Category: General Data Protection Regulation
29. November 2022
The Irish Data Protection Commission (DPC) imposed an administrative fine of 265 million euros on Facebook-mother Meta as a result of the unlawful publication of personal data.
Investigation proceedings
Following the availability online of personal data of up to 533 million Facebook and Instagram users from over 100 countries in April 2021, the DPC had launched investigations. As part of the investigation process, it cooperated with the other European data protection authorities and examined the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools. With the help of these tools, contacts stored in the smartphone can be imported into the Instagram or Facebook app in order to find friends or acquaintances.
Lack of technical and organisational measures to protect data
As part of its investigation, the DPC dealt with the so-called technical and organisational measures according to Article 25 GDPR. According to data protection law, data controllers must use such measures to ensure that the rights of data subjects are extensively protected. These include, for example, pseudonymisation and encryption of personal data, but also physical protection measures or the existence of reliable backups.
The DPC did not consider Meta’s technical and organisational measures to be sufficient. Therefore, in addition to the aforementioned fine of 265 million euros, it issued a reprimand as well as an order to bring the processing operations into compliance with data protection law within a certain period of time and to implement a number of specific remedial measures to this end.
Not the first fine for Meta
Meta is by now familiar with fines from European data protection authorities. In total, the company has already been fined almost one billion euros, most recently in September in the amount of 405 million euros for serious data protection violations involving underage Instagram users. The reason for the considerable amount of the individual sanctions is Article 83 GDPR, according to which fines can amount to up to four percent of a company’s total worldwide annual turnover. Meta has appealed against each of the previous decisions, so it can also be assumed in this case that Meta will not accept the fine without a judicial review, either.
28. October 2022
The French data protection authority CNIL imposed a fine of 20 million Euros on Clearview AI, being the latest in a line of authorities deeming the processing activities of the biometrics company unlawful under data protection law.
Clearview AI is a US company that extracts photographs and videos that are directly accessible online, including social media, in order to feed its biometric image database, which it prides itself to be the biggest in the world. Access to the search engine based on this database is offered to law enforcement authorities.
The case
The decision followed several complaints from data subjects in 2020, which led to the CNIL’s investigations and a formal notice to Clearview AI in November 2021 to “cease the collection and use of data of persons on French territory in the absence of a legal basis” and “facilitate the exercise of individuals’ rights and to comply with requests for erasure.” However, the company did not react to this notice within the two-month deadline imposed by the CNIL. Therefore, the authority imposed not only the fine but also an order to Clearview AI “to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it had already collected, within a period of two months.” In addition, it set a “penalty of 100,000 euros per day of delay beyond these two months.”
CNIL based its decision on three breaches. First, Clearview AI had processed the data without a legal basis. Given the “intrusive and massive nature of the process which makes it possible to retrieve the images present on Internet of the millions of internet users in France”, Clearview AI had no legitimate interest in the data processing. Second, the CNIL sanctioned Clearview AI’s inadequate handling of data subjects’ requests. Lastly, it penalized the company’s failure to cooperate with the CNIL.
The impact of the decision
For over two years, Clearview AI has been under the scrutiny of data protection authorities (“DPA”s) all over the world. So far, it has been fined more than 68 million Euros in total. Apart from CNIL’s fine, there have been fines of 20 million Euros by Greece’s Hellenic DPA in July 2022, over 7.5 million pounds by the UK Information Commissioner’s Office in May 2022 and 20 million Euros by the Italian Garante in March 2022.
CNIL’s decision was likely not the last one, considering that the all-encompassing nature of Clearview AI’s collection of personal data that – given the company’s business model – inevitably concerns EU data subjects. Whether the company will comply within the two-month period is yet to be seen.
27. October 2022
On October 21st, 2022 the Italian Data Protection Authority launched an investigation on the use of cookie walls by several online newspapers. Although the GDPR allows the implementation of cookiewalls and paywalls (not revealing the content of a website unless the cookies have been accepted or a certain amount of money has been paid), the Italian watchdogs will take a closer look if these have been correctly implemented correctly and do not violated the European regulation.
Further information is yet to be released by the authorities.
12. October 2022
A few days ago a Dutch court ordered a Florida – based company to pay a compensation of 75.000 Euros to an employee. The employee had been fired because he had refused to keep his work computer’s camera on the whole day, as required by the company, being concerned with the fact that this was an invasion of his privacy.
After he was fired he took his former employer to court, suing for wrongful termination; the judges recognized the issue and stated that the American company’s regulation was a violation of the employee’s privacy and were in violation of data protection laws. The worker had already stated his complaint with his employer, also stating that they already could see his shared screen while he was working, and that it was not necessary for him to keep the camera on.
Rather than a matter of personal data protection, this was a matter of the employee’s right to privacy, as stated in Article 8 of the European Convention of Human Rights: the court argued that the company’s request was disproportionate and intrusive of the worker’s privacy.
According to Dutch law, an appeal is possible for the company within three months of the ruling. In the aftermath of the ruling, the company shut down its offices in Rijswijk, Netherlands, where the plaintiff worked.
