Data Protection November-December 2021
This bimonthly LAVOIX newsletter presents a selection of legal news in the field of personal data protection for the period November-December 2021.
1. CNIL decisions
The CNIL fines Google 150 million euros and Facebook 60 million euros for failing to comply with their cookies obligations
In a decision dated December 31, 2021, the French Data Protection Authority (CNIL) found that Google LLC and Google Ireland Ltd. failed to comply with their obligations regarding cookies.
The CNIL received several complaints about the refusal of cookies on the websites google.fr and youtube.com available to users located in France.
The CNIL fined Google LLC 90 million euros and Google Ireland Ltd 60 million euros.
In a decision dated December 31, 2021, the CNIL considered that Facebook Ireland Ltd committed a similar breach and imposed a fine of 60 million euros.
The CNIL fines Free Mobile 300,000 euros for breach of data subject rights and personal data security
On December 28, 2021, the French Data Protection Authority (CNIL) ruled that the cell phone operator Free Mobile failed to comply with data subject rights, privacy by design and data security obligations.
The CNIL received several complaints concerning difficulties encountered by data subjects in exercising their right to access or object to receiving marketing messages.
Following an on-site inspection and an inspection of documents, the CNIL found that Free Mobile failed to comply with the GDPR.
As regards breaches of data subject rights (right of access and right to object), the CNIL found that Free Mobile did not reply to data subjects’ requests in due time, and that it did not take into account data subjects’ requests to stop receiving marketing messages.
As regards security breaches, it found that Free Mobile failed to ensure the protection of data by design, since Free Mobile kept sending invoices to users who had terminated their subscription. It was also found that Free Mobile sent users their passwords in clear text, and that these passwords were neither temporary nor dedicated to one-time use, and were not required to be renewed.
CNIL fines Slimpay 180,000 euros for insufficient protection of personal data and failure to notify a data breach
On December 28, 2021, the French Data Protection Authority (CNIL) ruled that Slimpay, a certified payment company that offers recurring payment solutions, had committed several data security breaches.
The CNIL found that Slimpay failed to comply with the obligation to provide a formal legal framework for the processing operations carried out by a processor, due to the absence of all or part of the mandatory provisions of Article 28 of the GDPR within the agreements concluded between Slimpay and its processors.
The CNIL also found several data security breaches, as well as a breach of the obligation to inform data subjects of a personal data breach. The CNIL was notified of this breach.
2. CNIL documentation
The CNIL publishes a guide for data protection officers
The CNIL published in November 2021 a practical guide gathering the main knowledge and good practices intended to help organizations and support DPOs.
This guide addresses four points (the role of the DPO, the appointment of the DPO, the exercise of the DPO's function, and the support of the DPO by the CNIL), illustrated by concrete cases and answers to the most common questions, and provides a template mission letter.
The CNIL publishes a practical guide for associations
In November 2021, the CNIL published a new GDPR awareness guide for associations, intended to support them in their compliance process.
This guide explains the main principles to comply with and provides a corresponding action plan, giving practical examples for different sectors (charity, sports, social, etc.).
The CNIL adopts a reference framework for health data warehouses
In November 2021, the CNIL adopted a reference framework on the processing of personal data implemented for creating data warehouses in the health sector, following a public consultation.
Health data warehouses are databases intended to be used for research, studies or evaluation in the health field. The processing associated with these warehouses may be subject to prior authorization by the CNIL.
This reference framework is dedicated to data processors who wish, in the context of their public interest missions, to collect data and re-use them for the purposes mentioned above.
This reference framework allows organizations wishing to implement a data warehouse compliant with the reference framework not to seek prior authorization from the CNIL, provided they comply with this text.
The CNIL publishes a new GDPR guide for developers
In December 2021, the CNIL published a new version of its guide to assist developers in web or application project development.
