DATA PROTECTION
March-April 2022
This bimonthly LAVOIX newsletter presents a selection of legal news in the field of personal data protection for the period March-April 2022.
1. News from the CNIL
The CNIL publishes a practical guide for data protection officers (DPO)
The CNIL develops four topics in the form of concrete questions and reflection methodologies: the role of the DPO, the appointment of the DPO, the exercise of the DPO's functions, and the support of DPOs by the CNIL.
A model letter of mission (page 45) and a user’s guide to the DPO appointment tool (page 47) are attached.
Three organizations are given formal notice for the disclosure of marketing data between partners without obtaining consent
The CNIL has issued a formal notice to three organizations that were collecting the contact details of individuals and transmitting them to partners wishing to carry out marketing communications by text message and email, without obtaining the prior consent of the data subjects.
The CNIL stated that the targeted organizations have three months to comply.
The CNIL has fined DEDALUS Biologie 1.5 million euros (leakage of medical data of nearly 500,000 people)
By decision of April 15, 2022, the company DEDALUS, which develops and markets software solutions for biological analysis laboratories, was fined 1.5 million euros by the CNIL for breach of its obligation to ensure data security under Article 32 of the GDPR, as well as under Article 29 (obligation of the processor to follow the instructions of the controller) and Article 28 of the GDPR (obligation to provide a legal framework for the relationship between the processor and the controller).
This sanction follows a data breach reported in February 2021, which led to several CNIL inspections and, following a CNIL referral, to the Paris judicial court blocking access to the site disclosing the data in question.
The injunction pronounced against SPARTOO is closed
In addition to paying a fine of 250,000 euros, the company had to bring itself into compliance with the GDPR in order to respect the principles of data minimization (Article 5.1(c) of the GDPR), limited data retention (Article 5.1(e) of the GDPR) and purpose limitation (Article 5.1(b) of the GDPR), to inform employees and customers (Article 13 of the GDPR), and to adopt appropriate security measures (Article 32 of the GDPR).
The CNIL considered that the measures taken were adequate and therefore suspended the injunction.
The CNIL publishes tools on AI to help professionals comply with the GDPR
The CNIL supports professionals implementing personal data processing based on artificial intelligence tools. To that end, it has decided to make available specialized guides and articles, to be extended and updated over time, notably on artificial intelligence, GDPR compliance specific to this field, and self-assessment methods.
Data controllers and processors are invited to use clearer terminology
In order to comply with the principle of transparency, Article 12 of the GDPR requires that information be provided in "concise, transparent, understandable and easily accessible terms".
Considering that the public may misunderstand legal terms, the CNIL thus provides precise details and examples of clearer wording.
2. Legal and case law news – France
Whistleblowers' reports are subject to the GDPR
The whistleblower system had been improved by Law No. 2016-1691 of December 9, 2016 on transparency, fight against corruption and modernization of economic life.
Law No. 2022-401 of March 21, 2022 aiming to improve the protection of whistleblowers modifies the provisions of the 2016 law, in particular concerning the processing of personal data, by specifying that "alerts may only be kept for the time strictly necessary and proportionate to their processing and to the protection of their authors, the persons they target and the third parties they mention, taking into account the deadlines for any additional investigations" (article 5 of the 2022 law modifying article 9 of the 2016 law).
The labor law chamber of the Cour de cassation holds that the GDPR does not justify refusing to communicate the requested documents to the accountant
By a decision of March 9, 2022, the Cour de cassation clarified the extent of the accountant's powers with regard to his request for communication of a non-nominative personnel database. The labor law chamber holds that the GDPR cannot constitute a valid basis for refusing to communicate the requested documents to the accountant. Rather, it is necessary to verify whether these documents exist, and then whether the company is required to compile them.
French health insurance communicates on a personal data breach concerning amelipro
In a press release dated March 17, 2022, the French National Health Insurance indicated that it had suffered a personal data breach on its amelipro service for healthcare professionals.
