Weekly digest November 22 – November 28, 2021 “Privacy, DP, and Compliance news in focus”

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal Processes and Redress

The EU Parliament Internal Market and Consumer Protection Committee has adopted its position on the Digital Markets Act (DMA). The document sets out prohibitions for companies with “gatekeeper” status and significant market capitalisation in the EU (online intermediation services, social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services). It says, among other measures, that a gatekeeper shall, “for its own commercial purposes, and the placement of third-party advertising in its own services, refrain from combining personal data for the purpose of delivering targeted or micro-targeted advertising” (e.g. A/B testing), except where there is clear, explicit, renewed, informed consent in line with the GDPR. In particular, personal data of minors shall not be processed for commercial purposes, marketing, profiling or behaviourally targeted advertising. If a gatekeeper does not comply with the rules, the Commission can impose fines of not less than 4% and not exceeding 20% of its total worldwide turnover in the preceding financial year. The DMA file is due to be voted on by MEPs in December. Negotiations with EU governments will begin shortly after that.

The EU Commission presented a proposal on transparency and targeting of political advertising and electoral rights. The proposed rules would require any political advert, such as one on the Facebook platform, to be clearly labelled and distinguished from organic content, and to include information such as who paid for it and how much. Political targeting and amplification techniques would need to be explained publicly in unprecedented detail and would be banned where they use sensitive personal data without the explicit consent of the individual. The rules on political adverts must be approved by both the EU Parliament and the Council, and are likely to enter into force by 2024.

The CJEU ruled on “inbox advertising” for the purposes of direct marketing. The display in the electronic inbox of advertising messages in a form similar to that of a real email gives “a likelihood of confusion that could lead a user who clicks on the link corresponding to the advertising message to be redirected, against his or her will, to an internet site displaying that advertisement”. In the related case, two competing electricity suppliers distributed advertisements, via an advertising company, consisting of banners displayed in the email inboxes of users of a free email service. Those messages were not visually distinguishable in the list from other emails in the user’s account, except that the date was replaced by the word “advertising”. The Court reiterated that the “ePrivacy” Directive protects subscribers against intrusion into their privacy by unsolicited communications, whether by automated calling machines, telefaxes, emails or SMS. Such communication is compatible with the Directive only where the recipient has given prior consent. The email service in question is offered in two forms: a free email service funded by advertising and a paid-for email service without advertising. It is therefore important to determine whether the user concerned, having opted for the free email service, was duly informed of the precise means of distribution of such advertising and in fact consented to receiving advertising messages.

Official Guidance

Stiffening anti-Covid measures by governments across the EU lead to employers being authorised to collect employees’ vaccination status data. In Germany, recent legislation obliges employers to monitor compliance with the so-called 3G/2G rules on a daily basis by means of verification checks, and they must also document those checks on a regular basis. Employees are required to provide proof of their vaccination, recovery, or testing status upon request. The law explicitly states that employers may process employees’ personal data for the above purposes. The federal data protection regulator, the BfDI, supports the introduction of a legal basis for such queries in the workplace. Nevertheless, in its opinion the law does not provide enough protective measures for the data of the employees concerned: there are no pseudonymisation measures and no obligation on the inspecting person to maintain confidentiality. In the opinion of the BfDI, it would be sufficient to check employees’ data for access control and then delete it immediately afterwards or at the end of the respective day. Finally, the law does not specify the purpose of storing these, soon to be very large, amounts of data.

“Turn off the microphone (on your smartphone), turn on privacy”, says the Italian regulator Garante, which offers suggestions to avoid “prying listeners”. Smartphone sensors, and microphones in particular, can remain active even when we are not using our device. In this way they could be used to collect information, which can also be used for different purposes by third parties, for example for marketing activities. Apps which, among the access permissions requested at the time of installation, also request use of the microphone are a widespread phenomenon. “Too often, as users, we grant these permissions without thinking too much and without informing ourselves sufficiently about the use that will be made of our data.” The regulator has launched an investigation into the most downloaded apps to check whether they acquire data through the microphone.

For several years, digital stakeholders have been developing alternatives to third-party cookies for targeted advertising. The French regulator CNIL’s guide explains the basics behind “necessary” first-party cookies, “behavioural” third-party cookies, and the alternative techniques used to bypass the growing restrictions against tracking imposed by browsers, such as “fingerprinting”, “single sign-on”, “unique identifiers” or “cohort-based targeting”. The CNIL reminds developers that these technologies must always comply with the data protection legal framework, the GDPR and the ePrivacy Directive, regarding consent and the rights of data subjects to protect their communications and terminal equipment. In particular, the operations necessary to build an individual or group profile and to deliver targeted advertising require the prior consent of the user, whether or not personal data are processed, insofar as they are not directly part of the service requested by the user. In order to ensure that the use of these technologies respects users’ privacy, the CNIL asks for a minimum set of rules:

  • enabling users to keep control over their personal data;
  • enabling the exercise of all data subjects’ rights through user-friendly interfaces;
  • no processing of sensitive data;
  • determining the responsible party or parties (data controller/processor) for the implementation of these techniques within the ad tech supply chain.

Data Breaches, Investigations and Enforcement actions

SmarterSelect, a US-based company that provides software for managing the application process for scholarships, exposed the personal data of thousands of applicants because of a misconfigured Google Cloud Storage bucket, TechCrunch reports. The data spill, discovered by a cybersecurity company, contained 1.5 terabytes of data collected by a number of programs that offer financial support to students. The data included documents such as academic transcripts, resumes and invoices for approximately 1.2 million applications to funding programs. These files contained names, email addresses, phone numbers, student photos, Social Security numbers, parents’ education and income, the students’ performance at school, and personal experiences such as living in a foster home or abusive situations, descriptions of poverty, etc. The company acknowledged the warning before revoking public access to the bucket in October. It is not known whether SmarterSelect has notified those affected, nor whether it has alerted the relevant state attorney general.