27. September 2022
From September 6th to September 9th, 2022 a meeting between representatives of the G7’s Data Protection Authorities was held in Bonn, Germany, to discuss current regulatory and technological issues concerning the concept of Data Flow with Free Trust (DFFT), a proposed guiding principle for international cooperation on data flows.
It aims at providing answers to several questions in order to create a safe global digital environment in which the protection of data flow is guaranteed. The most important question is: how to overcome the existing data flow barriers? It may seem difficult to introduce a harmonization between countries that have a completely different approach and regulations in regard to personal data protection. To answer this question, a bottom – up approach was adopted for the implementation of the DFFT: it is foreseen that high – level intragovernmental discussions that result in pragmatic rule – making will be held, in order to parallel the public/private relationship for the resolution of individual issues.
Scholars and experts seem to think that RegTech could prove a very useful help to the implementation of the DFFT. To tackle some of the issues that were found in the various discussions and that resulted from research, the World Economic Forum issued a white paper finding seven common success factors that define the best deployment of RegTech.
This concept, first proposed by Japan’s late Prime Minister Shinzo Abe in 2019, is now moving into the implementation phase, mainly concerning trade agreements including e – commerce. A milestone regarding this topic will probably be the next G7 Conference, which will be held in Japan in 2023. Kishida Fumio, the new Japanese Prime Minister, claimed his country’s initiative in the project, and pledged his commitment to the continuous development of the DFFT.
30. June 2022
In early June, three of the four chairmen of the U.S. congressional committees responsible for data privacy submitted a drafted American Data Privacy and Protection Act (ADPPA) for consideration. If passed, it would override certain recently enacted privacy laws in some U.S. states.
The draft includes elements of the California Consumer Privacy Act and the European General Data Protection Regulation.
States led the way
Until now, data protection in the United States has primarily been at the top of the agenda at the state level. California, Colorado, Connecticut, Virginia and Utah have recently enacted comprehensive data privacy laws. This year alone, more than 100 privacy bills have already been introduced in the states. Although not all of these were adopted, the proliferation of state laws and their varying regulatory requirements has led to increasing calls for the adoption of a federal privacy law. A unified federal law, if passed, would provide much-needed clarity to entities and businesses and, ideally, would also stem the tide of class action and other privacy lawsuits brought under various state laws.
Affected Entities
The ADPPA broadly applies (with exceptions) to organizations operating in the United States that collect, process, or transfer personal information and fall into one of the following categories:
- Subject to the Federal Trade Commission Act
- Nonprofit organizations
- So-called Common Carriers, subject to Title II of the Communications Act of 1934
Requirements of the ADPPA (not final)
- Limit data collection and processing to that which is reasonably necessary
- Compliance with public and internal privacy regulations
- Granting consumer rights such as access, correction, and deletion
- Appeal options
- Obtaining consent before collecting or processing sensitive data, e.g. geolocation, genetic and biometric information, and browsing history
- Appointment of a data protection officer
- Providing evidence that adequate safeguards are in place
- Registration of data brokers with the Federal Trade Commission (FTC)
- FTC will establish and maintain a searchable, centralized online public registry of all registered data traders, as well as a “Do Not Collect” registry that will allow individuals to request all data traders to delete their data within 30 days
- Entities shall not collect, process, or transfer collected data in a manner that discriminates on the basis of race, color, religion, national origin, sex, sexual orientation, or disability
- Implement appropriate administrative, technical, and physical data security practices and procedures to protect covered data from unauthorized access and disclosure
Outcome still uncertain
Shortly after a draft of the ADPPA was released, privacy organizations, civil liberties groups, and businesses spoke out, taking sides for and against the law.
As the legislative session draws to a close, the prospects for ADPPA’s adoption remain uncertain. Strong disagreement remains among key stakeholders on important aspects of the proposed legislation. However, there is consensus that the United States is in dire need of a federal privacy law. Thus, passage of such legislation is quite likely in the foreseeable future.
29. June 2022
On June 1, 2022, Thailand’s Personal Data Protection Act (PDPA) entered into force after three years of delays after its enactment in May 2019. Due to the COVID-19 pandemic, the Thai government issued royal decrees to extend the compliance deadline to June 1, 2022.
The PDPA is widely based on the EU General Data Protection Regulation (GDPR). In particular, it also requires data controllers and processors to have a valid legal basis for processing personal data (i.e., data that can identify living natural persons directly or indirectly). If such personal data is sensitive personal data (e.g. health data, biometric data, race, religion, sexual preference and criminal record), data controllers and processors must ensure that data subjects give explicit consent for any collection, use or disclosure of such data. Exemptions are granted for public interest, contractual obligations, vital interest or compliance with the law.
The PDPA also ensures that data subjects have specific rights, which are very similar to the GDPR: the right to be informed, access, rectify and update data, as well as restrict and object to processing and the right to data erasure and portability.
