Recent developments in data protection

In this News Update, we discuss several recent developments in data protection law:

• Dutch DPA imposes a fine for violations relating to tracking cookies
• The Hague district court confirms validity of automatic number recognition by Dutch police 
• Dutch DPA: web scraping is almost always illegal
• European Data Protection Board issues statement on data protection authorities' role in the AI Act
  
  

1. DUTCH DPA IMPOSES FINE FOR VIOLATIONS RELATING TO TRACKING COOKIES

The Dutch Data Protection Authority has imposed a fine of EUR 600,000 on AS Watson, the company behind Dutch pharmacy retail chain Kruidvat. The Dutch DPA has found that AS Watson had processed personal data through the use of cookies on its website Kruidvat.nl. The types of cookies used can be qualified as 'tracking cookies', which – together with other data collected – allowed the retailer to make profiles for each website visitor. Apparently, the retailer did so without obtaining visitors' consent in accordance with the GDPR. What's remarkable is that the violations date back to 2020. This fine therefore does not seem to be the direct result of the Dutch DPA's crackdown on misleading cookie banners announced earlier this year. AS Watson has said that it would appeal the Dutch DPA's decision.

2. THE HAGUE DISTRICT COURT CONFIRMS VALIDITY OF AUTOMATIC NUMBER PLATE RECOGNITION BY DUTCH POLICE

In a class actions case between privacy rights association Privacy First and the Dutch government, the district court of The Hague has ruled that the legal framework allowing Dutch police to record and store vehicles' number plates on public roads by using Automatic Number Plate Recognition (ANPR) cameras, is lawful. Privacy First alleged that the legal provision on which the ANPR is based, is illegal because it is in violation of the fundamental right to private life under Article 8 of the European Convention on Human Rights/Article 7 of the EU Charter and the fundamental right to the protection of personal data of Article 8 of the EU Charter. The Court ruled that the provision does not violate any fundamental rights and has rejected Privacy First's claims. While the court did assess that the ANPR scheme caused an interference with citizens' privacy rights, the court found that such interference is justified because there is a legitimate purpose for the ANPR-based monitoring, which is proven to be effective. The court also found that the framework meets proportionality requirements and is designed with sufficient safeguards to prevent abuse. 

3. DUTCH DPA: WEB SCRAPING ALMOST ALWAYS ILLEGAL

The Dutch DPA has issued guidance on web scraping. Scraping is the automatic collection and storage of information from the internet. According to the Dutch DPA, which takes a very strict position, scraping by private parties and individuals is almost never allowed because in most cases, the strict requirements for a legitimate interest-based processing cannot be met. According to the Dutch DPA, a widespread misconception is that scrapping would be allowed because everything on the internet is available for anyone to see anyway. "But the fact that information about you is public does not automatically mean that you also give permission for scraping," says chairman Aleid Wolfsen. The Dutch DPA's position on using scraped data for training AI systems is not very clear. The Dutch DPA just notes in its guidance that developers "keep an eye on the risks" associated with using scraped data and "need to comply with the GDPR", but does not say in so many words that this is prohibited altogether.

4. EDPB ISSUES STATEMENT ON DATA PROTECTION AUTHORITIES' ROLE IN THE ARTIFICIAL INTELLIGENCE ACT

On 17 July 2024, the European Data Protection Board (EDPB) has issued a statement (3/2024) on data protection authorities' role in the Artificial Intelligence Act framework. The Artificial Intelligence Act (Regulation (EU) 2024/1689) was published on 12 July 2024 (read our news update here). In its statement, the EDPB highlights supervision and coordination issues that could result from the designation of competent authorities by the EU member states in areas of the AI Act that are closely linked to personal data protection matters. EU member states will establish or designate one or more "national competent authorities", and in particular "market surveillance authorities" under the AI Act which will interact with data protection authorities. The EDPB stresses the importance of the existing data protection authorities' expertise and experience, and believes that the existing DPA's are best placed to become market surveillance authorities under the AI Act. In the Netherlands, it is expected that the Dutch Data Protection Authority will indeed be appointed as market surveillance authority under the AI Act.