Weekly digest December 20 – December 26, 2021: Facebook data transfer hustle, guide on Germany’s TTDSG, contactless payments, tech buzzwords 2021

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal Processes and Redress: Facebook data transfer hustle, Amazon fine halted, adequacy for South Korea

Despite the CJEU twice finding that the US does not offer sufficient protection for Europeans' data against access by American national security agencies, Facebook (Meta)'s lawyers continue to disagree, according to internal documents seen by POLITICO Europe. In July 2020 the CJEU struck down the EU-US data transfer framework, the Privacy Shield, but upheld the legality of another safeguard used to export data out of the EU, the Standard Contractual Clauses (SCCs), on the condition that the exporter verifies, case by case, that the destination country offers essentially equivalent protection and adds supplementary measures where it does not.

Facebook's lawyers argue that the court's ruling relates only to the Privacy Shield (Art. 45 GDPR) and not to the SCCs (Art. 46 GDPR), the instrument Facebook uses to transfer data to the US. The company also says that changes to US law and practice since the 2020 ruling should be taken into account, notably the US Federal Trade Commission "carrying out its role as a data protection agency with unprecedented force and vigour." Finally, the platform's lawyers note that the 234,998 data requests it received from US authorities in 2020 represent a "tiny fraction" of its total user base, which Facebook estimates at around 3.3 billion.

At the same time, Austrian lawyer and activist Maximilian Schrems, who started the legal battle against Facebook in 2013, states that since the 2020 CJEU judgment the platform has not taken any steps to limit its data transfers: "Instead, it produced an 86-page 'Transfer Impact Assessment' under the newly introduced SCCs, coming to the surprising result that the CJEU judgment would not apply to Facebook and transfers could continue as they are." Facebook's self-assessment reportedly concluded that relevant US law and practice provide protection for personal data essentially equivalent to the level required by EU law.

Also last week:

A Luxembourg court judgment halts Amazon's enormous daily GDPR penalty. The Administrative Court suspended a 746,000 euro penalty the US retailer had to pay for each day the suspected data protection breaches continued, ruling that the regulator's instructions on how to correct the breaches were too vague. In July the National Commission for Data Protection (CNPD) in Luxembourg, where Amazon's European headquarters is based, had hit the company with a record fine after deciding that its processing of customers' personal data for targeted advertising did not comply with the GDPR. Amazon argued the decision lacked merit and said it would appeal. Hearings between the two parties are still ongoing.

The European Commission has adopted an adequacy decision for South Korea under the GDPR. The decision allows personal data to flow freely between the EU and the Republic of Korea without further authorisation or additional transfer tools, and also covers transfers between public authorities. It rests on the protection afforded under Korean law to individuals in the EU whose data is transferred to the Republic of Korea, including additional transparency and onward-transfer requirements agreed by both sides. These rules are binding and enforceable by the South Korean data protection authority, the PIPC, and by the Korean courts, Hunton Andrews Kurth LLP reports. The full adequacy decision and the Commission's latest Q&As on the EU adequacy mechanism are available from the Commission.

Official Guidance: TTDSG, card-based payments, COVID status checks

The German Data Protection Conference (DSK), the body of the federal and state supervisory authorities, published guidance (in German) on the Telecommunications and Telemedia Data Protection Act (TTDSG), which entered into force on 1 December. The document, open for public consultation, helps operators of websites, apps and smart home applications implement the new provisions. It also informs citizens of the key changes in the legal framework and clarifies the interplay between the TTDSG, the GDPR and the ePrivacy Directive, namely:

  • The TTDSG goes beyond the scope of the GDPR: it requires consent for storing information on, or accessing information already stored in, the user's terminal equipment, regardless of whether that information relates to an identifiable person.
  • Consent for cookies and similar technologies can be bundled with consent for the subsequent processing or transfer of the data, provided the bundling is sufficiently transparent.
  • The TTDSG sets strict requirements for valid consent, including a "reject all" option (with limited exceptions where access is required for anti-fraud or IT security purposes).
  • These requirements only address processing within the EEA. Where the processing involves a transfer to a third country, an additional assessment is always needed, especially for countries such as the US for which there is no adequacy decision.

The guide also explains the rationale behind "absolutely necessary" cookies by distinguishing the main service, services provided at the user's request, and additional functions or services. Users do not have to accept every access to their terminal equipment, in particular the setting of cookies, just because they actively opened a website or app. They must first be made aware that there are additional services and functions that require access to the device (visitor counting, analytics, A/B testing and so on). Cookies for additional functions such as storing products in a shopping basket or making a payment can, as a rule, only be regarded as absolutely necessary from the moment the corresponding user interaction has taken place (when an item is actually placed in the basket, or the payment process has been initiated), not from page load.
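As an added illustration, not code from the DSK guide, TechGDPR or any real consent management platform, the following JavaScript models the rule just described: a write to the user's terminal equipment is allowed only when it is absolutely necessary for a service the user has actually triggered, or when the user has consented to the purpose; everything else is held back until the banner decision, and "reject all" discards the backlog. The class and function names, the purpose labels ("analytics", "necessary"), the service names and the cookie names are assumptions chosen for the example, and an in-memory map stands in for document.cookie so the code runs under Node without a browser.

```javascript
// Added example (not from the DSK guide or TechGDPR). Models the TTDSG rule:
// storage access on the terminal device needs consent unless it is absolutely
// necessary for a service the user has actively requested. All names are
// assumptions for illustration.

const NECESSARY = "necessary";

// In-memory stand-in for document.cookie / localStorage so this runs offline;
// in production the set() call would target the real browser API.
class TerminalStorage {
  constructor() { this.items = new Map(); }
  set(name, value) { this.items.set(name, value); }
  has(name) { return this.items.has(name); }
  names() { return [...this.items.keys()]; }
}

class ConsentGate {
  constructor(storage) {
    this.storage = storage;
    this.consented = new Set(); // purposes the user accepted, e.g. "analytics"
    this.requested = new Set(); // services the user actively triggered, e.g. "cart"
    this.pending = [];          // non-necessary writes deferred until a decision
    this.decided = false;       // true once the user clicked accept or reject all
  }

  // The user actively used a service (placed an item in the basket, started
  // checkout). Only from this moment are that service's cookies "absolutely
  // necessary" in the time dimension the guide describes.
  userTriggered(service) { this.requested.add(service); }

  allowed(purpose, service) {
    if (purpose === NECESSARY) return this.requested.has(service);
    return this.consented.has(purpose);
  }

  // Returns true if the value was stored, false if it was blocked. A blocked
  // non-necessary write made before any decision is queued for later replay;
  // a blocked necessary write is simply refused (the service was not used yet).
  write(name, value, purpose, service) {
    if (this.allowed(purpose, service)) {
      this.storage.set(name, value);
      return true;
    }
    if (purpose !== NECESSARY && !this.decided) {
      this.pending.push({ name, value, purpose, service });
    }
    return false;
  }

  // "Accept selected" / "Accept all": grant the listed purposes, replay only
  // the deferred writes now covered by consent, and drop the rest.
  accept(purposes) {
    this.decided = true;
    for (const p of purposes) this.consented.add(p);
    const queued = this.pending;
    this.pending = [];
    for (const w of queued) this.write(w.name, w.value, w.purpose, w.service);
  }

  // "Reject all": nothing deferred is ever written and the queue is discarded.
  rejectAll() {
    this.decided = true;
    this.pending = [];
  }
}

// Worked scenario with constructed events: an analytics cookie is attempted on
// page load, a basket cookie before and after the user adds an item, then the
// user either rejects all or accepts the given list of purposes.
function scenario(decision) {
  const storage = new TerminalStorage();
  const gate = new ConsentGate(storage);
  const log = {};
  log.analyticsOnLoad = gate.write("_ga", "GA1.2.42", "analytics", "analytics"); // blocked, queued
  log.cartBeforeClick = gate.write("cart", "[]", NECESSARY, "cart");              // blocked, basket unused
  gate.userTriggered("cart");
  log.cartAfterClick = gate.write("cart", '["sku-123"]', NECESSARY, "cart");      // allowed now
  if (decision === "reject") gate.rejectAll(); else gate.accept(decision);
  log.stored = storage.names();
  return log;
}
```

With "reject" only the basket cookie ends up on the device; with accept(["analytics"]) the queued analytics cookie is written as well. The point a practitioner should take from the gate is that the decision is made at write time against the user's actual interactions, so a tag manager firing on page load cannot bypass it.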

The EDPS's latest TechDispatch examines card-based payments, which nowadays go well beyond debit and credit cards: contactless payments using Near Field Communication (NFC) or Quick Response (QR) codes and cardless payments via smartphone apps are just a few examples. The key takeaways include analysis of:

  • payment gateways and processors;
  • balancing interests between anonymity and traceability of personal data;
  • necessity and proportionality of customer identification;
  • processing of special categories of data;
  • GDPR-covered roles and responsibilities; 
  • data retention and surveillance, automated decision making and profiling;
  • data security standards, etc.

In the UK, the Information Commissioner's Office (ICO) advised organisations on how to look after customers' personal data when carrying out COVID status checks. Organisations must be clear, open and honest with people about what they are doing with their personal information:

  • display your privacy notice on your website or social media, email it alongside any event information, and put up posters around your venue's entrance;
  • follow the government guidance to determine whether you should carry out purely visual checks, or a digital scan;
  • use only official governmental apps to scan QR codes;
  • don’t create any of your own lists or records with your customers’ status;
  • make sure staff can answer questions about how data will be used and stored;
  • ensure that your staff treat the information that they are checking confidentially;
  • keep up-to-date with the latest advice from the government and the ICO.

Data Breaches, Investigations and Enforcement actions: gamers’ videos, children’s learning data, ex-employee email box

Gaming giant Ubisoft has confirmed an intrusion into its IT infrastructure targeting the popular game Just Dance. The company explained that the incident "was the result of a misconfiguration, that once identified, was quickly fixed, but made it possible for unauthorized individuals to access and possibly copy some personal player data." Ubisoft did not say how many people were affected, but described the exposed data: "The data in question was limited to ‘technical identifiers’ which include GamerTags, profile IDs, and Device IDs as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on social media profiles." Anyone affected will receive an email from Ubisoft and can get more information through the company's support team. Ubisoft also urged players to enable two-factor authentication and reset their passwords.

The Icelandic data protection authority has found that the City of Reykjavík committed multiple violations of the GDPR by failing to meet its data protection obligations when processing children's personal data, DataGuidance reports. The investigation started over a Reykjavík primary school's use of the Seesaw learning app. The regulator found that the City failed to process personal data fairly and transparently, noting that:

  • The processing of personal data was not based on valid consent.
  • Registered students remained identifiable for longer than necessary.
  • The system processed the personal data of students' parents and guardians in order to direct marketing at them.
  • Students' personal data was transferred to the US and processed there without sufficient safeguards.
  • The municipality failed to clarify which party was responsible for the processing, could not produce any data processing agreement, and did not carry out a DPIA.

The City of Reykjavík was ordered to close the schoolchildren's Seesaw accounts and ensure that all their personal data is deleted from the system, but only after a copy of the data has been handed to the children or, as the case may be, retained by the schools.

The Belgian Data Protection Authority (DPA) issued a reprimand to a company for violating Art. 5, 6 and 13 of the GDPR. After the complainant's employment had ended, the company kept their email address and mailbox active, so that a third party could read incoming mail and reply in the complainant's name, DataGuidance reports. The address was still live in the company's systems in January 2020, although the employment agreement had ended in 2019, and the complainant had received no information about any further use of the mailbox beyond being told they would no longer have access to it. The Belgian DPA imposed no fine, considering that publication of the reprimand would be a sufficient warning.

Opinion: ICO’s regulatory powers

The UK Information Commissioner's Office (ICO) has launched a consultation to gather the views of data controllers, their representatives and the public on how it regulates the laws it oversees and enforces. Respondents have 14 weeks to comment on three documents:

  • The Regulatory Action Policy that reinforces the proportionate and risk-based approach to enforcement, and explains the factors taken into consideration before taking regulatory action such as monetary penalties, stop-processing orders or compulsory audits.
  • Statutory Guidance that specifies the ICO’s legal obligations to publish guidance to help organisations navigate the law.
  • Statutory Guidance on the Privacy and Electronic Communications Regulations (PECR), which explains how the ICO enforces the rules on electronic communications such as nuisance calls, emails and texts. It focuses on the ICO's power to issue monetary penalty notices to a person, or an officer of a body, for breaches of PECR, a power that has recently been incorporated into law.

The forms for written responses are available here.

Big Tech: Google and Meta fines in Russia, Meta/Giphy deal, Alibaba-cloud, tech buzzwords 2021

A Moscow court on Friday fined Alphabet's Google about 90 million euros for what it called a repeated failure to delete content Russia deems illegal, the first revenue-based fine of its kind in Russia. The court also fined Meta more than 20 million euros on the same grounds. Russia's communications watchdog Roskomnadzor said Facebook and Instagram had failed to remove two thousand items that violate Russian law, while Google had left 2,600 banned items online. Moscow has also demanded that 13 foreign, mostly US, technology companies, including Google and Meta, establish an official presence on Russian soil by 1 January or face restrictions or outright bans.

Facebook owner Meta has appealed against the UK ruling that it must sell its animated images platform Giphy. The company disputes the finding that its 2020 purchase of Giphy threatens its rivals or could harm competition in display advertising. It is the first time the British regulator, the CMA, has blocked a major digital acquisition. Half of the traffic to Giphy's huge library of looping videos comes from Facebook, Instagram and WhatsApp; its GIFs are also popular with users of TikTok, Twitter and Snapchat. The CMA was concerned that Meta could limit rivals' access or force them to hand over more user data. Meta argued that it would not change the terms of access for competitors, nor collect additional data from the use of GIFs, which carry no online tracking mechanisms such as pixels or cookies. Meta also pointed out that Giphy has no presence, employees, offices or revenues in Britain. The CMA noted that UK users search for 1 billion GIFs a month on Giphy and that 73% of the time they spend on social media is on Meta's Facebook, Instagram and WhatsApp.

Chinese regulators suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations that it failed to promptly report and address a cybersecurity vulnerability. Alibaba Cloud reportedly did not immediately report the recently discovered vulnerabilities in the popular open-source logging framework Apache Log4j2 to China's telecommunications regulator, although it had notified the US-based Apache Software Foundation, which maintains the project. In response the Chinese government suspended its partnership with the cloud unit, to be reassessed in six months. The measure highlights Beijing's desire to tighten control over key online infrastructure and data in the name of national security. The Chinese government has also asked state-owned companies to migrate their data from private operators such as Alibaba and Tencent to a state-backed cloud system by next year.

Finally, to end the year, the Reuters tech team published a guide to 2021's tech buzzwords. If you are still drawing a blank as 2021 wraps up, metaverse, web3, social audio, NFTs, decentralisation, DAOs, "stonks", GameFi, altcoins, FSD beta, fabs and net zero are all explained in this quick guide for anyone whose digital lexicon needs an upgrade.