One major difference to the GDPR is that, while there are fines for breaching the PDPA obligations, certain data breaches involving sensitive personal data and unlawful disclosure also carry criminal penalties including imprisonment of up to one year.
Just like the GDPR, the PDPA also affects both entities in Thailand as well as entities abroad that process personal data for the provision of products and/or services within Thai borders.
Just as we have seen with the GDPR, it will be important to observe the evolution the PDPA will venture through as it becomes more incorporated into the Thai companies’ compliance.
30. May 2022
On 25 May 2022, the European Commission published guidance outlining questions and answers (‘Q&A’) on the two sets of Standard Contractual Clauses (‘SCCs’), on controllers and processors (‘the Controller-Processor SCCs’) and third-country data transfers (‘the Data Transfer SCCs’) respectively, as adopted by the European Commission on 4 June 2021. The Q&A are intended to provide practical guidance on the use of the SCCs. They are based on feedback from various stakeholders on their experiences using the new SCCs in the months following their adoption.
Specifically, 44 questions are addressed, including those related to contracting, amendments, the relationship to other contract clauses, and the operation of the so-called docking clause. In addition, the Q&A contains a specific section dedicated to each set of SCCs. Notably, in the section on the Data Transfer SCCs, the Commission addresses the scope of data transfers for which the Data Transfer SCCs may be used, highlighting that they may not be used for data transfers to controllers or processors whose processing operations are directly subject to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) by virtue of Article 3 of the GDPR. Further to this point, the Q&A highlights that the Commission is in the process of developing an additional set of SCCs for this scenario, which will consider the requirements that already apply directly to those controllers and processors under the GDPR.
In addition, the Q&A includes a section with questions on the obligations of data importers and exporters, specifically addressing the SCC liability scheme. Specifically, the Q&A states that other provisions in the broader (commercial) contract (e.g., specific rules for allocation of liability, caps on liability between the parties) may not contradict or undermine liability schemes of the SCCs.
Additionally, with respect to the Court of Justice of the European Union’s judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (‘the Schrems II Case’), the Q&A includes a set of questions on local laws and government access aimed at clarifying contracting parties’ obligations under Clause 14 of the Data Transfer SCCs.
In this regard, the Q&A highlights that Clause 14 of the Data Transfer SCCs should not be read in isolation but used together with the European Data Protection Board’s Recommendations 01/2020 on measures that supplement transfer tools.
29. April 2022
Associations can bring legal proceedings against companies according to a press release of the European Court of Justice (CJEU).
This is the conclusion reached by the Court in a decision on the proceedings of the Federation of German Consumer Organisations (vzbv), which challenged Facebook’s data protection directive. Accordingly, it “allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, The vzbv is an institution that is entitled to bring legal proceeding under the GDPR because it pursues an objective in the public interest.
Specifically, the case is about third-party games on Facebook, in which users must agree to the use of data in order to be able to play these games on Facebook. According to the association, Facebook has not informed the data subjects in a precise, transparent and understandable form about the use of the data, as is actually prescribed by the General Data Protection Regulation (GDPR). The Federal Court of Justice in Germany (BGH) already came to this conclusion in May 2020 however, it was not considered sufficiently clarified whether the association can bring legal proceedings in this case.
The EU Advocate General also concluded before that the association can bring legal proceeding in a legally non-binding statement.
Thus, the CJEU confirmed this view so that the BGH must now finally decide on the case of vzbv vs. facebook. It is also important that this decision opens doors for similar collective actions against other companies.
6. April 2022
In the press release of the judgment of 5.4.2022, the ECJ has once again ruled that the collection of private communications data is unlawful without any reason or limit. This reinforces the rulings of 2014, 2016 and 2020, according to which changes are necessary at EU and national level.
In this judgment, the ECJ states that the decision to allow data retention as evidence in the case of a long-standing murder case is for the national court in Ireland.
Questions regarding this issue were submitted in 2020 by Germany, France and Ireland. The EU Advocate General confirmed, in a legally non-binding manner, the incompatibility of national laws with EU fundamental rights.
However, a first exception to data retention resulted from the 2020 judgment, according to which, in the event of a serious threat to national security, storage for a limited period and subject to judicial review was recognized as permissible.
Subsequently, a judgment in 2021 stated that national law must provide clear and precise rules with minimum conditions for the purpose of preventing abuse.
According to the ECJ, an without cause storage with restriction should be allowed in the following cases:
- When limited to specific individuals or locations;
- No concrete evidence of crime necessary, local crime rate is sufficient;
- Frequently visited locations such as airports and train stations;
- When national laws require the identity of prepaid cardholders to be stored;
- Quick freeze, an immediate backup and temporary data storage if there is suspicion of crime.
All of these are to be used only to combat serious crime or prevent threats to national security.
In Germany, Justice Minister Marco Buschmann is in favor of a quick freeze solution as an alternative that preserves fundamental rights. However, the EU states are to work on a legally compliant option for data retention despite the ECJ’s criticism of this principle.
Pages: 1 2 3 4 5 6 7 8 9 10 ... 14 15 16 Next