This quarterly LAVOIX newsletter presents a selection of legal news in the field of personal data protection for the period of March-May 2023.
1. CNIL decisions
CNIL terminates proceedings against FREE
In a deliberation dated March 20, 2023, the CNIL closed the injunction procedure that had been announced on November 30, 2022. The injunction concerned the access rights of certain complainants, in particular the identity of a data broker.
The penalty payment was not liquidated, as FREE demonstrated that it was materially impossible to comply fully with the injunction.
This closure of the injunction raises the question of the relevance of the requirement for traceability of the data chain (in line with the principle of transparency) alongside the principles of minimization and limitation of data retention, the latter having been given priority in this case.
CityScoot fined 125,000 euros
The self-service scooter rental company has been flagged by the CNIL for infringement of the principle of minimization, insufficient supervision of subcontracting relationships, and a lack of information and legal basis with regard to the deposit of cookies.
The French Data Protection Authority (CNIL) reiterates the need to classify as personal data any database that combines information relating to an identified or identifiable individual. Geolocation data is qualified as “highly personal data“, in the words of the EDPS (European Data Protection Committee). Lastly, the validity of subcontracting agreements depends on their content, which must include all the mentions required by the GDPR in a sufficiently precise and appropriate manner.
Liquidation of penalty payment against CLEARVIEW AI
The CNIL previously issue a decision on October 17, 2022 against the facial recognition software developer. In view of the persistence of the breaches, the CNIL ordered the company to comply with the GDPR, this injunction being accompanied by a “fine of 100,000 euros per day of delay, to be paid within two months“.
CNIL found that the shortcomings had not been corrected.
By the deliberation of April 17, 2023it therefore liquidated the penalty for a total amount of 5,200,000 euros.
2. CNIL documentation
CNIL publishes a new version of its data security guide
In 17 thematic sheets, CNIL has updated the practical guide to personal data security. This update takes into account its latest recommendations.
Intended for data controllers and subcontractors, this guide explains all the precautions to be taken in this area, including user authentication measures (sheet no. 2), access traceability in multi-user systems (sheet no. 4) and technical IT security measures (sheets nos. 15 and 17).
CNIL publishes a thematic dossier on digital identity
In the form of a thematic dossier, a new medium for the authority, we present the state of play, the issues at stake and the CNIL’s recommendations on digital identity.
Digital identity is defined as “a set of attributes associated with a physical person, enabling that person to be linked to other data“. This includes, for example, Assurance Maladie, France Connect and the new electronic national identity card, known as “France Identité”. The CNIL has issued a positive opinion on the latter, on condition that it is not made compulsory: this system enables the persons concerned to divulge only a selection of information, and would improve the security of procedures.
3. Legal and case law news – France
The French Supreme Court reminds us of the balance between the right to data protection and the right to evidence
To verify the existence of potential wage discrimination, an employee requested a copy of his colleagues’ personal data, i.e. their pay slips.
The social chamber strictly interprets recital 4 of the GDPR, to then apply the right to evidence and holds: “this communication of elements infringing on the personal lives of other employees was indispensable to the exercise of the right to evidence and proportionate to the aim pursued, i.e. the defense of the employee’s legitimate interest in equal treatment between men and women in matters of employment and work“.
72-hour deadline for filing a claim and receiving compensation from your insurer in the event of a cyber-incident
An increasing number of insurance policies cover the risk of cyber-incident. The new article L. 12-10-1 of the French Insurance Code adds a duty to file a complaint with the competent authorities within 72 hours in order to receive compensation.
With a view to simplifying procedures for victims of personal data breaches, this new provision enables exact alignment with Article 33 of the GDPR, which already provided for a 72-hour deadline for notifying the CNIL of such a breach.
Conseil d’Etat orders CNIL to give Google formal notice to dereference a press article
Exercising his right to data deletion, an applicant had referred the matter to the CNIL, which had refused to give Google formal notice to delete a press article dating from 2017 and relating facts from 2014 on a criminal conviction.
In a ruling handed down on April 20, 2023, the Conseil d’Etat overturned the CNIL’s decision. In particular, it ruled that the article did not contribute to public debate, as the person concerned was not particularly well-known, and the article did not describe the current legal situation.
4. Legal and case law news – Europe / International
Public school education broadcast live is subject to the GDPR
In Germany, the live broadcasting of courses via videoconferencing required the consent of students or their representatives, without requesting the consent of teachers to the processing of their personal data. The national administrative court had doubts about the compatibility of the specific national regulation with Article 88 of the GDPR, which concerns the processing of data in the context of employment relationships. It therefore referred the matter to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
In a ruling dated March 30, 2023, the Court confirms that the processing operations at issue are subject to the GDPR. The Court then considers that a national regulation cannot constitute a more specific rule within the meaning of Article 88 (1) of the GDPR if the conditions of Article 88 (2) of the GDPR are not met. Finally, where those conditions are not met, the national court seized must verify that the processing does indeed have a legal basis under the national regulation in question.
The personnel register can be used as a evidence, while preserving the right to protection of personal data.
On March 2, 2023, the CJEU continued its trend of balancing rights: in this case, the right to evidence and the right to data protection.
It holds that the production of the personnel register for tax audit purposes (thus different from the initial purposes of collecting the data in question) may be valid if the conditions of Articles 6(3) and 6(4) of the GDPR are met, namely that it is based on national law and constitutes a necessary and proportionate measure in a democratic society. The national court is required to take into consideration, in each individual case, the interests of the data subjects, and in particular the requirements arising from the principle of data minimization.
The classification of personal data may depend on the entity processing it
The CJEU ruled on April 26, 2023 that the EDPS had criticized the SRB (Single Resolution Board – resolution authority of the European Banking Union) for having communicated data to the firm Deloitte without informing the persons concerned: the firm would have had access to answers to questionnaires, containing alphanumeric codes.
The CJEU considers that this information requirement should have been assessed from Deloitte’s point of view, and not that of the SRB: the EDPS should have investigated whether the firm had legal and feasible means of re-identifying the authors of the comments. In this case, such means would have been, for example, the alphanumeric code correspondence tables.
The CJEU clarifies the contours of the right of access
In a judgment of May 4, 2023the CJEU clarified Article 15, (3) of the GDPR, relating to data subjects’ right of access.
It confirms its interpretation of the scope of documents that can be copied: “the reproduction of extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing may prove to be essential[…], where the contextualisation of the data processed is necessary in order to ensure the data are intelligible.[…], the context in which the data are processed is an essential element in enabling the data subject to have transparent access and an intelligible presentation of those data.” (§ 41 and 42)
The referring court also asked for a definition of the term “information” in this article 15, (3). The CJEU replied that such information is necessarily limited to the personal data of the data subject, regardless of form: the fact that it is metadata is irrelevant, subject to verification that it is indeed personal data (§ 49-51).
EDPS adopts guidelines on right of access
These guidelines specify how the right of access, provided for in Article 15 of the GDPR, is to be implemented.
They specify the principles that must guide this right: provision of complete and correct information, time indicators and compliance with cyber-security requirements. They go on to give practical recommendations to data controllers who have to respond to a request for access, in terms of the most appropriate means of access, the format of the information, and the response time.
Supervisory authorities’ reaction to ChatGPT
Several supervisory authorities have taken an interest in the recent conversational artificial intelligence tool, which allegedly collects personal data in order to “train” itself for further development, or fails to restrict access when used by minors.
The British and Italian Authorities have issued warnings, while the Canadian Authority announced that it had opened an investigation.
Article written by: Caroline ALET, Jeanne BRETON, Pierre-Emmanuel MEYNARD and Camille PECNARD