This newsletter presents a selection of legal news in the field of personal data protection for the year 2023-2024.
1. CNIL decisions
The PAP company fined 100,000 euros.
In a deliberation dated 31 January, 2024, the CNIL (French Data Protection Authority) sanctioned the company specialised in real estate ads between private individuals on the basis of Articles 51-e) (limit of the data storage period), 13 (information to those concerned), 28 (obligation to conclude a legal act framing relations with subcontractors) and 32 (security of processing) of the GDPR.
In particular, the authority penalized non-compliance with the obligation to limit the length of the time personal data is stored, coupled with the obligation to keep written records of contracts concluded online with consumers, involving sums equal to or greater than 120 euros (articles L. 213-1 and D. 213-1 of the French Consumer Code). The authority also checked the privacy policy on the company’s website, noting imprecise information on the legal bases, inaccurate information on the list of sub-contractors receiving data and storage periods, and incomplete information on the right to lodge a complaint with the CNIL.
CNIL cookie control: Yahoo and NS Cards sanctioned.
In two deliberations dated 29 December, 2023, the CNIL monitored the processing of data linked to cookies and tracers.
The NS Cards company, editor of an online payment application, was sanctioned both on the basis of the GDPR, as part of the “one-stop shop” mechanism, and on the basis of the French Data Protection Act. It was found that i) there was no limitation of the duration of data storage, ii) the privacy policy was incomplete, outdated and provided in English only for a predominantly French-speaking audience, iii) security measures concerning passwords were too weak, iv) and there were breaches relating to cookies and tracers.
Following 27 complaints, the CNIL fined the search engine YAHOO 10 million euros: the authority noted that cookies were deposited without the Internet user’s consent, and that Internet users were encouraged not to withdraw their consent by announcing that it would be impossible to access certain services.
Amazon fined for “disproportionate computer surveillance of employees”.
After more than four years of proceedings, the CNIL imposed a penalty of 32 million euros on Amazon France Logistique. The subsidiary’s employees use scanners in their warehouses to track the reception, storage and packaging of products.
The CNIL sanctioned Amazon for lack of legal basis, by balancing the interests at stake and noting the negative consequences of the intrusive continuous monitoring of employees. Amazon was also sanctioned for the use of very detailed data, without justification (infringement of the principle of minimization), and for infringement of the principle of limiting the duration of data storage (in this case 31 days).
CANAL+ sanctioned for telephone prospecting.
In a deliberation dated 12 October, 2023, the TV broadcasting company was fined €600,000, on the basis of the GDPR and Article L. 34-5 of the French Post and Electronic Communications Code.
Following inspections, the CNIL noted in particular that CANAL+ was failing in its obligation to inform the persons concerned in the case of telephone calls not subject to the prior consent of the person concerned. The person concerned should be informed at the latest at the time of the call, and in particular of the identity of the recipients to whom the data are transmitted.
CNIL controls excessive data collection.
SAF LOGISTICS, an airfreight company, was collecting data relating to the private lives of its employees, via a form intended for the internal recruitment process. The CNIL carried out an on-site inspection.
In a decision dated 18 September, 2023, the company was sanctioned for failure to comply with the principle of minimization, in view of the excessive collection of information on its employees, and in particular of so-called “sensitive” data, in this case the consultation of criminal records and the processing of data relating to offenses. The company was also sanctioned for failing to cooperate with the CNIL.
Control of consent in the context of commercial prospecting
On 31 January 2024, the CNIL imposed penalties of 310,000 euros on FORIOU, and 525,000 euros on HUBSIDE.STORE on 4 April 2024.
Both companies based their processing of personal data on consent obtained by data brokers. The CNIL considered that the data collection forms were misleading, so that the consent could not be considered valid, and that the data processing was now being carried out without a legal basis.
Consent is considered valid when it is free, specific, informed and unambiguous (articles 4 and 7 of the GDPR). Therefore, the highlighting of certain buttons in a way that is disproportionate to the options for not transmitting personal data and that strongly influences the user’s consent does not constitute valid consent.
2. CNIL documentation
CNIL reviews its repressive action for 2023.
The French Data Protection Authority published its enforcement statistics. It issued 42 sanctions, with fines amounting over 89 million euros. This year, the CNIL focused primarily on data security violations.
Without systematically involving sanctions, the CNIL also issued 168 formal notices, compared with 147 the previous year. Its repressive action enabled it to investigate over 16,000 complaints and carry out 340 inspections.
CNIL announces its priority control themes for 2024.
In a public communication dated 8 February, 2024, the CNIL announced the themes on which it will be focusing soon.
These will include data collection for the Olympic Games, data collected online from minors, loyalty programs and dematerialised sales receipts, and data subjects’ right of access (action coordinated by the EDPB with the CNIL’s European counterparts, with a view to harmonisation).
CNIL updates its cybersecurity guide
In March 2024, the CNIL published a new version of its guide to personal data security, to help data controllers and processors comply with the obligation arising from Article 32 of the GDPR.
