blockchain

Data protection digest 3 – 17 Jul 2026: blockchain latest, ‘humanless’ resources & AI-repellent fashion

EDPB issues updates on anonymisation, web-scraping, blockchain and cookies

The European Data Protection Board (EDPB) adopted guidelines on anonymisation and on web scraping in the context of generative AI. It brings clarity to the notion of anonymous data, taking also into account the latest CJEU jurisprudence. It also clarifies various aspects of the GDPR compliance of web scraping, including the legal basis for such activities and the conditions under which special categories of data can be processed in the context of training generative AI. 

Furthermore, the top EU regulator has adopted the final version of its guidelines on the processing of personal data through blockchain technologies. It provides a framework for organisations considering the use of blockchain technology, outlining key GDPR compliance considerations for planned processing activities:

  • Lawfulness of processing
  • Roles and responsibilities of different actors in blockchain-related processing 
  • Data Protection by Design and by Default
  • International transfers
  • Data retention periods
  • Security measures
  • Rights of data subjects regarding transparency, rectification and erasure, etc

Stay up to date! Sign up to receive our fortnightly digest via email. 

Finally, the EDPB also required the Belgian data protection regulator to assess the merits of the Austrian advocacy group NOYB’s cookie banner complaint against a public broadcasting company based in Belgium. The Belgian regulator, acting as Lead Supervisory Authority (LSA), submitted a draft decision proposing to dismiss the complaint based on an alleged abuse of Art.77 and Art. 80 (1) of the GDPR. The Austrian regulator, the Concerned Supervisory Authority (CSA), objected, arguing that the LSA should not have dismissed the complaint on procedural grounds and should instead have issued a decision on its merits. 

Criminal convictions data online

The CJEU ruled that mere placing online, in return for payment, of decisions on criminal convictions does not in principle constitute processing of personal data for ‘journalistic purposes’. A person must be able to exercise the remedies which are granted to him or her under the GDPR. In a related case, a Swedish company operates a commercial database which enables searches on criminal proceedings. A person who was convicted in 2011 requested the erasure of their personal data from that database.

That erasure, however, was subsequently only carried out based on the company’s data storage policy. The company relied on the constitutional protection enjoyed by that database in respect of the freedom of expression and leaves the person only the possibility of bringing proceedings for defamation.

Indeed, the GDPR requires member states by law to reconcile the right to the protection of personal data with the freedom of expression and information, including for journalistic purposes. The CJEU, however, ruled that the act of placing online, in return for payment, criminal convictions, does not appear to fulfil those conditions (to inform the public or to disclose opinions or ideas, where the content is prepared according to ethical rules or codes of conduct and has been edited or adapted). 

AI-assisted layoffs

According to a vitallaw.com publication, 26 current and former Meta Platforms employees filed a suit in California, alleging the company unlawfully used artificial intelligence-assisted systems to select workers for a May 2026 reduction in the workforce that affected approximately 10 per cent of its employees. Meta did not assemble the termination list through the considered judgment of managers who knew the work. Instead, the company used a constellation of internal artificial-intelligence systems, including a system referred to internally as “Metamate,” employee-trained “second-brain” agents, keystroke and activity-monitoring data, AI-token-usage dashboards, and algorithmically assisted performance ranking and calibration. 

That, by design, cannot be accumulated by an employee who is on protected medical or family leave, or whose output is reduced by a disability. The result was that employees who took protected leaves were disproportionately selected for layoff, based on scoring that not only failed to account for their protected leaves, but in effect penalised the employees for exercising their legal rights to those leaves. 

Geolocation risks

Several investigations by French media have highlighted the massive circulation of geolocation data from mobile applications and their use in the advertising ecosystem. They revealed the existence of databases containing millions of advertising identifiers associated with location histories, collected via widely used everyday applications, whose legality is questionable. This data, then resold by specialised brokers, makes it possible to reconstruct travel trajectories with sometimes very fine precision.

Contrary to popular belief, it is not always necessary to know the name of a person to identify them. A few location points are often enough to recognise an individual, especially when they reveal their home, place of work or travel habits. Even when the data is presented as “anonymous” or associated with a simple technical identifier, it can sometimes be cross-referenced with other information, enabling the identification of a person. The more precise the geolocation data is and the longer it is collected over a long period of time, the greater the risk of re-identification, explains the French CNIL. 

More official guidance

AI trustworthiness: With the increasing prevalence and complexity of AI systems, regulatory requirements for their use are also growing. To that end, the German Federal Office for Information Security (BSI) issues its audit architecture for AI systems (in German) for public comments. It conveys technical trustworthiness in the context of regulatory requirements such as the EU AI Act and the Cyber ​​Resilience Act, and aims at all stakeholders along the AI ​​value chain (development, operation, and oversight). 

