Weekly digest January 24 – January 31, 2022: GDPR jurisdictional reach, US surveillance laws, DP Engineering

TechGDPR’s review of international data-related stories from press and analytical reports.


Legal Processes and Redress: GDPR jurisdictional reach, CNIL’s regulatory win over Google, CJEU case laws summary

A recent UK Court of Appeal decision emphasizes the broad geographic scope of both the EU GDPR and the UK GDPR, but also the ongoing uncertainty about their jurisdictional reach, according to the JD Supra publication. In the given case, the court had allowed a claim for contravention of the GDPR to be served on various US parties. In particular, the claimant commenced proceedings against a US-based news outlet over a series of articles and social media posts making a number of “unflattering” allegations about the claimant. In deciding whether to grant permission to serve the claim outside the UK jurisdiction, the court had to determine whether the claimant’s allegation that the GDPR applied had a real prospect of success.

Of particular note was the defendant’s intention to offer goods/services to EU/UK individuals when considering whether a data controller has an “establishment” in the EU/UK. In the given case the platform expressly solicited European subscriptions (priced in sterling and euros) and had secured a number of UK/EU subscribers (albeit only 6). However, the court stated that the UK Information Commissioner should be invited to participate in the case to assist the court when it comes to making a final determination. You can read more details of the case in the original judgment.

In France, the Council of State confirmed the competence of the CNIL to impose sanctions relating to cookies outside the one-stop shop mechanism. The decision follows an appeal by Google LLC and Google Ireland Ltd against the 100 million euro fine imposed by the CNIL in 2020. The case relates to dropping advertising cookies on users’ computers through the google.fr webpage and its search engine without prior consent or satisfactory information. In its decision, the CNIL found violations of the national legislation transposing the ePrivacy Directive (the Data Protection Act). The Council of State noted that the cookies in question were being implemented within the activities of Google France, and that the CNIL was competent under the above law. It therefore did not have to refer the case to the Irish Data Protection Authority, which is the lead authority for Google companies under the GDPR’s one-stop shop mechanism. Read the full decision (in French) here.

The Court of Justice of the European Union (CJEU) has published a fact sheet on personal data protection, covering the EU legal framework and the court’s judgments and opinions in such areas as: a) compatibility of secondary EU law with the right to the protection of personal data; b) processing of personal data within the meaning of the ePrivacy Directive; c) main data protection concepts such as lawful processing and controllership; d) transfer of personal data to third countries; e) protection of personal data on the internet, intellectual property rights, and user consent; f) the competent supervisory authorities, territorial application of EU legislation, etc.

Official Guidance: US surveillance laws, right of access, Connected TV, NRP data, Information security vs IT security 

In Germany, the Data Protection Conference has published (only in German) its expert opinion on US surveillance laws. In particular, for the applicability of Section 702 of the US Foreign Intelligence Surveillance Act (FISA), the term “electronic communication service provider” does not only include classic IT and telecommunications companies, but also companies such as banks, airlines, hotels or shipping service providers. Additionally, it is not necessary in every case for the services to be made available to the public. It may be sufficient, for example, for a company to provide an email service to its employees. Moreover, requests for some datasets may relate to all data in the company, even when the communication service has nothing to do with the main entrepreneurial activity. The report also deals with the questions of whether European companies operating in the US are subject to problematic US law and whether FISA 702 applies extraterritorially.

The EDPB has published its recently adopted Guidelines on data subject rights – Right of access. The right of access for data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights, and is further developed by more specific and precise rules in Art. 15 of the GDPR. However, the right of access under data protection law is to be distinguished from similar rights with other objectives, for example the right of access to public documents, which aims at guaranteeing transparency in public authorities’ decision-making and good administrative practice. The right of access includes three different components:

  • Confirmation as to whether data about the person is processed or not. 
  • Access to this personal data, and  
  • Access to information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third country transfers.

The EDPB guide includes numerous examples and illustrations for data controllers on how to interpret and assess the request, how to answer it, checking limits and restrictions, how to provide access, timing and format, how to deal with requests made by a third party, etc.


