November Newsletter

1. German data protection regulators have found that Microsoft 365 may not comply with Europe’s data rules.

In 2019 the German state of Hesse banned the use of Microsoft 365 in schools after the local data protection commissioner ruled that the platform could potentially expose EU citizens’ data to US officials. After looking into the software for around two years, a working group of German data protection regulators (the DSK) has found that Microsoft 365 may be incompatible with GDPR – and that Microsoft has not resolved any of the compliance concerns raised by the group so far. The new DSK report said it could not conclusively determine in which cases Microsoft acts as a data controller as opposed to just a data processor. Under EU law, a data controller has to abide by a more stringent set of accountability regulations. It also pointed out that there isn’t sufficient clarity around the measures Microsoft has taken to ensure the safety of any data exported from the EU to the US.

One of the founders of the German encrypted email service Tutanota said that US-based companies' online services are still "trampling" on GDPR more than four years after it went into effect.

Moreover, French legislators recently raised similar concerns, and the French education ministry advised schools not to use the free version of Microsoft 365.

In response, Microsoft said: “We respectfully disagree with the concerns raised by the [DSK] and have already implemented many suggested changes to our data protection terms. We remain committed to working with the DSK to address any remaining concerns.”

Is Microsoft going to be fined? What will happen next?

Read more here.

2. The EDPS published an Opinion on a proposed Regulation laying down cybersecurity requirements for products with digital elements.

The EDPS published an Opinion on a proposed Regulation which aims to set out EU-wide cybersecurity requirements for a broad range of hardware and software products and their remote data processing solutions. These include, for example, browsers, operating systems, firewalls, network management systems, smart meters and routers. The Opinion reiterates that, in accordance with the General Data Protection Regulation (GDPR), an adequate level of security in the processing of personal data must be ensured by controllers and processors. In addition, data protection principles must be embedded throughout the development of technologies that process personal data, including many products with digital elements. Concerning the standardisation and certification on cybersecurity mentioned in the proposed Regulation, the EDPS suggests clarifying the type of synergies envisaged between the relevant bodies and organisations. The EDPS also suggests clarifying the relationship between the proposed Regulation and EU data protection laws, in particular how they will interact in the area of market surveillance and enforcement. To this end, the EDPS considers that the proposed Regulation should not affect or seek to affect existing EU laws that already regulate the processing of personal data of individuals and the tasks and powers of independent data protection authorities.

Read the Opinion here.

3. EDPS and ENISA sign a Memorandum of Understanding

The EDPS and ENISA signed a Memorandum of Understanding (MoU) which establishes a strategic cooperation framework between them. Both organisations agree to consider the design, development and implementation of capacity-building and awareness-raising activities, as well as cooperation on policy issues on topics of common interest, and to contribute to similar activities organised by other EU institutions, bodies, offices and agencies (EUIBAs). The Memorandum includes a strategic plan to promote awareness of cyber hygiene, privacy and data protection, and also aims to promote a joint approach to the cybersecurity aspects of data protection, to adopt privacy-enhancing technologies, and to strengthen the capacities and skills of EUIBAs.

Wojciech Wiewiórowski, EDPS, said: “Today's MoU formalises the EDPS and ENISA's cooperation, which has been ongoing for several years. The document establishes strategic cooperation to address issues of common concern, such as cybersecurity as a way of protecting individuals’ personal data. Cybersecurity and data protection go hand in hand and are two essential allies for the protection of individuals and their rights. Privacy-enhancing technologies are a good example of this.”

Read the memorandum here.

Decisions

1. The Irish DPA has once again fined Meta Platforms Ireland Ltd.

The Irish DPA has fined Meta Platforms Ireland Limited EUR 265 million. The DPA had launched an investigation against Meta in 2021 after media reports indicated that a dataset containing personal data from Facebook had been made available on a hacking platform. The data leak affected up to 533 million users, exposing data such as phone numbers and email addresses. As part of the investigation, the DPA reviewed and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools. The DPA primarily reviewed the implementation of technical and organizational measures to protect personal data and found a breach of Art. 25 GDPR. You can find more here.

2. Discord Inc. has been fined EUR 800,000 for non-compliance with general data processing principles.

The French DPA has imposed a fine of EUR 800,000 on DISCORD INC. DISCORD offers an online communication service through which users can chat or make video calls. During its investigation, the DPA found that the company had failed to establish, and comply with, a data retention period appropriate to the purpose of the processing. For example, there were over two million accounts of French users within the DISCORD database that had not been used for more than three years, and approximately 50,000 accounts that had not been used for more than five years. Further, the DPA noted that the company did not have complete information regarding retention periods. Also, the DPA found that the company had failed to ensure data protection by default, contrary to the obligation under Art. 25 (2) GDPR: it was possible for user data to be transmitted even after the communication application was closed. The DPA also found that the company had failed to sufficiently ensure the security of personal data by accepting insecure passwords from users; the company accepted user passwords that consisted of six characters containing only letters and numbers. Finally, the DPA found that the company had failed to conduct a data protection impact assessment. Read more here.

3. The French DPA has imposed a fine of EUR 600,000 on Électricité de France (EDF), France's largest electricity supplier.

The DPA had received several complaints that individuals were experiencing difficulties in exercising their rights with EDF. During its investigation, the DPA found that EDF's privacy policy did not provide sufficient information on various aspects of data processing, such as the retention period of personal data. In addition, the DPA found that EDF had not responded to a number of data subject requests in a timely manner. Also, EDF failed to respect data subjects' right to object to advertising requests in some cases. Furthermore, the DPA noted that EDF failed to demonstrate that it had obtained valid consent from data subjects in the context of a commercial solicitation campaign. Finally, the DPA concluded that EDF had failed to implement sufficient technical and organizational measures to protect personal data. EDF had insecurely stored the passwords of more than 25,000 customer accounts. In addition, the company had merely hashed, and not salted, the passwords of 2.4 million accounts. Here you can find details.
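As an added example (not code from the newsletter, from Discord or from EDF), the two password findings in the decisions above side by side in Python: the "hashed but not salted" storage faulted in the EDF decision, a hardened record using a per-user random salt with PBKDF2-HMAC-SHA256 from the standard library plus constant-time verification, and a policy check that rejects the six-character alphanumeric passwords Discord was faulted for accepting. The iteration count, the blocklist and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample values for the example, not data from the newsletter.
COMMON_PASSWORDS = {"password", "123456", "qwerty123456", "discord2022"}
PBKDF2_ITERATIONS = 600_000  # assumption: a deliberately slow work factor

def unsalted_digest(password: str) -> str:
    """The pattern faulted in the EDF decision: one bare hash, no salt, no work
    factor. Every account sharing a password stores the identical value, so a
    single precomputed table covers the whole database at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str) -> dict:
    """Hardened storage: 16 random bytes of per-user salt and PBKDF2-HMAC-SHA256.
    Two users with the same password store different digests, and each guess
    costs the attacker the full iteration count per account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "digest": digest.hex()}

def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])

def policy_ok(password: str, min_length: int = 12) -> bool:
    """Reject what the Discord decision faulted: six characters of letters and
    digits only. Assumed policy: a minimum length plus a blocklist of common
    passwords, rather than character-composition rules."""
    if len(password) < min_length:
        return False
    return password.lower() not in COMMON_PASSWORDS

if __name__ == "__main__":
    # Two constructed users who happened to choose the same password.
    print(unsalted_digest("Summer22") == unsalted_digest("Summer22"))  # True: same stored value
    a, b = make_record("Summer22"), make_record("Summer22")
    print(a["digest"] == b["digest"])  # False: salts differ
    print(verify_password(a, "Summer22"), verify_password(a, "summer22"))  # True False
    print(policy_ok("abc123"), policy_ok("correct horse battery staple"))  # False True
```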