The guide is structured around 25 sheets: 5 new sheets have been added compared with the previous version, on the cloud, mobile applications, artificial intelligence, APIs and data security management.
3. Legal and case law news – France
The Conseil constitutionnel rules that the remote activation of electronic devices without the owner or possessor’s knowledge violates the right to privacy.
In a decision dated 16 October, 2023, the Conseil constitutionnel (French Constitutional Council) ruled on the Ministry of Justice’s 2023-2027 Orientation and Programming Act, censuring article 6 of the Act.
Article 6 authorised the remote activation of electronic devices without the owner or possessor’s knowledge, for the purposes of real-time location, sound recording and image capture.
The Conseil constitutionnel ruled that this measure was not proportionate to the aim pursued.
CNIL’s rejection decision resulting from its silence for three months.
In a ruling handed down on 24 July, 2023, the Conseil d’Etat (French highest administrative jurisdiction) rejected two appeals lodged against the CNIL on grounds of misuse of power.
The first action challenged the CNIL’s implicit rejection of its complaint, while the second sought the annulment of the explicit decision closing the complaint. The Conseil d’Etat recalled that the CNIL’s silence on a complaint during three months is equivalent to a decision to reject the complaint. Contrary to the claimant’s assertion, it considered that the CNIL responded to all its requests.
Finally, with regard to the request for annulment of the decision, the Conseil d’Etat recalled, before rejecting the applicant’s appeal that the CNIL has broad discretionary powers with regard to requests for access. Thus, the Conseil d’Etat ruled that the CNIL had not tainted its decision with an error of assessment in considering that the employer had responded in full to the applicant’s request for access to its personal data.
The Conseil d’Etat dismisses Clever Cloud’s appeal
On 21 December 2023, the CNIL issued a decision authorising Microsoft to host healthcare data as part of the Health Data Hub.
A number of associations and companies, including Clever Cloud, lodged an appeal against this decision, in its capacity as a company marketing a secure cloud data hosting solution. On 22 March 2024, the Conseil d’Etat issued a summary judgment. It stated that none of the applicants had provided a solution that met the technical and time constraints of the Health Data Hub, that the authorisation granted by the CNIL did not prevent the development of alternative solutions, that the processing would comply with the principle of minimisation, and that the data would be stored in France. The request to suspend the authorisation was therefore rejected.
4. News from other data protection authorities
Dutch data protection authority fines Uber 10 million euros.
In a decision dated 11 December, 2023, the Dutch authority fined Uber 10 million euros on the basis of Articles 12 and 13 of the GDPR.
More than 170 French drivers complained to the Ligue des droits de l’Homme (Human Rights League) about difficulties in exercising their rights to protect their personal data. The Ligue des droits de l’Homme then lodged a complaint with the CNIL. As Uber has its European headquarters in the Netherlands, this complaint was forwarded to the Dutch authority.
The fine follows the company’s failure to disclose all information relating to data storage periods for European drivers, and to name the non-European countries in which it shares such data. The Dutch authority also found that Uber had hindered the efforts of data subjects to exercise their rights.
The Italian authority warns against anonymization by aggregation.
In a decision dated 18 July, 2023, the Italian authority pointed out that anonymization through data aggregation does not guarantee against new identification of individuals.
Thus, in order to guarantee the anonymization of data that could be published during research projects, the number of statistics shared had to be significantly lower than the number of variables intended for disclosure.
The distribution of a limited number of statistics avoids the possibility of identifying the individual subjects in the sample using mathematical calculations.
TikTok fined 345 million euros by the Irish authorities.
In a decision dated 1 September, 2023, the Irish authority sanctioned TikTok after finding a breach by the company of Articles 5(1)(a), 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1) and 13(1)(e) of the GDPR.
The penalty comes following an investigation carried out between July and December 2020 during which the Irish authority found several breaches of the GDPR. Indeed, minors’ profiles were made public by default and “pop-up” windows made it more difficult to access privacy settings.
The decision also highlights the fact that the “Family Pairing” mode enabling parents to link their TikTok profile with that of their child was not strict enough. TikTok did not check whether the parent’s account was actually that of the parent.
The CNIL has already fined the company 5 million euros in 2022 for data processing linked to cookies and trackers.
Finnish authorities penalise failure to define personal data retention period
The Finnish online retailer Verkkokauppa.com was fined 856,000 euros by the Finnish authorities on 6 March 2024.
The company required users to create an account before making a purchase on the site, and did not define any data retention period. The authority considered that the fact that customers could request the deletion of their data at a later date was not sufficient and did not satisfy the obligation to limit processing resulting from article 5.1-e) of the GDPR.
5. Legal and jurisprudential news – Europe and international
The CJEU rules on the safety obligation and the right to compensation of the persons concerned.
As part of a cyber-attack, several million people had fallen victim to the disclosure of their personal data on the internet. The CJEU clarifies that a data breach is not sufficient to characterize a breach of the data security obligation, as the GDPR introduces a risk management regime. On the other hand, it is up to the data controller to prove compliance with the GDPR with regard to the security measures chosen (Articles 5 and 24 of the GDPR).
