Weekly digest April 25 – May 1, 2022: class actions authorised in EU data protection cases

TechGDPR’s review of international data-related stories from the press and analytical reports.

Legal processes and redress: consumer data class actions, digital content and services, CCPA & CPRA

The ECJ ruled that consumer protection associations may bring representative actions against infringements of personal data protection. Such class actions may be brought independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect, the judgement in Meta Platforms Ireland states. Germany’s Federal Union of Consumer Organisations and Associations brought an action for an injunction against Meta Platforms Ireland, alleging that it had infringed, in the context of making available to users free games provided by third parties, rules on the protection of personal data and rules on unfair commercial practices and consumer protection. Here are some of the main court findings:

• the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation;
• a consumer protection association, such as the Federal Union, falls within the scope of the concept of a “body that has the standing to bring proceedings” for the purposes of the GDPR in that it pursues a public interest objective;
• the infringement of the rules on consumer protection and unfair commercial practices may be related to the infringement of a rule on the protection of personal data.

Meanwhile, new Belgian rules on consumer guarantees and digital content and services, entering into effect in June, were analysed by the CMS Law-Now blog. Belgium has reinforced the position of consumers buying physical and digital goods by placing a higher liability on resellers and producers. The guarantee provisions for digital content and digital services apply to a traditional sale in consideration of price, and now also extend to transactions where the consumer “pays” by providing access to their personal data.

Digital content is defined as “data which are produced and supplied in digital form”, while a digital service is either “a service that allows the consumer to create, process, store or access data in digital form”, or “a service that allows the sharing of or any other interaction with data in digital form uploaded or created by the consumer or other users of that service.” The seller must also provide security updates necessary to keep the goods in conformity for the period of time that the consumer can reasonably expect. This piece of EU-wide legislation has a number of data protection implications including core principles such as the requirements for data minimisation, data protection by design, and data protection by default. Read the legal text here.

JD Supra News&Insights has published an analysis on California consumer-focused privacy regulations – the existing California Consumer Privacy Act, (CCPA), and the new California Privacy Rights Act, (CPRA), which will go into effect in 2023. They are similar, but there are some key additions to the latest piece of legislation:

• Data inventories must now include B2B and employee data, (eg, the ability to opt-out of profiling, opt-out of targeted/cross-context advertising, opt-out of automated decision making, and to limit the use and disclosure of sensitive information). 
• Consumers have the right to correct their personal information. 
• Organisations must conduct regular Privacy Impact Assessments and annual cyber risk assessments. 
• Record retention requirements are more stringent and must be disclosed, (specific information on the 11 categories of personal data and the retention periods). 
• Front-end privacy notices will need to be updated to reflect new consumer rights, etc.

Official guidance: cross-border cooperation, oral contracts’ recordings, DPIAs

The EDPB has published its statement on enforcement cooperation. The document emphasises that data protection authorities reiterate their commitment to close cross-border cooperation and agree to further enhance it in the following manner:

• identifying cross border cases of strategic importance in different Member States, (cases affecting a large number of data subjects in the EEA, cases dealing with a structural or recurring problem in several member states, cases related to the intersection of data protection with other legal fields);
• exchanging information on national enforcement strategies with a view to agreeing on annual enforcement priorities at EDPB level;
• the EDPB will propose a template for data subjects’ complaints, to be used by regulators on a voluntary basis;
• the EDPB will continue to improve its IT cooperation tools, with the support of the European Commission.

Finally, the EDPB states that in the coming years, it will be crucial to solidly embed the GDPR in the overall regulatory architecture that is being developed for the digital market (Data Act, DMA, DSA, AI Act, DGA). A clear distribution of competencies among the regulators will need to be ensured, as well as efficient cooperation. 

The French regulator CNIL issued guidance on ‘The recording of telephone conversations in order to establish proof of the formation of a contract’, (in French). An organisation wishing to record telephone conversations for evidentiary purposes must, as a data controller, demonstrate that it has no other means to prove that a contract has been concluded with the data subject. Thus, it is necessary to distinguish the contracts which can be concluded orally from those for which the agreement must necessarily be materialised by a written act. In short:

• For written contracts, registration is not necessary.
• For contracts that can be concluded orally, if conversations are recorded, the principle of data minimization must, in any event, be respected.
• Recordings cannot be permanent or systematic.
• Only conversations relating to the conclusion of a contract may be recorded.
• When people agree to enter into a contract by telephone, the recordings of the telephone conversations can be processed on the basis of the legal basis of the contract (Art. 6 of the GDPR). 
• The collection of banking data needs the implementation of a device to quickly interrupt or delete the recording of the telephone conversation when the consumer pronounces this data, except for statutory requirements.
• On registration, the professional must inform the persons concerned the whereabouts of all the recordings and their data subject rights. 
• This information should be provided in two stages: by means of an oral mention, at the beginning of the conversation,  and by a reference to a website, (and a “legal notices” tab for example), or a “legal notices” button on the telephone to obtain exhaustive information.

Moldova’s data protection authority the NCPDP published its approved list of processing operations that are subject to data protection impact assessment, Data Guidance reports. The data controller must conduct a DPIA of the highest quality, such as: 

• systematic and extensive evaluation of personal aspects or scoring, including the creation of profiles and forecasts; 
• automatic decision-making, including processing that produces legal effects or which affects in a similar way to a significant extent; 
• systematic monitoring, including processing, is used to observe, monitor, or control the data subject, (data collected through networks or large-scale systematic monitoring of an area accessible to the public);
• processing of the personal data of vulnerable persons, including children;
• large-scale processing of personal data, including special categories of data of at least 5,000 individuals; data presenting high risks for at least 10,000 individuals; and any other data of at least 50,000 individuals; and 
• video surveillance in public areas, stadiums, and markets.