The Health Insurance took a number of security measures to stop the breach, including blocking the IP addresses involved and resetting the accounts of the affected health professionals. This communication meets the obligation to notify data subjects of a data breach (Article 34 GDPR). The CNIL has also been notified of the breach (Article 33 GDPR).
3. Legal and case law news – Europe & international
EDPB issues new guidelines on the application of Article 60 of the GDPR
Article 60 of the GDPR establishes a one-stop-shop mechanism allowing a designated supervisory authority to conduct investigations into cross-border data processing, while cooperating with its European counterparts, who remain the complainant's point of contact.
In its guidelines published on March 14, the EDPB (European Data Protection Board) aims to clarify Article 60 and the contours of the cooperation procedure between the lead supervisory authority and the other supervisory authorities involved, completing its analysis with a summary guide to the one-stop shop procedure.
EDPB warns about dark patterns
Dark patterns are manipulative interface designs embedded in other interfaces. Their purpose is to deceive users by pushing them into ill-considered decisions that are harmful to them, to the benefit of the company that created the interface. Dark patterns make it possible in particular to collect personal data, for example by hiding information or by strongly nudging the user to consent, thus contravening Article 5 of the GDPR. Cookie acceptance banners can constitute dark patterns.
The EDPB has therefore published guidelines on the use of dark patterns on social networks, offering recommendations for data controllers and also for users of social networks, through practical cases.
Privacy Shield replacement agreement in principle
Pursuant to Article 45 of the GDPR, the Privacy Shield was an adequacy decision adopted in 2016 by the European Commission, governing transfers of personal data between the European Union and US-based controllers or processors. The ECJ invalidated this decision on July 16, 2020 in its so-called "Schrems II" ruling, considering that the level of protection offered to European nationals was not high enough.
On March 25, 2022, the European Commission and the United States reached an agreement in principle, putting forward new guarantees of the necessity and proportionality of American surveillance policies.
The certification system would be maintained, accompanied by effective control procedures, and a dedicated court would be created to receive complaints from European citizens.
The ECJ confirms that consumer protection associations can take legal action against the alleged author of a breach of the GDPR
The case concerns the Meta platform, against which a German consumer protection association had brought legal action.
The ECJ applied Article 80, §2 of the GDPR and held, in a judgment of April 28, 2022, that consumer associations have standing to bring an action even in the absence of a mandate and without prior individual identification of the person concerned by the infringement of the GDPR.
The Irish CNIL fines Meta
Noting a violation of Articles 5 (transparency of information) and 24 of the GDPR (obligations of the controller), the Irish Supervisory Authority fined Meta Platforms, formerly Facebook Ireland Limited, €17 million in a decision dated March 15, 2022. The investigation took place in the light of twelve personal data breaches, following which the Authority verified whether the company had put in place proper technical and organizational measures.
The fine was imposed under the one-stop-shop procedure provided for in Article 60 of the GDPR, as the processing operations concerned were cross-border. The Irish Authority therefore acted as the lead Authority and its decision is in line with the positions of the other Authorities involved in the investigations.
Belgian CNIL fines Zaventem and Charleroi airports twice for temperature checks using thermal cameras
In the context of the health crisis, the two Brussels airports had implemented temperature checks of passengers via thermal cameras identifying those with a body temperature above 38°C. The Belgian supervisory authority sanctioned them for lack of legal basis (Article 6 of the GDPR). The Authority had taken action on its own initiative after learning of the existence of this processing through the press.
As this was health data, and therefore sensitive data, the airports were required to demonstrate a clear legal basis and to carry out a DPIA (Data Protection Impact Assessment) before implementing the processing, the DPIA being the tool that makes data controllers accountable for high-risk processing. The urgency of the health crisis was not sufficient to justify such processing: the two airports were fined 200,000 and 100,000 euros respectively.