Employer supervision practices: The French CNIL explains that an employer has the power to supervise and control the activity of staff members as well as their use of equipment at work. This is a normal consideration inherent to the employment contract. Nevertheless, this power cannot be exercised excessively. To be lawful, a system for monitoring staff activity must cumulatively:

  • meet the tests of justification and proportionality,
  • be submitted to the employee representative bodies in accordance with the rules in force, and
  • be brought to the attention of employees/agents.

Connected vehicles: The CNIL has also published its recommendations on the use by professionals of location data of connected vehicles (in French). The aim is to increase legal certainty and give users more transparency. Specifically, the user’s consent to the use of location data appears to be mandatory, unless such data is necessary for a service expressly requested by the user. The recommendation provides insights into the most frequent uses of location data: 

  • breakdown of the rented vehicle, 
  • assistance to people in the event of an accident, 
  • fleet management,
  • fight against theft, 
  • optimisation and improvement of products and services. 

Receive our digest by email 

Sign up to receive our digest by email every 2 weeks

In other news

Corporate system security fine: The Italian data protection authority Garante has fined Wind Tre Spa 1,715,600 euros for serious security deficiencies in its corporate systems, which resulted in two unauthorised accesses and the exfiltration of personal data of over 365,000 customers. For 41,359 of them, the exfiltration also included information related to payment methods used. 

Hackers, posing as support technicians, convinced operators at two stores to grant access to company systems, thus exfiltrating customers’ personal and contact information. Specifically, the authority found deficiencies in the management of login credentials and digital certificates. Furthermore, the security audits conducted by the company did not identify vulnerabilities that would have been detectable with more thorough checks.  

Hospital data processor fine: In Poland, the Personal Data Protection Office (UODO) issued a warning to a hospital for failing to verify the processor’s performance to ensure sufficient security guarantees. The controller was also reprimanded for failing to conduct a proper risk analysis of personal data processing via email. UODO also reprimanded the processor for failing to properly implement appropriate measures to ensure the security of personal data

The case began in 2021 when an unauthorised person gained access to the administrator’s email, which was hosted on the servers of an external service provider.  The unauthorised person downloaded all of its content, ​​including the personal data of 224 individuals. The investigation found that the controller failed to follow its own risk assessment procedure when selecting a processor. The processor, meanwhile, declared that it applied appropriate security measures that met the requirements of the GDPR and had obtained the appropriate ISO/IEC 27001 certification.

Character AI fined in Italy

Italy’s Garante has also imposed a fine of 158,000 euros on Character Technologies Inc., a US company that operates Character.AI, a generative artificial intelligence service that enables users, including minors, to create and chat with virtual characters. During the fact-finding initiated ex officio, the authority identified several infringements of data protection regulations, among which were shortcomings in the privacy notice. Furthermore, the preparation of the data protection impact assessment and the appointment of the EU representative were not completed within the required period.

And Finally

‘Humanless’ resources taking over workplaces: An estimated 90% of employers use some form of automated or algorithmic system to search, prioritise, rank, or deselect candidates. Privacy International’s investigation into two AI recruitment platforms (Manatal and  Talenteria) exposed a lack of transparency and fairness for candidates in opaque and often unreliable systems. In particular, the key findings were that:

  • Identical CVs were scored differently across attempts by the same algorithm.
  • Generic AI-written CVs were scored higher than human-written CVs, despite the AI CVs missing obvious information.
  • There was little to no explanation about how the algorithms calculated numerical scores from qualitative CV information, and
  • Algorithmic assessments were presented as the default.

PI’s research focused on AI-assisted processes described as “candidate enrichment,” including the scraping of public social media data to build profiles of applicants or AI-facilitated CV screening and video interviewing. Additionally, such tools can be used for generating job descriptions, writing personalised candidate emails, and facilitating the recruitment chatbot.  

Art. 22 of the GDPR places limits on the use of automated decision-making for significant decisions in the first place. Taking human decision-makers out of crucial parts of the recruitment picture makes complying with these rules challenging, concludes Privacy International.

AI-repellent clothes: The German start-up Urban Privacy transforms jackets, scarves and smartphone pouches into small tools to protect against AI surveillance. The idea is to complicate the life of smart cameras, journaldugeek.com reports. Such clothes do not make their owner invisible, but it does seek to blur certain video analysis systems. Its pattern evokes a face, which can disturb AI-equipped cameras. And its loose, asymmetrical fit also makes it difficult for software to automatically assign a gender. One more product, a smartphone pouch, claims to completely cut the device off from the network.  

Do you need support on data protection, privacy or GDPR? TechGDPR can help.

Request your free consultation

Tags

Show more +