The CJEU also rules on compensation for non-material damage, considering that the fear of potential misuse of personal data through the loss of control over the data alone constitutes moral damage (Article 82 of the GDPR) (CJEU, 14 December, 2023, C-340/21).
Clarification of the system of administrative fines and qualification of data controller even in the absence of direct processing.
The CJEU has reiterated that any person who influences the processing of data for his or her own purposes, and thus participates in determining the purposes and means of that processing, may be considered a controller (Article 4 of the GDPR) even when he or she has not processed the data himself or herself.
The same decision specifies that an administrative fine can only be imposed on a data controller if it is established that it has committed, deliberately or negligently, a breach of the GDPR (Article 83 of the GDPR). This is the case where the controller could not have been unaware of the infringing nature of its conduct, whether or not it was aware of the infringement (CJEU, 5 December, 2023, C-683/21).
According to the CJEU, a credit “score” is a decision based exclusively on automated processing where that decision produces significant effects.
The CJEU rules for the first time on the application of Article 22 of the GDPR as applied to “scoring”. The question was therefore to determine whether this practice fell within the regime of decisions based on automated processing of personal data.
By qualifying the result of calculating a person’s creditworthiness as a decision, the CJEU holds that this “scoring” processing is indeed profiling, entailing significant effects (namely the conclusion, performance or termination of a contractual relationship with a third party) for the data subject, subject to Article 22 of the GDPR (CJEU, 7 December, 2023, C-634/21).
The provision of Vehicle Identification Numbers (VINs) by car manufacturers to independent operators is a “legal obligation” within the meaning of the GDPR.
The CJEU classifies VINs as personal data within the meaning of Article 4 GDPR, once there are reasonable means of linking them to an identified or identifiable natural person. It deduced that VINs must be processed in compliance with the GDPR, involving in particular their availability to independent market operators to enable them to manage vehicle repair and maintenance. This provision is a legal obligation within the meaning of Article 6§1 of the GDPR (CJEU, 9 November, 2023, C-319/22).
The data controller must provide the data subject with an initial copy of the data free of charge.
The CJEU holds that the data controller must provide the data subject with an initial copy of his or her data free of charge, without demanding reasons for the access request. In accordance with Article 15 §3 of the GDPR, the right to obtain a copy of data implies that a faithful and intelligible reproduction of all such data is provided. In the case of health-related data, the copy must reproduce data from the medical file, containing information relating in particular to diagnoses, test results, opinions of treating physicians, or any treatment or intervention administered.
However, the CJEU points out that this right is not absolute and must be balanced with the economic interests of data controllers (misuse of the right of access, manifestly unfounded or excessive request) (CJEU, 26 October, 2023, C-307/22).
EDPS makes Meta’s ban on targeted advertising without prior consent permanent
Under the urgent procedure provided for in Article 66 of the GDPR initiated by the Norwegian Data Protection Authority, the EDPS concludes that Meta is in breach of Article 6 §1 due to the use of personal data, including information relating to users’ location and interactions with advertising content, for targeted advertising purposes. The EDPS makes Meta’s ban on targeted advertising without prior consent permanent (EDPS, urgent binding decision, 7 December, 2023, 01/2023).
Adoption by the European Parliament and entry into force of the Data Act
Regulation (EU) 2023/2854 of 13 December, 2023 on fair access to and fair use of data came into force on 11 January, 2024 and will be applicable from 12 September, 2025. It comes in the context of the development of the “Internet of Things” and aims to establish harmonized rules to enable a fair distribution of the value of data generated by these products and related services.
The CJEU rules on IAB Europe’s liability
IAB Europe proposes a cookie acceptance system, made available to its members to facilitate the management of consent. In particular, this system contains rules on consent itself, binding technical rules, and rules on how data is stored.
The CJEU held that the result is that the IAB is jointly responsible for determining the purposes and means of processing with the members of the organization. However, this responsibility does not extend to subsequent processing by third parties of user preferences for the purposes of targeted advertising (CJEU, 7 March 2024, C-604/22).
The oral communication of personal data is subject to the GDPR
Endemol Shine Finland made an oral request for the disclosure of data on a third party’s current or past criminal convictions. The Finnish national court refused to disclose the data.
The CJEU held that such oral communication constitutes processing of personal data within the meaning of the GDPR, so that the request for communication of criminal convictions can only be granted if the applicant can demonstrate a specific interest (CJEU, 7 March 2024, C-740/22).
The EDPB issues its opinion on the “consent or pay” model
On 17 April 2024, the European Data Protection Board (EDPB) issued its opinion on paywalls, i.e. the system whereby the only alternative to processing personal data for targeted advertising purposes is for users to pay for the service.
The EDPB considered that this system did not allow for genuine consent and recommended that online platforms provide another alternative, for example a free option devoid of behavioral advertising, such as contextual advertising.