
Past trends, future insights: What’s on the Supervisory Authorities’ agendas?
Charlotte Bourguignon


Written by: Alida Denys

As the new year approaches, we take a retrospective look at the priorities set by Supervisory Authorities in 2023 and the multi-year plans they have outlined for the upcoming period. In this blog post, we provide a concise overview of several common focus areas from the strategic objectives and multi-year plans established by the Supervisory Authorities from Belgium (hereinafter: the GBA), the Netherlands (hereinafter: the AP), France (hereinafter: the CNIL) and the UK (hereinafter: the ICO). 

For our DPO colleagues, this post enables you to proactively plan and implement measures that not only comply with current focus areas but also anticipate future challenges. We start with general focus areas that are relevant to every sector, followed by specific focus areas which are especially important for the public sector. 

Focus areas. 

Online tracking 

The GBA emphasises the critical need for detecting, disclosing, and explaining practices related to the extensive gathering of behavioural data on internet users e.g. through “cookies.” The creation of vast databases, fueled by both online and offline information, forms the basis for predicting and influencing user behaviour within complex ecosystems. The GBA stresses the importance of ensuring transparency and legitimacy in data processing, allowing citizens the freedom to decide whether they wish to participate in such practices. 

Similar to the collection of cookies on websites, the CNIL addresses the challenge posed by mobile applications, where users are tracked for advertising, statistical or technical purposes without adequate user information or consent.

The ICO notes that online tracking is used for different purposes, ranging from advertising to age estimation. The ICO advocates for changes such as the phasing out of third-party cookies to foster a privacy-oriented internet. Through collaborating with government, industry stakeholders, and regulators, the ICO aims to empower users with meaningful control over their online tracking preferences and to shift away from cookie pop-ups. 

Resale of personal data 

The AP discusses the online advertising business, in which the emerging technical capabilities to track individuals, create profiles, and subsequently sell that information are becoming more prevalent. The AP notes a growing problem of unauthorised resale of personal data. This involves both data brokers, who exclusively profit from (international) data sales, and traditional businesses engaging in such practices. As a result, data subjects lose control over what happens with their data and are unable to exercise their rights. The responsibility for lawful and transparent data collection lies with data brokers. The AP will enforce measures against the unlimited and unauthorised tracking of individuals’ online activities, as well as the resale of such data without legal basis.

The GBA also requires that data subjects maintain control over the actual usage of their data. They should be informed in advance of the intentions of the data brokers to allow them to decide if they consent to such practices. The GBA aims to subject such practices to an investigation.

(Smart) cameras

Related to smart cities is the use of (smart) cameras. The CNIL questions the necessity and proportionality of the use of smart cameras, particularly by public authorities. The CNIL is concerned about the potential large-scale surveillance of individuals. The CNIL aims to ensure compliance with legal frameworks by public authorities through priority investigations in 2023. The ICO investigates how CCTV is used in various settings such as care homes.


Use of biometric data 

The GBA and the ICO refer to the use of biometric data (such as fingerprints, facial recognition, …) across different sectors (finance, health, education, …). There is a lack of public awareness that in principle such practices are prohibited. The ICO pays close attention to the potential risks of using biometric data, in particular concerning emotion recognition technologies which might lead to discrimination against vulnerable groups. The ICO will set out how these technologies should be used and will investigate whether these technologies have any adverse impacts on vulnerable groups.



The GBA and the AP are concerned about elections and microtargeting, particularly in light of concerns arising from cases like Cambridge Analytica. Political parties are increasingly processing personal data with the aim of reaching their members in the most targeted way, often with the assistance of external parties. The European legislator has indicated that this is permitted based on a general interest but with established safeguards. Legitimate, fair, and transparent processing is crucial to ensure free elections in an open society.



The GBA and the ICO advocate for children’s privacy. The ICO prioritises safeguarding children on social media platforms, while the GBA concentrates on preserving children’s privacy within an educational context.

The ICO requires that social media platforms take steps to ensure accurate assessment of children’s ages and that they comply with specific guidelines established to protect children’s privacy, particularly regarding the collection and sharing of their data. The ICO will press charges if these social media platforms do not comply. The ICO emphasizes that it is important to enhance transparency by drafting privacy statements that children can understand.

The GBA focuses on the educational sector, since schools request a lot of information from minors, such as photos, e-learning, sickness, … Moreover, there is a notable shift occurring in this sector towards the adoption of digital technology.


Specific focus areas for public sector 

The Supervisory Authorities are monitoring public authorities with keen interest. Public authorities inherently possess a significant amount of personal data, frequently involving highly sensitive data. 


Purpose limitation & sharing of data 

More and more data is being shared and connected among various public entities for various reasons such as preventing the misuse of public resources, detecting serious criminal activities, … However, the AP warns that connecting and sharing these data can constitute a violation of the legal principle of purpose limitation. As a result, governments should exercise caution and hold back in sharing data even if motivated by good intentions and despite potential lower costs.

Both the AP and the GBA emphasise that guiding and overseeing these public authorities is crucial to ensure that such data is accessed only for the purposes for which it was initially collected or for compatible purposes. The GBA confirms that any reuse of such data by these authorities must also be clearly restricted to the public interest if it can provide an added value.



The AP expects public authorities to invest in improving their information security to limit the risk of data breaches affecting the large amount of (sensitive) data they possess. In the upcoming years, the AP plans to assess the security levels of these organisations and encourage them to develop robust IT and data management systems.


Smart cities 

Public authorities are on the lookout for innovative solutions to address challenges in mobility, energy, safety and housing. These solutions often involve the internet of things, the deployment of sensors and the collection of data. This comes with significant risks for the data subjects: they can be tracked and identified anywhere and cannot escape the sensors, as their location is often hidden. The AP emphasizes that public authorities should consider the fundamental rights and freedoms of choice of individuals from the beginning. These solutions should be developed in such a way that they process the minimum amount of data possible (privacy by design). The AP points out the danger that, in practice, private companies also play a role, and in this context, public interests can sometimes become intertwined with private interests.

In this regard, the GBA would also like to develop preventive actions and enter into dialogue with public authorities.


The Supervisory Authorities have identified various common focus areas in their strategic objectives and multi-year plans. We can anticipate that they will continue to prioritize and monitor these points in the coming years. This is useful for DPOs to keep in mind when establishing their priorities for the upcoming year.


Used Sources. 

Autoriteit Persoonsgegevens, Focus AP, 2020-2023. 

Gegevensbeschermingsautoriteit, Beheersplan 2024. 

Gegevensbeschermingsautoriteit, “De GBA stelt haar prioriteiten voor het jaar 2023 vast”, 15 november 2022, https://www.gegevensbeschermingsautoriteit.be/burger/de-gba-stelt-haar-prioriteiten-voor-het-jaar-2023-vast. 

Gegevensbeschermingsautoriteit, Strategisch Plan 2020 – 2025, 28 januari 2020. 

Information Commissioner’s Office, ICO25 – empowering you through information. 

National Commission on Informatics and Liberty, Strategic plan 2022-2024. 