The Spanish data protection authority, the AEPD, fined Vodafone España 50,000 euros for violation of national legislation on Information Society Services and Electronic Commerce. The complainant lodged claims with the AEPD over the continued receipt of promotional communications from Vodafone to the complainant’s phone number. The sending of promotional communications had continued a year after the complainant exercised their right to cancellation of services and deletion of their data, a request to which Vodafone did not adequately respond. The aggravating factors to the violation were:

  • the intentional nature of the infringement;
  • the duration of the offence;
  • the repetitive nature of the infringement; and
  • the nature and amount of damage caused to the complainant, who had to proceed with the claim to the AEPD twice.

The Spanish regulator has also fined Unión Financiera Asturiana 9,000 euros for violation of Art. 6 of the GDPR, following the unlawful processing of a complainant’s personal data in the course of its business activities. Unión Financiera had wrongfully continued to process the claimant’s personal data instead of blocking it as they had requested, thus processing the complainant’s personal data without a legal basis. The company did not verify that the data processing had been cancelled, simply telling the claimant that the data was blocked without detailing the actions taken, and later claimed that the claimant had never intended to request the deletion of their personal data. This prompted the claimant to raise a complaint with the AEPD, DataGuidance reports.

Opinion

The EDPB adopted a letter to the European Union Agency for Cybersecurity (ENISA) concerning the compatibility of the European Cybersecurity Certification Scheme for Cloud Services (EUCS) with the Schrems II decision. In the letter, the regulator reiterates that the final certification scheme should be consistent with those obligations, including specific criteria for encryption and key management, to ensure protection against the threat of access by authorities that are not subject to EU legislation and do not offer an adequate level of personal data protection. As an illustration, the EDPB included in the letter its latest Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Big Tech

Italy’s antitrust regulator, the AGCM, has fined Alphabet’s Google and iPhone maker Apple 10 million euros each for “aggressive practices” linked to the commercial use of user data. The authority stated that the two tech groups did not provide “clear and immediate information” on how they collect and use the data of those who access their services. Both Google and Apple said they disagreed with the antitrust decision and would appeal against it. The watchdog added that when users set up their account with Google, the system was designed in such a way that the terms and conditions on data usage were pre-set to be accepted. In the case of Apple, users have no choice on the issue at all, the antitrust regulator added. The fine is the maximum amount the watchdog can apply in these cases, the regulator said.

WhatsApp is rewriting its privacy policy as a result of a huge data protection fine earlier this year. Following an investigation, the Irish data protection watchdog issued a €225m (£190m) fine, the second-largest in history under the GDPR, and ordered WhatsApp to change its policies. WhatsApp is appealing against the fine, but is amending its policy documents in Europe and the UK to comply. Previously, WhatsApp users had complained about an update to the company’s terms that many believed would result in data being shared with parent company Facebook, which is now called Meta. Many thought that refusing to agree to the new terms and conditions would result in their accounts being blocked. The new privacy policy contains substantially more information about what exactly is done with users’ information and how WhatsApp works with Meta.

With its latest Full Self-Driving (FSD) release, Tesla is asking drivers to consent to it collecting video taken by a car’s exterior and interior cameras in the event of an accident or a “serious safety risk”. Tesla has gathered video footage as part of FSD before, but it was only used to train and improve its AI self-driving systems. Under the new agreement, however, Tesla will be able to associate video with specific vehicles. “By enabling FSD Beta, I consent to Tesla’s collection of VIN-associated image data from the vehicle’s external cameras and Cabin Camera in the occurrence of a serious safety risk or a safety event like a collision,” the agreement reads. The new policy and the footage it covers likely protect the automaker against liability in case someone tries to blame a crash or incident on the system when driver error may be to blame. Despite the name, FSD is not an autonomous system. Tesla’s instructions tell drivers to remain alert and prepared to retake control of critical functions at any time.

Google has pledged further restrictions on the use of data from its Chrome browser. Britain’s competition regulator, the CMA, has been investigating Google’s plan to cut support for some third-party cookies, an initiative called the “Privacy Sandbox”, because it is worried the plan will impede competition in digital advertising. Google has said its users want more privacy when browsing the web, including not being tracked across sites. Other players in the $250 billion global digital ad sector, however, have said the loss of cookies in the world’s most popular browser will limit their ability to collect information for personalising ads and make them more reliant on Google’s user databases. Google agreed earlier this year not to implement the plan without the CMA’s sign-off, and said the changes agreed with the British regulator will apply globally.

Chinese regulators have pressed ride-hailing giant Didi Global Inc to devise a plan to delist from the New York Stock Exchange due to concerns about data security. The Cyberspace Administration of China (CAC) has asked management to take the company off the U.S. bourse due to worries about leakage of sensitive data. In July the CAC ordered app stores to remove 25 mobile apps operated by Didi, just days after the company listed in New York. It also told Didi to stop registering new users, citing national security and the public interest. Didi, which has about 377 million annual active users in China, provides 25 million rides a day to users in the country, who sign into its app with a phone number and password. Its apps also offer other products such as delivery and financial services. Didi is reportedly preparing to relaunch its ride-hailing and other apps in China by the end of the year, in anticipation of the end of Beijing’s cybersecurity investigation into the company.
