces and called on the German government to make use of the corresponding opening clauses for stricter bans. The BfDI also comments on the AI Act on p. 20 f. of its Activity Report for the year 2023. The State Commissioner for Data Protection and Freedom of Information of the State of North Rhine-Westphalia (LDI NRW) points out the difficulties that arise when determining whether AI systems use personal data and calls for careful examination of AI applications in accordance with both the AI Act and the GDPR.

5. BayLDA: AI and GDPR checklist

On 24 January 2024, the BayLDA published an up-to-date checklist on the topic of AI and data protection, which is intended to provide non-exhaustive assistance in the development and use of AI in compliance with data protection provisions ("Data protection-compliant AI – checklist with GDPR criteria"). The BayLDA focuses on training AI models and risk assessment in the context of the GDPR. You can also find out more about AI and GDPR here: Using AI and responsibility for data privacy.

6. EU Parliament: eIDAS Regulation approved

The EU Digital Identity Wallet is intended to enable secure digital proof of identity throughout the EU. The revision of the eIDAS Regulation should provide the legal basis for this. In a press release dated 29 February 2024, the European Parliament announced that it had formally approved the regulation by 335 votes to 190 with 31 abstentions. The next step is for the EU Council of Ministers to give the green light. On p. 33 f. of its activity report for the year 2023, the BfDI, which advises the German government on the planning of the German EU wallet, comments on the eIDAS Regulation and recommends a design based on the principle of data minimisation.

7. EU Commission: Evaluation of existing adequacy decisions for non-EU countries

The EU Commission is currently reviewing the adequacy decisions pursuant to Article 45 GDPR for international data transfers regarding 11 countries and has published an initial report on this. Such a review was already required by the Data Protection Directive. The initiative serves to check whether the countries for which an adequacy decision exists still fulfil the requirements. In this initial report, the Commission concludes that Andorra, Argentina, Canada (for commercial operators), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay still have an adequate level of data protection.

8. LfDI Baden-Württemberg: Guidance on transfers of personal data to third countries or international organisations

In February 2024, the State Commissioner for Data Protection and Freedom of Information of the State of Baden-Württemberg (LfDI Baden-Württemberg) provided up-to-date guidance for data controllers and data subjects on the topic of third-country transfers and transfer instruments ("Third-country transfers under the GDPR – A guide to Chapter V of the GDPR"). The reason for this is the EU Commission's adequacy decision for the USA from July 2023, which is supposed to allow the transfer of personal data to self-certified US companies and organisations. The guidance is intended to present the transfer instruments and serve as an initial introduction (see: podcast on freedom of data, episode 36 of the LfDI Baden-Württemberg).

II. New GDPR fines

1. France: EUR 32 million fine for non-compliance with the general principles of data processing

The year 2024 is only a few months old and yet many fines have already been imposed under the GDPR. For example, the data protection authority in France imposed a fine of EUR 32 million under the GDPR on the logistics division of an online mail order company for unlawful monitoring of employees. The division was equipped with scanners that provided information on factors such as productivity and stored the information for 31 days. The data protection authority categorised this procedure as disproportionate and also criticised the failure to fulfil information and transparency obligations in this context.

The French data protection authority thus classifies such a procedure in a similar way to the data protection authority in Lower Saxony (State Commissioner for Data Protection, LfD Lower Saxony), which banned a similar procedure in a German logistics centre. However, the Administrative Court of Hanover disagreed with the data protection authority in its ruling on the case of 9 February 2023 (10 A 6199/20) and overturned the decision of the Lower Saxony data protection authority. As there is no specific employee data protection law in Germany, the Administrative Court subsumed the case under section 26 of the German Federal Data Protection Act (BDSG) and came to the conclusion that the data processing was necessary for controlling logistics processes and training and for creating an assessment basis for individual feedback and personnel decisions.

2. Italy: EUR 2.8 million fine for insufficient technical and organisational measures (TOMs)

In addition, the Italian data protection authority imposed a fine of EUR 2.8 million on a bank that suffered a cyberattack on its mobile banking portal. Personal data such as names, social security numbers and identification codes of thousands of former and active customers were leaked. The attackers were also able to determine the PIN for accessing the portal for almost 7,000 customers. The data protection authority found that no suitable technical and organisational measures (TOMs) had been taken to counteract a cyberattack.

3. Netherlands: EUR 150,000 fine for insufficient TOMs

In the Netherlands, the data protection authority imposed a fine of EUR 150,000 on a credit card issuer for insufficient TOMs because the company failed to carry out a data protection impact assessment before launching a digital customer identification programme.

4. Belgium: Fine of EUR 174,640 for insufficient fulfilment of information obligations

The Belgian data protection authority imposed a fine of EUR 174,640 on a software developer. The fine was imposed following a complaint from a data subject whose request for information was not properly fulfilled. In a subsequent investigation, the data protection authority found further breaches of information obligations and an unnecessary storage period.

III. Current court decisions

1. CJEU: Regarding real-time bidding

The CJEU ruling of 7 March 2024 in case C-604/22 on the auctioning of personal data for advertising purposes is of particular relevance for advertising and data protection. In this case, the CJEU ruled on real-time bidding. With real-time bidding, advertising companies, data brokers and advertising platforms place anonymous bids for advertising space in real time when a user accesses a website in order to display adverts tailored to the user's profile. However, this requires the user's consent, and the user can object to this procedure. In the proceedings, the Belgian Court of Appeal, based in Brussels, referred questions to the CJEU for a preliminary ruling, since an association that provided a technical solution in which the user's preferences are stored in a TC String challenged the decision of the Belgian data protection authority, which categorised this string as personal data and imposed measures on the association.

