DATA PROTECTION
January-February 2022
This bimonthly LAVOIX newsletter presents a selection of legal news in the field of personal data protection for the period January-February 2022.
1. Legislative and case law news – France
CNIL’s repressive action in 2021: a peak year
On European Data Protection Day, January 28, 2022, the CNIL (French data protection authority) published a review of its repressive action for 2021.
The total amount of fines imposed in 2021 reached more than 214 million euros, an increase of 55% compared to 2020.
In 2021, the CNIL issued 18 sanctions, 15 fines and 135 formal notices. Half of the sanctions concerned breaches of the obligation to ensure the security of personal data.
Validation by the Conseil d’Etat of the fine imposed by the CNIL against Google regarding cookies
In a decision dated January 28, 2022, the Conseil d’Etat validated the fine imposed by the CNIL against Google on December 7, 2020 for several failures to comply with the French data protection Act (“Loi informatique et libertés”) regarding cookies.
Google LLC and Google Ireland argued that the CNIL lacked jurisdiction to impose such a sanction and relied on the one-stop-shop mechanism, which in their view reserved exclusive jurisdiction to the Irish data protection authority.
In line with its decision of March 4, 2021, the Conseil d’Etat clarified that the one-stop-shop mechanism provided for by the GDPR does not apply to cookie-related matters, which are governed by the French data protection Act.
The Conseil d’Etat confirmed the violations of Article 82 of the Act found by the CNIL: cookies placed without the user’s prior consent, insufficient information provided to the user, and a mechanism for declining cookies that was partially ineffective.
Formal notice from the CNIL concerning the use of Google Analytics
The CNIL has received complaints from the NOYB association regarding the transfer to the United States of data collected during visits to websites using Google Analytics.
The CNIL found that Google Analytics entails a transfer of data to the United States in violation of Articles 44 et seq. of the GDPR, drawing the consequences of the Schrems II ruling of the Court of Justice of the European Union (CJEU), which invalidated the Privacy Shield.
The CNIL issued a formal notice to a website operator ordering it to bring its processing into compliance with the GDPR, to stop using Google Analytics under its current conditions and, if necessary, to switch to a tool that does not involve any transfer outside the EU.
The Austrian data protection authority issued a similar decision on January 13, 2022.
CNIL clarifications on the re-use by a processor of data entrusted by a data controller
In January 2022, the CNIL clarified the terms for the re-use of data by a processor, adding to the guidelines already established regarding the relationship between data controller and data processor.
Re-use of the data is subject to a prior compatibility test, intended to determine whether the further processing is compatible with the purpose for which the data was initially collected. The controller’s authorization must be given in writing for a specific processing; it cannot be granted in advance or in general terms.
Once authorization has been obtained, the controller must inform the data subjects of the existence of the further processing, and the processor, which becomes the controller of that further processing, must ensure that it complies with the GDPR.
Introduction of a new simplified CNIL sanction proceeding for cases considered of minor concern
Law No. 2022-52 of January 24, 2022 on criminal liability and internal security introduced a new CNIL sanction mechanism through a new article 22-1 inserted into the existing data protection Act.
This provision modifies the powers of the Chairman of the restricted panel for cases considered to be of minor concern. The Chairman may rule alone and take three types of measures: order the production of the requested elements where a previous formal notice has gone unanswered, impose a periodic penalty payment of €100 per day of delay, and impose an administrative fine of up to €20,000.
This new proceeding responds to the increase in the number of complaints received by the CNIL.
The CNnum debates new rights and duties
On January 13, 2022, the national council for digital matters (CNnum) published a paper outlining solutions to the problems created by the attention economy, the business model on which digital platforms are built through data collection and personalized advertising.
As part of this initiative, the CNnum is debating the creation of new rights for internet users and new obligations for digital platforms, such as a right to be informed about attention-capturing mechanisms, a strengthened right to disconnect, and a right to interoperability between platforms.
2. Legislative and case law news – Europe and international
Draft regulation on data (“Data Act”)
On February 23, 2022, the European Commission published its draft regulation on data, known as the “Data Act”, intended to foster a fair and innovative data economy.
The objectives of the Data Act include ensuring fairness in the digital environment, fostering the development of a competitive data market, opening up opportunities for data-driven innovation and making data more accessible to all.
EDPB guidelines on the right of access
On January 18, 2022, the European Data Protection Board (EDPB) adopted its guidelines on the data subject’s right of access, which are open to a six-week public consultation.
The guidelines aim to clarify the scope of the right of access, the information that the controller must provide to the data subject, the form of the access request, the modalities of access and the notion of manifestly unfounded or excessive requests.
EDPB guidelines on data breaches
On January 3, 2022, the European Data Protection Board (EDPB) published eighteen practical case studies as guidelines to assist data controllers in handling personal data breaches in accordance with Articles 33 and 34 of the GDPR.
The EDPB covers the main threats that data controllers may face, classified in six categories: ransomware, data exfiltration attacks, internal human risk, loss or theft of devices and paper documents, mailing errors and social engineering.
For each case study, the EDPB outlines the measures that should already be in place beforehand, the risk assessment methodology, the mitigating measures and the resulting obligations of the controller (internal documentation, notification to the supervisory authority, communication to the data subjects).
Belgian Authority sanctions IAB Europe
The Belgian data protection authority fined IAB Europe €250,000 for non-compliance with the GDPR in relation to its “Transparency and Consent Framework”, the standard used by digital advertising players to bring their ad profiling tools into line with the GDPR.
The Authority considers that the legal basis relied on by IAB Europe, namely the consent of internet users, is an insufficient guarantee. Without banning the framework, the Authority ordered corrective measures. IAB Europe has indicated that it has appealed the decision.
EDPS injunction to the European Parliament over data transfers outside the EU
The EDPS found that a website set up by the European Parliament to allow its members and staff to book appointments for COVID-19 tests did not comply with the applicable data protection rules, in particular because personal data was transferred outside the EU to the United States without a demonstrated equivalent level of protection.
The investigation followed a complaint. The European Parliament was ordered to bring its website into compliance within one month.
Sanction of the Greek phone operator COSMOTE
On January 31, 2022, the Greek data protection authority fined the phone operator COSMOTE 6 million euros. COSMOTE collected subscribers’ traffic data, stored it for 90 days from the date of the call, and then retained it in pseudonymized form for a further 12 months.
The Authority considered that this processing violated the principles of lawfulness and transparency, that sufficient security measures had not been demonstrated, and that the processing had been implemented on the basis of an impact assessment whose risk evaluation was inaccurate.