The Interactive Advertising Bureau Europe has published its guide to Connected TV (CTV) targeting and measurement solutions. Some contextual flags and metadata segments allow app publishers or CTV channel providers to create identifiers by channel, by genre, or by context for targeting purposes. According to the report, this is still in its infancy but is one of the fastest growing areas across the CTV landscape (e.g., Comscore has already launched more advanced cookie-free CTV audience targeting in Europe based on metadata, content IDs and app bundle IDs). According to the guide, these contextual segments use a “crosswalk between audience behaviours and privacy-friendly contextual signals empowering brands to target CTV content that is the strongest predictor of audience behaviours without user-level identifiers”. Read the full document here.

The transfer and the generalised and undifferentiated automated processing of Passenger Name Record (PNR) data are compatible with the fundamental rights to respect for private life and to the protection of personal data, according to the CJEU Advocate General (Pitruzzella). By contrast, a generalised and undifferentiated retention of PNR data in a non-anonymised form can be justified only where there is a serious, actual and present or foreseeable threat to the security of the Member States, and only on condition that the duration of such retention is limited to what is strictly necessary. The PNR Directive requires the systematic processing of a significant amount of data on air passengers entering and leaving the EU (in the fight against terrorism and serious crime). It also gives Member States the possibility to apply the directive to intra-EU flights. The Advocate General also underlined the importance of an independent supervisory authority in verifying the lawfulness of that processing, conducting investigations, inspections and audits, and dealing with complaints lodged by any person concerned.

The Swedish Authority for Privacy Protection, IMY, published a blog post (in Swedish) on the differences between information security and IT security. Although information today is to a very large extent produced and provided via IT systems, information security concerns all types of information, including, for example, information in paper format. Information security is usually divided into two branches: administrative security and technical security. Data protection is often associated with technical measures such as firewalls, encryption and the like, but administrative security is at least as important:

  • Technical security is typically divided into two parts: physical security and IT security. Physical security covers things like alarms, code locks on office rooms, and safes to protect sensitive information stored on IT equipment or in paper format. IT security covers everything from VPN connections and antivirus to intrusion detection and backup.
  • Administrative security is about ensuring that there are appropriate policies, routines and instructions in place that describe how information should be handled in the organization, for example how employees should handle information, but also how permissions to different IT systems are managed.

Data Breaches, Investigations and Enforcement actions: failed proof of consent, multi-factor authentication, encryption

The Spanish data protection agency AEPD has fined Garlex Solutions (an energy supply consultancy) 15,000 euros over an insufficient legal basis for data processing. The claimant received a phone call from the respondent with an offer to “renew” an electricity supply contract. She subsequently received an SMS with a link to an electricity supply contract with Aldro Energia, in which her personal data appeared. The claimant stated that the data was obtained and processed without her consent. The respondent said that the claimant was contacted with the objective of offering very good conditions for the supply of electricity by Aldro Energia, for which the respondent is a contracted marketer. The usual procedure is to explain the offer and, only if the person is interested and provides their data, to send the link to a pre-contractual deal. The AEPD ruled against the company: as the burden of proof always lies with the data controller, the respondent had to, but could not, provide documentation proving that it had the claimant’s consent to use her personal data and send her a pre-contract. Even if the company obtained the claimant’s data, it did not obtain her consent for its processing and therefore infringed Art. 6 of the GDPR.

Datatilsynet issued notification of an approximately 200,000 euro fine to the Storting, Norway’s parliamentary administration, for not implementing two-factor authentication, DataGuidance reports. In 2020, the Storting was exposed to data breaches, but since then it has not implemented appropriate technical and organizational measures to achieve a sufficient level of security. The attackers had downloaded data, including personal information from the email accounts of elected representatives and the Storting’s employees, covering, among other things, bank and account information, dates of birth, and health information. Possible consequences for those affected by the attack include identity misuse, misuse of payment cards and the use of the information for extortion. The Norwegian regulator believes that if two-factor authentication had been implemented at an earlier stage, the chance of a successful attack would have been considerably smaller. The Storting has three weeks to provide feedback with its views on the case, after which Datatilsynet will assess the feedback and make a final decision.

The Swedish regulator IMY issued administrative sanction fees totaling 180,000 euros against the Uppsala Region after finding that the regional and hospital boards had not taken appropriate security measures when handling sensitive personal data. The IMY had received two reports of personal data incidents involving sensitive personal data sent without encryption to recipients in and outside Sweden. These concern emails with patient data that were sent automatically to the relevant healthcare administrations within the region and manually to researchers and doctors within the region, as well as the storage of patient data on the hospital’s e-mail server. The investigations also show that the processing of personal data in both cases took place in violation of the region’s own guidelines, and indicate shortcomings in the organizational measures to protect the data against unauthorized access.