Investigations and enforcement actions: lawful rejection of access rights, AI-based speech signal processing, contract change without consent

The Danish regulator Datatilsynet found a municipality’s rejection of a subject access request lawful, according to Data Guidance. Specifically, it found that a municipality’s assessment to reject a former employee’s request for access to personal data was lawful and in accordance with Art. 12 (5-b) and 15 of the GDPR. Here are some facts of the case:

• the request was made after the termination of the employment contract;
• it was to access all communications in which the employee was mentioned;
• a municipality had asked the complainant to specify their request as the desired material was extensive, which the complainant refused to do;
• the information requested, which included letters and emails that had been signed or sent by the complainant, could be considered personal data; 
• the information was mainly a description of the function the complainant performed during employment and thus is not, to a great extent, information ‘about’ the complainant. 

• It used the results of the analysis to determine which customers should be called back by analysing the emotional state of the caller.
• An AI-based speech signal processing software automatically analyzes the call based on a list of keywords and the caller’s emotional state. 
• The software then established a ranking of the calls serving as a recommendation as to which caller should be called back as a priority.
• The data controller based the processing on its legitimate interests to retain its clients and to enhance the efficiency of its internal operations.
• For years it had failed to provide to the data subjects proper notice and the right to object because it had determined that it was not able to do so. 
• The only lawful legal basis for the processing activity of emotions-based voice analysis can only be the freely given, informed consent of the data subjects.
• Though the bank had carried out a Data Protection Impact Assessment, and identified that the processing was of high risk to the data subjects, it had failed to present substantial solutions to address these risks.

Spain’s privacy regulator the AEPD fined a company 150,000 euros for lack of appropriate technical and organizational measures, (Art. 32 of the GDPR). A customer complained that their contract was changed without their consent. However, the company claimed that it had received a call from a person who claimed to live at the claimant’s address and was able to provide details necessary to pass verification, which thereby resulted in the changes to the contract. The regulator concluded  that security procedures which require data such as names, surnames, telephone numbers, and addresses might be available to third parties and used for fraudulent purposes. Finally, the AEPD noted that the contract was modified without the claimant’s consent in violation of Art. 6 of the GDPR, Data Guidance reports. 

Audits: video gaming and minors’ safety online

The UK privacy regulator the ICO has published an age-appropriate Design Code Audit Report for Fireproof Studios, (a gaming company). The scope of areas covered by this audit was determined following a risk-based analysis of Fireproof’s processing of children’s personal data. It was agreed that the audit would focus on the following areas:

• Governance, transparency, and rights  
• Diligence and Data Protection Impact Assessments 
• Minimisation and sharing, age assurance 
• Detrimental Use 
• Privacy settings and controls 
• Geolocation tracking 
• Profiling, cookies, nudge techniques  
• Connected Toys and Devices and AI Online Services

The overall opinion of the audit result is very high on all points:

• Fireproof does not process personal information in-game.
• It has limited the collection of personal data to when it is necessary to provide a customer support function to children and other users. 
• It has made deliberate design choices to not make use of dark nudge techniques, not to profile users, and to not include in-game content detrimental to children. 
• This has facilitated compliance with the Code’s standards and as a result children are afforded a high level of protection when interacting with Fireproof’s games.
• Fireproof process personal data when providing customer support. The information gathered for the purposes of providing support cannot be linked to any in-game information gathered by Fireproof, such as the length of the session.  

However, some room for improvement exists in identifying and documenting a lawful basis for processing and conditions for processing special category data, along with ensuring privacy information is updated to reflect the identified lawful basis and the rights available to children.

Big Tech: Google’s removal of PII, Amazon’s search algorithms, Microsoft’s reports on privacy and cyberwar in Ukraine

Google is extending its privacy policy, giving users for the first time the right to demand the removal of personally identifiable information, (PII), like phone numbers, secret login credentials, or e-mail addresses from search results that can be used in identity theft. Demanding PII removal from search results may take time however, as Google warns users on the removal request page, because of “…preventative measures being taken for our support specialists in light of COVID-19…”.

Amazon has refused to describe its product search system and algorithm inputs to Australian competition regulators. As part of an ongoing five-year review of big tech that last year saw Alphabet’s Google and Facebook fined, a report said Amazon and similar large marketplace platforms prioritised, in rankings and presentation, own-brand products over competitors.

Microsoft published its latest privacy report. The report summarises several trends since October 2021, including the desire of both individuals and organisations for greater control over their data; a surge in the development of comprehensive privacy laws in jurisdictions around the world; and increasing calls by governments and businesses to keep personal data resident in their jurisdictions.  MS gives its customers control over their data through the Microsoft privacy dashboard. Another new initiative by MS was Microsoft Priva, MS’s first product specifically designed to address privacy issues for large organisations.

Additionally, the latest blog post from Microsoft’s Corporate Vice President, Customer Security & Trust Tom Burt reviews the publication of the MS Digital Security Unit’s first report on the cyberwar in Ukraine. It details more than 237 operations, (some of them are ongoing and not fully traced yet), against Ukraine involving at least six pro-Russian nation-state attacks. Nearly 40 operations are classed as destructive, (eg, threatening critical infrastructure and civilian welfare), and there is a high level of correlation between these attacks and battlefield initiatives. 

Techniques have included phishing, wiper malware, use of unpatched vulnerabilities, and compromising upstream IT service providers. Attackers have often tweaked their malware from target to target to avoid detection. The report also includes specific recommendations for organizations that may be targeted by Russian actors as well as technical information for the cybersecurity community.