Weekly digest April 11 – 17, 2022: France’s CNIL to simplify investigation and enforcement of minor cases

TechGDPR’s review of international data-related stories from press and analytical reports.


Legal Processes: CNIL investigation and enforcement, EDPB procedural rules 

The French data protection authority CNIL announced a reform of its corrective procedures, moving towards simplified investigation and enforcement actions. A simplified procedure was created in particular for less complex cases. This reform will allow the CNIL to respond better to the increasing number of complaints since the GDPR came into force. The CNIL currently has to handle numerous complaints (more than 14,000 in 2021), and the number of corrective measures it pronounces keeps rising (18 sanctions and 135 formal notices issued in 2021). Cases that are not very complex or serious will therefore be subject to a simplified sanction procedure: such a case follows the same steps as the ordinary sanction procedure (time limits, adversarial procedure), but the way they are implemented is simplified:

  • The president of the CNIL chooses a restricted committee (5 members and a chair).
  • The president appoints a designated rapporteur, who is in charge of the investigation.
  • The chair of the restricted committee (or a member they appoint) decides alone, and no public meeting is organised unless one is requested.
  • The penalties that can be pronounced in this context are limited to a fine of at most 20,000 euros and an injunction with a penalty capped at 100 euros per day of delay. These sanctions cannot be made public.

The ordinary procedure has also been adjusted and clarified on certain points, in particular: a) extended deadlines for submitting observations; b) the possibility for a new rapporteur to use investigative work carried out by a previous rapporteur; c) the possibility for the president of the restricted committee to decide alone that there is no longer any need to proceed with the case (e.g., if the organisation has ceased to exist since the start of the sanction procedure).

Finally, the CNIL can now send formal notices that do not require a written response from the organisation. In this case, the organisation is required to comply within the set deadline, but no longer has to send evidence to the CNIL within that same deadline. Compliance may be verified by other means, for example during a subsequent inspection. The full infographic (in French) on the CNIL’s renewed penalty procedures can be found here.

The EDPB similarly published its latest procedural rules, restating its mission and guiding principles, procedures and working methods as set out in the GDPR, the Police and Criminal Justice Data Protection Directive, and other applicable legislative instruments under EU law. The board shall act independently, apply appropriate measures to ensure confidentiality when required, promote cooperation between supervisory authorities, and endeavour to operate by consensus where possible. With regard to the processing of personal data by EU institutions and bodies, the board shall appoint a data protection officer.

Among other provisions, the European Commission shall have the right to participate in the activities of the board without voting rights. Additionally, the board may invite external experts, guests or other external parties to take part in a plenary meeting and may set the agenda. The board may also decide to grant a non-EU country data protection authority the status of an observer, if it is in the interest of the board and certain qualitative conditions are met. You can read the full document here.

Official Guidance: the use of web fonts, post-pandemic data

The Bavarian data protection authority (BayLfD) recently published a statement on the use of web fonts, Data Guidance reports. It specified that a website operator, by integrating an external third-party font service, acts as a controller within the meaning of the GDPR: the operator co-decides on the means and purposes of the processing and lets the third-party provider receive personal data from users. The website operator’s responsibility is limited to the collection and transmission of user data. However, a) no data (e.g., IP addresses) may be transmitted to third-party servers before consent has been given, and b) it must be clearly stated which data is being processed, to whom it is being transmitted, and for what purpose. Finally, the safest data protection solution would be to integrate fonts into a website through self-hosting rather than external hosting.
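As an added illustration of the BayLfD point (this is not part of the digest or of the authority’s statement), the following Node.js script scans page markup and CSS for font resources that a browser would fetch from third-party hosts before any consent dialogue runs, contrasting an externally hosted font stylesheet with a self-hosted @font-face rule; the hostnames and the first-party host list are constructed for the example.

```javascript
// Added example: audit markup/CSS for fonts loaded from third-party hosts.
// A third-party font request transmits the visitor's IP address to that host
// on page load, i.e. before any consent can have been given.

// Assumed first-party hosts of the site being audited (constructed values).
const FIRST_PARTY = new Set(["example.org", "static.example.org"]);

// Pulls every URL that looks like a font file or font stylesheet out of
// HTML <link> tags and CSS url() / @import rules.
function extractFontUrls(source) {
  const urls = new Set();
  const patterns = [
    /<link[^>]+href=["']([^"']+)["'][^>]*>/gi,   // <link rel="stylesheet" href=...>
    /url\(\s*["']?([^"')]+)["']?\s*\)/gi,        // url(...) inside @font-face
    /@import\s+(?:url\()?["']?([^"')\s;]+)/gi,    // @import "…" / @import url(…)
  ];
  for (const re of patterns) {
    for (const m of source.matchAll(re)) {
      const u = m[1];
      if (/font|\.woff2?|\.ttf|\.otf/i.test(u)) urls.add(u);
    }
  }
  return [...urls];
}

// Returns the sorted list of third-party hosts that would be contacted for fonts.
// Relative URLs are served by the site itself and therefore never flagged.
function thirdPartyFontHosts(source, firstParty = FIRST_PARTY) {
  const hosts = new Set();
  for (const u of extractFontUrls(source)) {
    if (!/^(https?:)?\/\//.test(u)) continue;    // relative path: first-party
    const host = new URL(u, "https://example.org/").hostname;
    if (!firstParty.has(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

// Constructed samples: the weak setup loads a stylesheet from a font CDN,
// the corrected setup serves the font file from the site's own origin.
const EXTERNAL_HOSTED = `
<link rel="stylesheet" href="https://fonts.example-cdn.net/css2?family=Inter">`;
const SELF_HOSTED = `
<style>
@font-face { font-family: "Inter"; src: url("/fonts/inter-v12.woff2") format("woff2"); }
</style>`;

console.log("external:", thirdPartyFontHosts(EXTERNAL_HOSTED)); // [ 'fonts.example-cdn.net' ]
console.log("self-hosted:", thirdPartyFontHosts(SELF_HOSTED));  // []
```

Run the script over a site’s built HTML and CSS; any host it reports is a font request that leaves the first party without a prior consent step.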

Meanwhile, the Baden-Württemberg data protection authority (LfDI Baden-Württemberg) announced that as soon as the COVID-19 pandemic is over it will review all pandemic-related restrictions. The regulator will approach healthcare providers, such as test centre operators and pharmacies, but also other companies and public bodies that have stored 3G evidence of their employees and customers, and it will insist on the deletion or blocking of this sensitive data. The regulator also stated that health information, such as information on employees’ pregnancies or autoimmune diseases, must not be used inappropriately, for example to terminate employment contracts or to deny promotion, Data Guidance reports.

Investigations and Enforcement actions: IAB Europe’s action plan, Frontex cloud, dismissed CCTV footage case


The Interactive Advertising Bureau (IAB) Europe submitted an action plan to comply with the latest investigation and enforcement decision by Belgium’s data protection authority (APD) concerning the Transparency & Consent Framework (TCF). Submission of the action plan was required under the two-phase remediation period foreseen in the decision and should enable a version of the TCF with broader compliance functionality to be rolled out over a 6-month period under the supervision of the APD. The action plan outlines how IAB Europe, in its capacity as managing organisation of the TCF, will hold in-depth discussions among the IAB Europe member companies that implement the TCF, convening in the existing TCF working groups and other forums, as well as with IAB Tech Lab. These forums are multi-stakeholder, bringing together:

  • publishers,
  • ad tech intermediaries,
  • agencies, and
  • consent management platforms.

However, the submission of the action plan is without prejudice to IAB Europe’s appeal against the decision. It contests a number of findings in the decision, in particular the findings that IAB Europe acts as a data controller of the TC String (the digital signal created to capture data subjects’ choices on how their personal data may be processed), and as a joint controller for the dissemination of TC Strings and other data processing done by TCF participants under the OpenRTB protocol.

The UK Information Commissioner’s Office (ICO) has found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care (DHSC). The leaked CCTV images showed the former Secretary of State for Health and Social Care and his former aide engaged in behaviour contravening social distancing rules. The regulator launched a criminal investigation after it received a report of a personal data breach from the DHSC’s CCTV operator (EMCOR Group plc). The ICO had a legal duty to carry out an impartial assessment of security within governmental offices. Forensic analysis revealed that the leaked images were most likely obtained by someone recording the CCTV footage screens with a mobile phone. Six phones retrieved during the execution of search warrants did not contain the relevant CCTV footage. The ICO concluded that there was insufficient evidence to charge anyone with criminal offences under the Data Protection Act 2018.

The EDPS issued a reprimand to the European Border and Coast Guard Agency (Frontex) for moving to the cloud without a proper data protection assessment. This constitutes a breach of the data protection legislation applicable to Union institutions, offices, bodies and agencies. The EDPS found that Frontex:

  • moved to the cloud without a timely, exhaustive assessment of the data protection risks and without the identification of appropriate mitigating measures or relevant safeguards for processing;
  • failed to demonstrate the necessity of the planned cloud services, as it has not shown that the chosen solution (Microsoft 365) was the outcome of a thorough process in which data-protection-compliant alternative products and services meeting Frontex’s specific needs were assessed;
  • failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary, based on an identified legal basis and established purposes;
  • breached the accountability principle as well as its obligations as a controller and the requirements of data protection by design and by default.

In addition to the reprimand, the EDPS ordered Frontex to review its DPIA (data protection impact assessment) and ROPA (records of processing activities).

Data Breaches: tax authority, visa service, medical practice, fashion industry, airport temperature checks

The Dutch Data Protection Authority (AP) has imposed a fine of 3.7 mln euros on the tax authorities for years of illegal processing of personal data in the Fraud Signalling Facility (FSV). This was a blacklist on which the tax and customs administration kept records of suspected fraud, often with major consequences for people who were wrongly on the list.

The UK Home Office’s visa service has apologised for an email address data breach. The private contractor running the service sent an email to applicants containing more than 170 email addresses. Some of the email addresses appeared to be private Gmail accounts, while others belonged to lawyers from a variety of firms.

In the US, Christie Business Holdings Company (Christie Clinic), a major medical practice in Illinois, informed 500,000 individuals that their personal information was potentially compromised in a data breach. Christie Clinic said the breach occurred last year, when a third party gained unauthorized access to a single business email account, likely in an attempt to intercept financial transactions.

The fashion industry has also been involved in privacy breaches lately. Luxury brand Louis Vuitton is facing a class-action lawsuit filed in New York by a customer who alleges that its “Virtual Try-On” feature violates the Illinois Biometric Information Privacy Act. The feature is used for eyewear: users provide an image of their face, which the customer alleges is collected and stored without knowledge or consent, IAPP News reports. Meanwhile, the UK branch of cosmetics giant Shiseido has reportedly fallen victim to a data breach involving personal details of former and current employees. Some of them have reported being victims of fraud, with their personal data used to open fraudulent businesses as well as to take out bank loans and insurance. Shiseido is known to use single sign-on authentication provided by CyberArk Identity for its 30,000 employees worldwide, an IT PRO article reveals.


The Belgian data protection authority has fined the airports of Brussels and Charleroi for Covid temperature checks. These airports did not have a valid legal basis to process travellers’ health data. Since data of this type is sensitive, it cannot in principle be processed, except in a very limited number of exceptions (Art. 9.2 of the GDPR). Processing for reasons of public health or important public interest is among these exceptions, provided it rests on a legal standard that is clear, precise and whose application is foreseeable for the data subjects. The regulator observed shortcomings in the information provided to travellers and in the quality of the impact analyses of the existing protocols.

Big Tech: online data brokerage, WhatsApp for work and school

American TV chat show host John Oliver devoted 25 minutes to the data brokerage industry, personal data and privacy as the “unregulated” sector’s profile rises into the mainstream. In his typically colourful dissection of the problems, he points to political interests in using personal data as partly behind the lack of regulation, and to potentially life-threatening situations made possible by data abuse.

With end-to-end encryption built in, WhatsApp is testing Communities, a new feature for larger groups tailored to organisations such as schools and workplaces. The Meta Platforms-owned company says it is comparable to other private messaging services like Microsoft Teams and Slack. But before the launch, major changes are coming to WhatsApp’s Groups feature: group administrators will now have moderation powers over all chat. Communities, once launched, will also have upgraded safeguards such as forwarding limits and a range of anti-abuse tools.