New York’s Attorney General announced a 600,000 dollar agreement with EyeMed Vision Care that resolves a 2020 data breach that compromised the personal information of approximately 2.1 million consumers nationwide, including tens of thousands in New York state. EyeMed experienced a data breach in which attackers gained access to an EyeMed email account containing sensitive customer information. The compromised information included consumers’ names, mailing addresses, Social Security numbers, identification numbers for health and vision insurance accounts, medical diagnoses and conditions, and medical treatment information. The intrusion gave the attacker access to emails and attachments with sensitive customer information dating back six years prior to the attack. The attacker also sent approximately 2,000 phishing emails from the compromised email account to EyeMed clients, seeking the login credentials for their accounts. The investigation found that EyeMed had failed to implement:

  • multi-factor authentication for the affected email account (the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information);
  • adequate logging of its email accounts, which made it difficult to investigate security incidents.

Data Security: DP Engineering

The EU Agency for Cybersecurity, ENISA, published its report on Data Protection Engineering. The document can be seen as part of data protection by design and by default. It aims to support the selection, deployment and configuration of appropriate technical and organizational measures in order to satisfy the specific data protection principles set out in Art. 5 of the GDPR. The guide helps with the selection of anonymisation and pseudonymisation schemes, data masking and privacy-preserving computation, tools for access, storage, transparency, intervenability and user control, the connection with the DPIA, and privacy enhancing technologies. The report provides conclusions and recommendations for the relevant stakeholders.

Big Tech: WhatsApp privacy policy, Google’s legal fails and victories, Big data & media sector

Consumer complaints have prompted the EU Commission to give WhatsApp until the end of February to clarify changes to its privacy policies. It is unclear whether the new rules infringe EU consumer protection laws. Spearheaded by the European Consumer Organisation (BEUC), the complaint adds that WhatsApp has been unfairly pressuring users to sign up to the new policies, which include sharing some data with Facebook and other companies under the Meta umbrella. When the privacy update was announced it was condemned worldwide, with some users abandoning the service for other platforms such as Telegram and Signal.

Plaintiffs struggling with California’s voluminous Invasion of Privacy Act in an attempt to bring a class action against Google have had their hopes definitively dashed. A federal judge has denied them any further route forward under another of the Act’s many articles. Two claims were dismissed, the judge notably ruling that a user’s disabling of Google’s tracking of their browsing activity via a button did not contractually oblige Google to stop, as the act of clicking did not unilaterally create a contract between Google and the user, despite the possibility, the judge noted, that the consumer might assume it did. More details in the article by Jurist.org.

Meanwhile, Arizona just got hotter for Google, where a judge has ruled in favour of the state’s Attorney General and will send a lawsuit to jury trial, according to Reuters. Lawyers for parent company Alphabet tried to get the case, which focuses on allegations that Google deceived customers with misleading smartphone location tracking settings, thrown out of court. Four other state Attorneys General have launched similar lawsuits, building on the Arizona case, which was filed in 2020.

The UK Department for Digital, Culture, Media & Sport has also published an analytical report on how user data shapes the media sector. It appears that upstream providers of digital devices, several large tech companies among them, are able to exert control over how data can be shared, accessed and used by other organisations, including media businesses. Here are some examples from the report:

  • Currently, many media businesses rely on third party cookies to gather data on user behaviour beyond their own website/app.
  • Google’s announcements (and subsequent delays) of its intention to restrict the use of third party cookies via its services are of great concern to many media organisations. Google’s ‘Privacy Sandbox’ will likely end up driving more business in Google’s own direction.
  • Social media and tech platforms host and distribute a huge amount of the content that press publishers produce. When this happens, these host/distributor platforms have access to first party user data. The publishers, unless the consumer is asked for additional consent, do not.
  • Some TV organisations felt that data about their shows and viewers was being ‘ringfenced’ by the companies who control the operating systems on TVs—the TV manufacturers and large tech firms. The companies, such as Amazon, Google or Apple, were perceived to have a huge amount of control both over what people see and what data is available to the other media providers whose content is watched on them. 
  • Smart speakers and third-party listening platforms were creating a barrier to data access by traditional radio groups, etc. Read the full report here.
