May - June 2022
This bi-monthly LAVOIX newsletter presents a selection of legal news in the field of personal data protection for the period May-June 2022.
1. News from the CNIL
Publication of the 2021 activity report
The CNIL's annual activity report for the year 2021 was published on May 11.
In particular, the report gives an overview of the CNIL's enforcement activity, including an unprecedented total of more than 214 million euros in fines, with a majority of formal notices concerning cookies. The report also notes the CNIL's growing involvement in the work of the EDPB and in European-level issues, including data transfers outside the EU.
Twenty-two municipalities required to designate a data protection officer
In a deliberation dated May 5, 2022, the CNIL gave formal notice to 22 municipalities to appoint a data protection officer (DPO) who, in particular, has the required expertise, independence and sufficient means. This appointment is mandatory for public authorities and bodies under Article 37 of the GDPR. The formal notices were made public because of the sensitivity of the municipalities' missions and of the data they process.
The Ministry of Labor, Employment and Integration recently published a study on the DPO profession, highlighting its dynamics and the changes observed between 2019 and 2021. The study notes in particular the increase in the number of DPOs in 2021 and the diversification of their profiles, and describes the characteristics of the profession, including the fact that a majority of DPOs are either internal or shared between several entities.
Recommendations to make your Google Analytics audience measurement tool compliant with the GDPR
The CNIL has published recommendations for bringing websites that use Google Analytics audience measurement trackers into compliance with the GDPR, given the data transfers outside the EU that these trackers involve and the invalidation in 2020 by the EU Court of Justice of the Privacy Shield (the legal framework for data transfers between the EU and the USA).
The CNIL suggests "proxyfication", i.e. routing the measurement data through a proxy server that pseudonymizes it before it is exported. It considers the following measures necessary to limit the data transferred:
• The absence of IP address transfer to the servers of the measurement tool;
• The replacement of the user ID by the proxyfication server;
• Removal of external referrer information from the site;
• The removal of any parameters contained in the collected URLs;
• The reprocessing of any information that could contribute to generating a fingerprint of the user;
• The absence of any cross-site or deterministic identifier collection;
• The deletion of any other data that may lead to re-identification.
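The list above reads as a specification for the proxy. The following is an added illustration, not code published by the CNIL or by Google, of what such a proxy does to each hit before forwarding it. The field names (`client_id`, `client_ip`, `page_url`, `referrer`, `user_agent`, `screen`, `device_id`), the site host, the secret and the sample hit are all constructed for this example; a real deployment maps them onto the vendor's own parameters.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed values: the host of the measured site and a secret that only the
# proxy holds. Because the vendor never sees the secret, it cannot reverse the
# pseudonymous identifiers or correlate them across sites.
SITE_HOST = "www.example.com"
PROXY_SECRET = b"rotate-this-secret-regularly-and-keep-it-on-the-proxy-only"

# Only these incoming fields are read at all; everything else the browser sends
# (IP address, screen size, cross-site or deterministic identifiers, unknown
# keys) is dropped. An allow-list is the deletion rule for "any other data
# that may lead to re-identification".
READ_FIELDS = {"client_id", "page_url", "referrer", "user_agent", "event"}


def pseudonymize_id(client_id: str, secret: bytes) -> str:
    """Replace the browser's identifier by a keyed hash computed on the proxy.

    Same input and same secret give the same output (audience measurement still
    works); a different secret gives an unrelated output, so rotating the
    secret breaks long-term linkability.
    """
    return hmac.new(secret, client_id.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path; drop query string and fragment.

    Query parameters are where tokens, e-mail addresses and campaign
    identifiers tend to live, which is why the CNIL asks for their removal.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def internal_referrer(referrer, site_host: str):
    """Forward the referrer only when it points at the measured site itself.

    External referrers (search engines, other sites) are removed entirely;
    internal ones are kept but stripped of their parameters.
    """
    if not referrer or urlsplit(referrer).hostname != site_host:
        return None
    return strip_url(referrer)


def coarse_browser_family(user_agent) -> str:
    """Reduce a full User-Agent string to a coarse family.

    The full string is a strong fingerprinting signal; a handful of families is
    enough for audience statistics. Edge is tested before Chrome because Edge
    user agents also contain "Chrome".
    """
    ua = user_agent or ""
    for needle, family in (("Firefox", "firefox"), ("Edg", "edge"),
                           ("Chrome", "chrome"), ("Safari", "safari")):
        if needle in ua:
            return family
    return "other"


def sanitize_hit(hit: dict, secret: bytes = PROXY_SECRET,
                 site_host: str = SITE_HOST):
    """Return (clean_hit, dropped_fields) for one incoming hit.

    clean_hit is what the proxy forwards to the measurement tool; dropped_fields
    lists the incoming keys that were discarded, which is useful to log during
    rollout to check that nothing unexpected reaches the proxy.
    """
    clean = {
        "client_id": pseudonymize_id(hit["client_id"], secret),
        "page_url": strip_url(hit["page_url"]),
        "referrer": internal_referrer(hit.get("referrer"), site_host),
        "browser_family": coarse_browser_family(hit.get("user_agent")),
        "event": hit.get("event", "page_view"),
    }
    dropped = sorted(k for k in hit if k not in READ_FIELDS)
    return clean, dropped


# Constructed sample hit, as a browser-side script might send it to the proxy.
SAMPLE_HIT = {
    "client_id": "1234567890.1650000000",
    "user_id": "u-42",
    "client_ip": "203.0.113.42",
    "page_url": "https://www.example.com/account?token=abc123&utm_source=news",
    "referrer": "https://search.example.net/?q=lavoix+newsletter",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/102.0 Safari/537.36",
    "screen": "2560x1440",
    "device_id": "ffeeddcc",
}

if __name__ == "__main__":
    forwarded, removed = sanitize_hit(SAMPLE_HIT)
    print("forwarded:", forwarded)
    print("dropped:", removed)
```

Two points worth checking in a real deployment: the proxy must be the only path to the vendor (the browser must not be able to reach the measurement endpoint directly, or the IP address leaks anyway), and the pseudonymisation secret must never be sent to, or derivable by, the vendor, otherwise the "replacement of the user ID" is cosmetic.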
Publication of the first evaluation criteria on cookie walls
The CNIL has published its first criteria for assessing the lawfulness of cookie walls, i.e. cookie banners that condition "access to a service on the user's acceptance of the deposit of certain cookies on his terminal (computer, smartphone, etc.)". In most cases, access to the site without accepting certain cookies is conditioned on the payment of a sum of money.
The criteria for assessing the lawfulness of cookie walls are as follows:
• A real and fair alternative allowing access to the site must be offered;
• Where the alternative is a paid one, the price must be reasonable and take account of appropriate modes of use (not necessarily a subscription); where the alternative requires the creation of an account, that account must serve specific purposes that are transparent to the user;
• The cookie wall must be limited to the purposes that allow fair remuneration of the service.
Responsibility under the GDPR in the context of public procurement
The CNIL has published a guide on public procurement, intended for economic operators bidding for public contracts and for administrations.
The guide is intended to facilitate the qualification of each party as controller, processor or joint controller, and specifies how responsibilities are shared between the administration and the economic operators. The recommendations are adapted to the subject matter of the public contract and the nature of the related processing.
2. Legal and case law news - France
The Paris Court of Appeal rejects a former employee's request to be given access to her entire professional e-mail account
In a decision dated May 12, 2022 (CA Paris, Pôle 6, chambre 2, May 12, 2022, n°21/02419), the Paris Court of Appeal confirmed a decision of the Labour Court of Melun (Conseil de Prud'hommes de Melun) which had dismissed a former employee's claims against her former employer, requesting the communication of her entire personal file, including the entire content of her professional e-mail.
The Court of Appeal took into account the fact that it was materially impossible to grant this request, as the employer had since deleted her mailbox in accordance with the retention period set out in its personal data policy.
The CNIL imposes a fine of 1 million euros on TOTALENERGIES ELECTRICITE ET GAZ FRANCE
The sanction was pronounced by a deliberation of June 23, 2022 of the CNIL's restricted committee (formation restreinte).
The CNIL condemned the energy supplier for two series of breaches:
• Failure to allow people to object to the use of their data for commercial prospecting purposes: the energy contract subscription form mentioned that the subscriber accepted that their data be used for commercial prospecting purposes, without offering the possibility to refuse;
• Failure to provide information, particularly to those contacted by telephone, and to respect the exercise of rights, as the company did not respond to requests to exercise rights within the appropriate timeframe.
However, in setting the fine, the Authority took into account the efforts made by the company throughout the proceedings to comply with the requirements of the GDPR.
The Council of State confirms the 35 million euros fine imposed by the CNIL on Amazon
In a decision dated June 27, 2022, the Conseil d'Etat rejected Amazon Europe Core's appeal and confirmed the penalty imposed by the CNIL on December 7, 2020, namely a fine of 35 million euros for the automatic deposit of cookies on the terminal of Internet users visiting the amazon.fr website without their prior consent, and for the inadequacy of the information contained in the cookie banner.
The Conseil d'Etat considered that the breach of Article 82 of the French Data Protection Act was established, and held that the divergent positions of other European authorities on the conditions and modalities of collecting consent had no bearing on the applicable law. It also held that the amount of the penalty was proportionate, taking into account the seriousness of the breach, the scale of the processing carried out thanks to the cookies, the potentially sensitive nature of the data obtained, the financial advantage gained by Amazon and its worldwide turnover.
3. Legal and case law news - Europe & international
EDPB issues guidelines on the calculation of GDPR fines
The purpose of these guidelines is to harmonize the fines imposed across Europe by giving supervisory authorities a common methodology. Fines are calculated in five steps:
• Identification of the processing operations concerned;
• Determination of the starting point for calculating the fine;
• Assessment of aggravating and mitigating circumstances relating to the conduct of the controller or processor;
• Identification of relevant legal maximums for different offenses;
• Analysis of whether the final amounts calculated are consistent with the requirements of effectiveness, deterrence and proportionality.
EDPB issues guidelines on the use of facial recognition by public authorities
In response to the increasing use of facial recognition by public administrations and to the related risks for fundamental freedoms, the EDPB has issued guidelines addressed to public policy makers and drafters of legislation.
In particular, the EDPB specifies that a DPIA (data protection impact assessment) is required before the processing can begin. In addition, the EDPB calls for a ban on certain forms of processing, namely: remote biometric identification of individuals in publicly accessible spaces; AI-based facial recognition that classifies individuals, on the basis of their biometric data, into groups according to their ethnicity, gender, or political or sexual orientation; inference of emotions; and processing of personal data in a law enforcement context based on massive data collection.
New Privacy Shield: effective date announced for early 2023
The new legal framework for data transfers between the EU and the US, which is supposed to replace the Privacy Shield invalidated in 2020 by the EU Court of Justice, is expected in the first quarter of 2023 according to Reuters.
Belgium: press group sanctioned for its cookie management
The Belgian data protection authority found that two websites operated by the group did not meet the applicable requirements: consent was not obtained before data was collected, users were not sufficiently informed of the processing, and the consent obtained was ambiguous (pre-ticked boxes).
United Kingdom: reform of personal data legislation
In a communication dated May 10, 2022, the British government outlined the upcoming legislation on personal data protection.
The stated goals include taking advantage of Brexit to create an ambitious legal framework on data, modernizing the supervisory authority and giving it greater powers, and facilitating access to health data.
Article by: Caroline ALET, Alix CAPELY and Camille PECNARD