This newsletter presents a selection of legal news from June to December 2024 in the field of personal data protection.

1. CNIL decisions

The CNIL (French data protection authority) rules on the anonymization of health data

CEGEDIM provides a software package to general practitioners in exchange for the right to use the data the physicians record in it. This personal health data is then used for research and statistical purposes.
Applying the three robustness criteria set out by the Article 29 Working Party, namely singling out, linkability and inference, the CNIL considered in its deliberation of September 5th, 2024 that the data was not anonymous, since a patient could still be individualized in the dataset even though the original identifier had been replaced by a new user ID. Such data is at most pseudonymized and remains personal data.
The health data warehouse set up by CEGEDIM was therefore subject to the GDPR and required either a CNIL authorization or a declaration of compliance with one of the CNIL's reference frameworks. CEGEDIM was ordered to pay a fine of 800,000 euros.
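To make the singling-out and linkability criteria concrete, the following Python example (added here for illustration; it is not part of the CNIL decision or of CEGEDIM's software) builds a small constructed dataset of patient records whose identifiers have been replaced by random tokens, then checks whether any record can still be isolated through the quasi-identifiers that remain (birth year, postcode, sex). All field names and values are invented.

```python
from collections import Counter
import secrets

# Constructed sample extract (hypothetical): the patient identifier has already
# been replaced by a pseudonym, but quasi-identifiers remain in clear.
RECORDS = [
    {"pid": "p1", "birth_year": 1952, "postcode": "75011", "sex": "F", "diagnosis": "diabetes"},
    {"pid": "p2", "birth_year": 1952, "postcode": "75011", "sex": "F", "diagnosis": "asthma"},
    {"pid": "p3", "birth_year": 1989, "postcode": "69003", "sex": "M", "diagnosis": "hypertension"},
    {"pid": "p4", "birth_year": 1989, "postcode": "69003", "sex": "M", "diagnosis": "diabetes"},
    {"pid": "p5", "birth_year": 1955, "postcode": "75020", "sex": "F", "diagnosis": "asthma"},
]

# Attributes an adversary may know about a target from other sources.
QUASI_IDENTIFIERS = ("birth_year", "postcode", "sex")


def repseudonymize(records):
    """Replace every patient ID with a fresh random token (a 'new user ID')."""
    return [{**r, "pid": secrets.token_hex(8)} for r in records]


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that isolate exactly one record."""
    return [key for key, n in equivalence_classes(records, quasi_identifiers).items() if n == 1]


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k == 1 means someone can be singled out."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def linkable(release_a, release_b):
    """Number of records that can be joined across two releases through a shared pseudonym."""
    return len({r["pid"] for r in release_a} & {r["pid"] for r in release_b})


def generalize(records):
    """One mitigation: coarsen quasi-identifiers to birth decade and postcode prefix."""
    return [
        {**r, "birth_year": r["birth_year"] // 10 * 10, "postcode": r["postcode"][:2]}
        for r in records
    ]


if __name__ == "__main__":
    fresh = repseudonymize(RECORDS)
    # Swapping the identifier changes nothing for singling out: the same
    # quasi-identifier combination still isolates the same record.
    print("k before:", k_anonymity(RECORDS), "singled out:", singled_out(RECORDS))
    print("k after new IDs:", k_anonymity(fresh), "singled out:", singled_out(fresh))
    # A stable pseudonym links every record between two exports; a fresh one does not.
    print("linkable with same IDs:", linkable(RECORDS, RECORDS), "with new IDs:", linkable(RECORDS, fresh))
    # Only generalising the quasi-identifiers removes the unique record here.
    print("k after generalisation:", k_anonymity(generalize(RECORDS)))
```

The point the decision makes is visible in the numbers: a new user ID leaves k unchanged at 1 because the isolated record is identified by its attributes, not by its label, whereas generalising the attributes raises k to 2 in this toy set. Real assessments must also consider inference (what a class of k records reveals about all its members) and the adversary's actual background knowledge.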

Decision against a municipality for failure to appoint a data protection officer (DPO)

Article 37 of the GDPR sets out the cases in which the appointment of a DPO is mandatory, which include public authorities and bodies. The CNIL also recommends appointing a DPO even where the GDPR does not require one.
In the case of the municipality of Kourou, the CNIL decided in its deliberation of July 22nd, 2024 to settle (liquidate) the periodic penalty payment attached to its deliberation of December 12th, 2023.
This settlement coincides with the CNIL's investigation into changes in the role of the data protection officer. The procedure was closed on November 7, 2024, after the municipality of Kourou had paid two fines and complied with its obligation to appoint a DPO.

€240,000 fine for data scraping on the LinkedIn social network

Kaspr provided a tool built on a database of contact details "scraped" from LinkedIn, i.e. extracted automatically and in bulk from the website.
The company collected this data regardless of the visibility settings users had chosen for their contact information, which made part of the collection unlawful. It also breached the principle of storage limitation, since data was retained for five years from the last update of a profile, a period the CNIL found disproportionate, and it failed to inform the data subjects.
The CNIL imposed a fine of 240,000 euros together with several injunctions to be complied with within six months.

ORANGE fined 50 million euros

This penalty, imposed on 14 November 2024, concerns the insertion of advertisements between messages in users' inboxes within the email service provided by Orange.
The practice breached the obligation to obtain the prior consent of data subjects to electronic direct marketing (Article L. 34-5 of the French Postal and Electronic Communications Code, "Code des postes et des communications électroniques").

Twenty new penalties under the simplified procedure

When a case does not present any particular difficulties, the CNIL can resort to the simplified penalty procedure. The chairman of the restricted committee makes the decision alone, and no public hearing is held, speeding up the process compared with the ordinary procedure.
Since January 2024, the CNIL has issued 20 penalties under the simplified procedure – nine between January and June, and eleven between June and September.
The breaches sanctioned in these procedures concerned unlawful processing, failure to comply with the data minimisation principle, the use of cookies, failure to cooperate with the CNIL, failure to ensure data security, failure to respect individuals' rights, failure to inform people and the absence of a record of processing activities.

2. CNIL documentation

The CNIL takes a stand on generative AI

As the European regulation on AI enters into force, the CNIL is encouraging the use of methods that respect privacy and personal data.
The CNIL has taken a particular interest in generative AI, i.e. systems that produce text, images or other content. It issues numerous recommendations, in particular to choose a secure and robust system in line with the recommendations of ANSSI (the French national cybersecurity agency) on the security of generative AI, and to avoid feeding personal data into such systems wherever possible. Any transfer of data outside the EU must also be strictly framed by contract.

Update of the CNIL’s register of processing activities

Required by Article 30 of the GDPR, the record of processing activities is an obligation incumbent on every data controller (and on processors, for the processing they carry out on a controller's behalf), as part of the duty to document processing at the time it is carried out.
The CNIL is therefore setting an example by publishing its updated processing register.

Audit of the use of dark patterns by 26 authorities

26 supervisory authorities analysed a wide selection of websites and mobile applications to assess the use of dark patterns in Europe, i.e. deceptive design mechanisms that steer web users' choices.
In line with the observations of the other authorities, the CNIL found in particular that the interfaces were generally not conducive to good privacy protection and that account deletion procedures were too complex.
These observations will feed into guidelines or practical guides that may be published by individual data protection authorities or by the EDPB.

CNIL recommendations on open data

Following the public consultation conducted from August to November 2023, the CNIL compiled the 26 contributions received in order to prepare its deliverable on open data.
The CNIL has published information sheets for disseminators of open data, and information sheets for re-users of data published on the Internet, to enable them to reconcile the need to promote the use of public data with the protection of privacy.

The CNIL publishes a tool for monitoring Binding Corporate Rules

In accordance with Article 46(2)(b) of the GDPR, Binding Corporate Rules are an appropriate safeguard for transferring personal data outside the European Union.
Using questionnaires, groups that have adopted Binding Corporate Rules can now monitor their compliance and ensure that the Rules are deployed consistently across all entities of the group.

3. Legal and case law news – France

Rejection of request for deletion of a news article containing sensitive data in favor of French press law

An article on the website of a national television channel reported the assault of a mayor, mentioning the first and last names of the individual involved, his membership of an identity group, and his political beliefs, real or assumed. The individual requested the deletion of this data on the basis of Article 17 of the GDPR and Article 6 of the French "Informatique et Libertés" law.
The court ruled that this processing was lawful, as it involved providing contextual information linked to a nationally publicized event and was necessary for the exercise of the right to freedom of information (Paris Court of first instance, 30 October 2024, No. 24/56090).

Balancing a request for disclosure in the exercise of the right to evidence with the protection of personal data

Where the disclosure of documents containing personal data is requested in order to establish discrimination, the Cour de cassation requires the trial court (here the labour court) to verify that the disclosure is necessary and proportionate, to ensure compliance with the principle of data minimization by restricting the disclosure to what is needed, and to limit the purposes for which the disclosed data may be processed.
The disclosed data may therefore only be used in the context of the discrimination claim.

4. Legal and case law news – Europe / International

New standard contractual clauses announced by the European Commission for 2025

The European Commission has announced that it will publish, in the second quarter of 2025, standard contractual clauses for data access and use, applicable where a data importer located in a third country is itself subject to the GDPR.
A public consultation is planned for the fourth quarter of 2024.
These model clauses are intended to help small and medium-sized businesses draft and negotiate fair contractual terms for data sharing or for data hosted in the cloud.

Data transfers at the request of a third-country authority

The EDPB (European Data Protection Board) has published new guidelines on Article 48 of the GDPR, which concerns judgments and decisions of third-country courts and administrative authorities requiring the transfer or disclosure of personal data. The EDPB stresses that complying with such a request may constitute a transfer of personal data outside the EU. The controllers concerned must therefore be able to rely on both a legal basis for the processing and a transfer mechanism under Chapter V of the GDPR.

The CJEU (Court of Justice of the European Union) defines health data broadly

By a decision of October 4, 2024 (C-21/23), the CJEU ruled that data relating to an order for medicines placed by a customer of an online pharmacy constitutes health data within the meaning of Articles 4(15) and 9(1) of the GDPR, whether or not the medicines are intended for the customer's own use.
Whether data qualifies as health data is thus assessed on the basis of the probability, judged on objective elements, that it reveals information about a person's state of health. This broadens the range of data that may be so qualified.
The Court also confirmed that a competitor may bring an action based on unfair competition law against a company that fails to comply with its GDPR obligations.

Legality of the sale of personal data by a sports federation

By a decision of October 4, 2024 (C-621/22), the Court of Justice of the European Union, ruling on a request for a preliminary ruling, interpreted Article 6(1) of the GDPR as regards legitimate interest as a legal basis for processing.
It held that the sale of the personal data of a sports federation's members may be based on the federation's legitimate interest only if two conditions are met:

  • the processing is strictly necessary to achieve the legitimate interest pursued;
  • and the interests or fundamental rights and freedoms of the members do not override the legitimate interest of the federation.

The CJEU rules on limiting the use of personal data collected by social networks

Following a complaint by Maximilian Schrems against Facebook, the CJEU ruled on October 4, 2024 (C-446/21) on the use of personal data by this social network.
The Court held that the principle of data minimization precludes aggregating all the personal data obtained on or off the platform for the purposes of targeted advertising without any time limit and without distinction according to the nature of the data. It also held that the fact that a person has publicly referred to his sexual orientation, a sensitive category of data, outside the social network does not authorize the network to process other data relating to that orientation for targeted advertising.

Data transfers outside the EU: Uber fined €290 million (Dutch authority in cooperation with the CNIL)

On 22 July 2024, the Dutch Data Protection Authority, in cooperation with the CNIL, fined Uber B.V. and Uber Technologies Inc. €290 million for transferring personal data outside the European Union without appropriate safeguards.
The case originated in a collective complaint lodged with the CNIL by La Ligue des droits de l'Homme on behalf of more than 170 drivers using the Uber platform. As Uber's European headquarters are in Amsterdam, the CNIL worked with the Dutch authority, which led the investigation.
The Dutch authority found that drivers' personal data collected by Uber B.V. and Uber Technologies Inc. had been transferred to the United States without appropriate safeguards, in breach of Article 44 of the GDPR.

VINTED fined €2.3 million (Lithuanian authority in cooperation with the CNIL)

On 2 July 2024, the Lithuanian Data Protection Authority, in cooperation with the CNIL, fined VINTED UAB €2,385,276.
Following numerous complaints received in 2020, the CNIL collaborated with the Lithuanian data protection authority, as Vinted’s head office is located in Lithuania.
The investigations revealed several breaches of the GDPR:

  • the company refused to erase people's data on the sole ground that the applicants had not cited one of the criteria set out in the GDPR in their erasure request, and did not state all the reasons for the refusal;
  • the company was unable to prove that it had correctly responded to requests for the right of access;
  • the company unlawfully implemented 'stealth banning' (shadow banning), i.e. making users it deemed malicious invisible to others, without informing them.

This practice excessively infringed users' rights by preventing them from contacting customer support or exercising their rights.

The performance of a contract may constitute a lawful basis for processing personal data within the meaning of the GDPR

In joined cases C-17/22 and C-18/22, the CJEU addressed the lawfulness of processing personal data for the performance of a contract.
The Court examined the application of Article 6(1) of the GDPR and the circumstances in which the processing of personal data may be lawful, particularly in the absence of consent.
The Court considered that the performance of a contract is a lawful basis within the meaning of the GDPR, justifying the processing of personal data necessary for its performance.
Nevertheless, the Court emphasised that if the contract expressly prohibits the disclosure of personal data, such disclosure cannot objectively be considered essential to its performance.

Publication in the Official Journal of the European Union of Regulation 2024/1689 on artificial intelligence, commonly known as the AI Act

Regulation 2024/1689 on artificial intelligence, commonly known as the AI Act, was published in the Official Journal on 12 July 2024 and came into force on 1 August, 2024.
The requirements of the AI Act apply progressively according to a timetable starting on 2 February 2025 and ending on 2 August 2027.
The purpose of the AI Act is to regulate the development, placing on the market and use of artificial intelligence systems that may pose risks to health, safety or fundamental rights.
In parallel, the EDPB has published an opinion on developing AI responsibly in accordance with the principles of the GDPR.

The EDPB adopts a statement on the role of European data protection authorities under the AI Act

On 16 July 2024, the European Data Protection Board (EDPB) adopted a statement in which the European data protection authorities recall that they already have experience and expertise in dealing with the impact of artificial intelligence (AI) on fundamental rights, in particular the right to the protection of personal data, and that they should therefore be designated as market surveillance authorities for a number of high-risk AI systems.
The AI Act provides for the designation of one or more competent authorities to act as market surveillance authority, without specifying what kind of authority this should be.
The choice is left to each Member State, which must designate its authority by 2 August 2025.

Dutch data protection authority fines Clearview AI 30.5 million euros

On 3 September 2024, the Dutch Data Protection Authority fined the facial recognition company Clearview AI 30.5 million euros, with additional penalty payments due in the event of continued non-compliance.
The authority found that Clearview AI had unlawfully built a database of facial photographs without any legal basis.

Personal data supervisory authority not obliged to take corrective action

In a judgment of 26 September 2024, the CJEU ruled that a supervisory authority is not obliged to adopt a corrective measure, in particular an administrative fine, where such a measure is not necessary to remedy the shortcoming found and to ensure full compliance with the GDPR.
The case arose from a question referred by a German court on whether the data protection authority was required to take corrective measures against a bank one of whose employees had consulted a customer's personal data without being authorised to do so.

New guidelines on the notion of “tracking”

The notion of "tracking" is linked to Article 5(3) of the ePrivacy Directive, which protects information stored in a user's terminal equipment. The EDPB has adopted the final version of its guidelines on the technical scope of that provision, consolidating the draft published in 2023.
The main consequence is that most online tracking interactions are subject to the same rules as third-party cookies, so that alternatives to cookies used for targeted advertising follow the same regime, based on the principle of protecting the user's device (a mobile device or a computer, for example) against unwanted intrusion.

Article written by: Jeanne BRETON, Pierre-Emmanuel MEYNARD, Camille PECNARD and Léa RICHIER

Published on: 22 January 2025 (Categories: Publications)