The CJEU confirmed the legal opinion of the Belgian data protection authority and also categorised the TC String as personal data, since it contains information about the user who can be identified via the IP address. The association is also a joint controller within the meaning of the GDPR for data processing, insofar as it has exercised influence on determining the purposes and means of further processing. The latter is to be determined by the national courts.

2. CJEU: Claim for compensation under the Europol Regulation

In a ruling dated 5 March 2024 (C-755/21 P), the CJEU ruled in favour of compensation for unlawful disclosure of data under the Europol Regulation after personal communication data of the data subject were disclosed and transcripts were published in the Slovakian press in the course of investigations by Slovakian authorities and Europol. The data subject initially claimed compensation for non-material damage of EUR 50,000 before the General Court of the EU (EGC) for the disclosure of the communication data. The EGC had dismissed the claim in its ruling of 29 September 2021 (T-528/20).

The data subject filed an appeal with the CJEU and the CJEU awarded the data subject compensation of EUR 2,000 and emphasised in this context that, in order to assert joint and several liability, the data subject only had to prove that unlawful data processing had occurred during the cooperation between Europol and the authorities of the EU member state concerned, which had caused the damage claimed. Beyond that, however, the data subject does not have to prove which of the bodies is responsible for the unlawful processing. Compared to other cases before national courts, the amount awarded by the CJEU appears low in view of the serious interference with telecommunications data.

3. CJEU Advocate-General: Consumer associations have legal standing in the event of GDPR breaches

In case C-757/22 pending before the CJEU, the Advocate-General's Opinion has been available since 25 January 2024. The CJEU had already ruled in the spring of 2022 (C-319/20) that a claim made by consumer protection associations is also admissible if there is no specific order from a consumer. However, the German Federal Court of Justice (BGH) referred another question to the CJEU with its ruling of 10 November 2022 (I ZR 186/17), this time concerning the condition "as a result of the processing" under Article 80 (2) of the GDPR. In this regard, the German Federal Court of Justice would like to know whether a violation of law is asserted "as a result of the processing" if a consumer protection association bases a claim on the fact that the rights of a data subject have been violated by non-fulfilment of the obligations under Article 12 (1) sentence 1 and Article 13 (1) c) and e) of the GDPR. In his Opinion, the CJEU Advocate-General comes to the conclusion that consumer protection associations can assert claims for violation of these information obligations.

4. Cologne Higher Regional Court: Cookie banner requires equivalent options between reject and accept

In early 2024, the Cologne Higher Regional Court ruled on the design of cookie banners. In its ruling of 19 January 2024 (6 U 80/23), the Court pointed out that these must offer consumers a clear and understandable option to reject cookies. In doing so, the Court refers to the requirements of Article 4 no. 11 of the GDPR in conjunction with section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG), according to which consent must be given freely and after sufficient information has been provided. In the present case, this was violated because the defendant operator of the website did not design it in such a way that the visitor had two equivalent options on the cookie banner to accept or reject cookies.

5. Lower Saxony Higher Administrative Court: Regarding the prohibition of requesting date of birth as mandatory information in online pharmacies

The Lower Saxony Higher Administrative Court issued a ruling on 23 January 2024 (14 LA 1/24) and confirmed the injunction issued by the Lower Saxony data protection authority prohibiting an online pharmacy from requesting the date of birth as a mandatory field in every order process, regardless of the type of product ordered. The processing of the exact date of birth is usually not necessary for the fulfilment of the contract, as it is sufficient to ask in general terms whether the person placing the order is of age. This does not change in this specific case due to section 2 (1) no. 3 of the German Pharmaceutical Prescription Ordinance (Arzneimittelverschreibungsverordnung), which is not applicable to the sales products of online pharmacies other than prescription drugs, or section 20 (1) and (2) of the German Regulation Concerning the Operation of Pharmacies (Apothekenbetriebsordnung), since no distinction can be made between the person ordering and the person using the product regarding the obligations to provide advice.

In a press release dated 20 March 2024, the LfD Lower Saxony comments on the decision from Lüneburg and sees its legal opinion confirmed. At the same time, the LfD Lower Saxony advises webshop operators to check their ordering process to see whether they request the date of birth as mandatory information and, if necessary, to change this to voluntary information.

6. Suhl Labour Court: Unencrypted email as a GDPR breach

An interesting decision was also made at the Suhl Labour Court in a ruling dated 20 December 2023 (6 Ca 704/23). In line with the CJEU, the Court not only stated that a GDPR breach alone is not sufficient to assume a claim for compensation under Article 82 (1) of the GDPR, but that this also requires proof that the defendant caused the damage. In addition, the Court pointed out that information provided by email within the meaning of Article 15 of the GDPR constitutes a breach of Article 5 of the GDPR if the email remains unencrypted. The claimant in this case claimed compensation of at least EUR 10,000 from a former employer due to various alleged GDPR breaches, which the Court rejected because the claimant had not proven any non-material damage.

IV. CMS events, blog posts and more

For more information, contact your CMS client partner or these CMS experts: Philippe Heinzke, Dr Reemt Matthiesen and Dr Julia Dreyer.