This guide contains 18 thematic sheets offering advice and best practices at every stage of development. For example, the guide helps developers to identify and minimize personal data, secure sites/applications/servers, take into account the legal bases in the technical implementation, manage the exercise of data subject rights and storage periods, analyze cookies on sites/applications, and prevent computer attacks.
This open source guide is available on GitHub. It is published under the GPLv3 license and under the Open Licence 2.0, allowing everyone to contribute to it.
3. Legislative and case law news – France
The French Supreme Court specifies the conditions for using video surveillance images as evidence obtained in an illicit manner by an employer
In a decision dated November 10, 2021, the Labour Law Chamber of the French Supreme Court balanced the protection of personal data against the right to evidence in the context of a dismissal procedure.
An employee was dismissed for gross misconduct based on facts recorded by video surveillance images. The employer had notified the employees of the cameras only after their installation and had specified that the video surveillance system was used for security purposes only.
The Court of Cassation specifies that the unlawfulness of a means of evidence "does not necessarily entail its rejection from the debates".
It indicates that the judge must "assess whether the use of this evidence has undermined the fairness of the proceedings as a whole, by balancing the right to respect for the employee's personal life and the right to evidence, which may justify the production of elements infringing an employee's personal life, provided that such production is essential to the exercise of this right and that the infringement is strictly proportionate to the aim sought".
Integration in the Consumer Code of concepts relating to the protection of personal data
Order No. 2021-1734 of December 22, 2021 amends the Consumer Code in order to incorporate concepts relating to the protection of personal data with respect to the provision of digital content without a physical medium or a digital service (Articles L. 221-I, III and L. 221 26-1, I and II).
The provisions of this order will come into force on May 28, 2022.
This is in line with the integration into the Consumer Code of the concept of personal data and corresponding obligations of professionals, in particular within the preliminary article, as well as articles L.111-1 and L.112-4-1 (information obligation) and L. 217-6 (lack of conformity), applicable as of January 1, 2022.
The French Parliament (Assemblée nationale) adopts at first reading the bill for the implementation of a "cyberscore"
On November 26, 2021, the National Assembly adopted at first reading the bill "for the implementation of a cybersecurity certification of digital platforms intended for the general public", adopted by the Senate in October 2020.
The text suggests the insertion of a new article L.111-7-3 in the Consumer Code, in order to impose new cybersecurity obligations on major digital platforms, messaging services and video conferencing sites, whose activity would exceed one or more thresholds defined by decree.
These operators would have to undergo a security audit carried out by service providers qualified by the ANSSI, covering the "security and location of the data they host, directly or through a third party, and their own security", and would then have to inform Internet users of the results of that audit.
The result of the audit would be "presented to the consumer in a readable, clear and understandable way and [would be] accompanied by a complementary presentation or expression, by means of a colorful information system", similar to the Nutriscore for food products.
4. Legislative and case law news – Europe
EDPB’s draft guidelines on international data transfers
On November 18, 2021, the European Data Protection Board (EDPB) published draft guidelines on the articulation between Article 3 of the GDPR (territorial scope) and Chapter V of the GDPR (transfers of personal data outside the EU), subject to consultation until the end of January 2022.
This text aims to help professionals identify whether a processing operation constitutes a transfer to a third country or an international organization and, consequently, whether they are required to regulate this transfer in accordance with Chapter V of the GDPR.
The EDPB identified three cumulative criteria to qualify such a transfer. The controller or processor must be subject to the GDPR under Article 3. That controller or processor ("exporter") must disclose by transmission or otherwise make the data available to another controller or processor ("importer"). The importer must be located in a third country or be an international organization, regardless of whether that importer is subject to the GDPR for that processing.
The ECJ considers advertisement displayed in an email inbox as marketing communications
In a decision dated November 25, 2021, the European Court of Justice (ECJ) held that the display of advertising messages in an electronic inbox in a form similar to that of real emails should be considered a "use [...] of email for the purposes of direct marketing" within the meaning of the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC).
The ECJ considers that such communications constitute "persistent and unwanted solicitations" in the absence of consent given by the user prior to such display.