This LAVOIX newsletter presents a selection of legal news in the field of personal data protection for the period January – February 2023.
1. CNIL decisions
The CNIL sanctions the social network TIKTOK for infringing the rules applicable to cookies
In a decision dated December 29, 2022, the CNIL fined TIKTOK 5 million euros on the basis of Article 82 of the French Data Protection Act.
The CNIL accused TIKTOK of not allowing users to refuse cookies as easily as they could accept them, and of not informing them of the purposes for which cookies were set. In this case, several clicks were required to refuse cookies, whereas a single click was enough to accept them.
APPLE fined €8 million for non-compliant ad personalization methods
The digital giant has been sanctioned by the CNIL on December 29, 2022 for a breach of Article 82 of the French Data Protection Act.
The company allegedly failed to comply with its information obligation: when a user visited the Apple Store, their identifiers were automatically read and used to personalize the advertisements displayed in the application, without their prior consent. These identifiers were not necessary for the provision of the Apple Store service and therefore could not be used without the user’s prior consent.
In calculating the amount, the CNIL took into account, among other things, the scope of the processing limited to the Apple Store, the number of users concerned, the benefits derived and the compliance undertaken during the procedure.
VOODOO fined 3 million euros for failing to obtain user consent
On December 29, 2022, the CNIL sanctioned the smartphone games company for failing to comply with Article 82 of the French Data Protection Act and ordered it to obtain users’ consent before using their identifier for vendors (“IDFV”) for advertising purposes. The IDFV allows the publisher of an application on the Apple Store to track a user’s browsing across its applications in order to personalize the advertisements shown to them.
The order is accompanied by a penalty of 20,000 euros per day of delay.
The CNIL gives notice to two institutions for breach of the GDPR
At the end of 2022, following a complaint, the CNIL served formal notice on two post-secondary education institutions to comply with the GDPR within two months, concerning, among other things, the data retention period, insufficient information given to students about the collection of their data, and the security measures implemented.
Regarding the data retention period, the schools did not provide for a minimum retention period. In addition, the security measures for passwords were considered insufficient and did not comply with the CNIL recommendations.
2. CNIL documentation
The CNIL publishes the annual report on its enforcement activities in 2022
In 2022, the CNIL issued 21 sanctions, including 19 fines and two decisions to collect a penalty payment, for a total amount of 101,277,900 euros.
The decisions issued mainly concern failure to inform individuals, failure to respect their rights, failure to cooperate with the CNIL, breaches of personal data security, poor management of cookies and breaches relating to commercial prospecting.
The CNIL’s restricted panel handed down 17 of these sanctions under the simplified procedure introduced in early 2022 to accommodate the increase in complaints.
The CNIL also sent 147 letters of formal notice and studied 18 European cases.
Regarding the balance of sanctions imposed since the entry into force of the GDPR, the Data Protection Act and the ePrivacy Directive, the CNIL has issued fines for a cumulative amount of 500 million euros against companies of all sizes and in all sectors.
The CNIL assists recruiters in complying with the GDPR
On January 30, 2023, the CNIL published a Recruitment Guide to accompany professionals in the recruitment process, to help them comply with the GDPR and to face the rise of new technologies in the professional environment with the aim of protecting the privacy of candidates.
The guide is divided into two parts, one of which presents the fundamental principles of personal data protection in the form of fact sheets and the other offers more specific and practical questions and answers.
3. Legal and case law news – France
A contract for the development of a website can be cancelled on the basis of the GDPR
On January 12, 2023, the Commercial Chamber of the Grenoble Court of Appeal ruled that a contract for the provision of services could be cancelled for error on an essential quality of the website, as the contracting company could “legitimately expect that the website would not illegally collect personal data”.
In this case, the site allowed access to personal data without the information or consent of the individual, contrary to the site’s privacy policy. As a result, the contracting company was liable without having been informed of this by the service provider, even though this information was crucial to the conclusion of the contract.
4. Legal and case law news – Europe / International
META sanctioned by the Irish Data Protection Commission
The Irish Authority has issued two sanctions against the Meta group for unlawful processing and lack of transparency, with regard to the general terms and conditions of services providing for a contractual legal basis for processing, in particular for the distribution of personalized advertising.
The Authority considered that the legal basis for this processing could not be contractual. These sanctions were issued following the binding decisions adopted by the EDPB and published on January 12, 2023, regarding Instagram and WhatsApp.
The sanctions reached 210 million euros and 180 million euros. The Meta Group was given notice to comply with the GDPR within three months.
The Court of Justice of the European Union (CJEU) clarifies the scope of the information obligation
In a ruling dated January 12, 2023, the European judge recalled that every person has the right to know to whom their personal data has been disclosed. This right derives from the obligation to inform provided for in Article 15, §1, c) of the GDPR.
The Court clarifies, with regard to the right of access and the principle of transparency, that the controller has the obligation to provide the data subject with the identity of the specific recipients to whom the data have been disclosed. If the controller demonstrates that the access requests are manifestly unfounded or excessive, it may indicate only the categories of recipients involved.
The CJEU holds that the civil and administrative remedies provided for by the GDPR may be brought simultaneously
A second ruling of January 12, 2023 validates the simultaneous, concurrent and independent filing of two actions, one before an administrative court and one before a judicial court, pursuant to Articles 77, 78 and 79 of the GDPR, in light of the right to an effective remedy before a court.
It is therefore up to the Member States to ensure that the practical arrangements for exercising these remedies respect this fundamental right.
The CJEU upholds the non-compliance of the systematic collection of biometric data of an accused person
The Court ruled on January 26, 2023 that Bulgarian national law providing for the collection of genetic and biometric data of persons under investigation, and their entry in a police record, was not compliant with Directive (EU) 2016/680 of April 27, 2016.
These data are qualified as sensitive, and must therefore benefit from an increased protection regime. They can only be processed if absolutely necessary, in accordance with the principles of lawfulness and minimization.
The Court concluded that a forced and systematic collection of genetic and biometric data of any person under investigation does not comply with European Union law.
The CJEU clarifies the status of the Data Protection Officer (DPO)
In a ruling of February 9, 2023, the CJEU ruled on the protected status of the DPO, particularly in the event of conflicts of interest. It held that a conflict of interest can be characterized “where a data protection officer is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor”. This clarification must now be taken into account by data controllers and processors when choosing their DPO.
The same ruling also held that national legislation may provide that a DPO who is a member of staff can be dismissed only for just cause, even where the dismissal is not related to the performance of that officer’s tasks.
This ruling should be seen in conjunction with a recent decision of the French Conseil d’Etat, which had defined the DPO’s conflict of interest in a casuistic manner.
The new standard contractual clauses of the European Commission have entered into force
As of December 27, 2022, the updated version of the standard contractual clauses proposed by the European Commission must be used, and the clauses must be signed again where the old version served as the basis for the lawfulness of a transfer outside the European Union.
This update is a result of the Schrems II ruling of July 16, 2020, in which the CJEU clarified that the importer and exporter of data must provide for additional measures if they find that in practice the safeguards provided by the standard contractual clauses are not sufficient.
Publication of the guidelines on “dark patterns” or deceptive designs
The EDPB has published the final version of its guidelines on dark patterns.
The guidelines are intended to help designers and social network users recognize these deceptive practices. The EDPB points to overloading the site with requests, encouraging users to unintentionally authorize data processing, prompting user choice by appealing to their emotions, or hindering data management by making certain actions difficult.
Article written by: Caroline ALET, Jeanne BRETON, Claire GOURJON, Pierre-Emmanuel MEYNARD and Camille PECNARD