This article brings together selected regulatory guidance, recent decisions and insights from the Data Protection Authorities (“DPAs”) in Belgium, France, Ireland and the UK as well as from the European Data Protection Board (“EDPB”) and the EU Courts.
Belgium (Autorité de protection des données / Gegevensbeschermingsautoriteit – “APD/GBA”)
The APD/GBA’s main efforts in 2023 will focus on cookies and the role of Data Protection Officers (“DPOs”). The Compliance Department and the Litigation Division will also continue with supervisory measures regarding “data brokers”. (Source: APD/GBA.) (For other initiatives regarding data brokers see UK (Information Commissioner’s Office) below.)
France (La Commission Nationale de l’Informatique et des Libertés – “CNIL”)
On 29 December 2022, the CNIL fined Apple Distribution International 8 million euros for failing to collect the consent of French iPhone users (iOS version 14.6) before depositing and/or writing identifiers (cookies) used for advertising purposes on their terminals.
Following a complaint concerning personalisation of online advertisements (“ads”) in the App Store, the CNIL carried out several investigations in 2021 and 2022. It found that under version 14.6 of the iPhone operating system, when a user visited the App Store, identifiers used for several purposes, including personalisation of ads on the App Store, were automatically placed on the user’s handset without obtaining consent. In practice, the advertising targeting settings (available from the “Settings” icon of the iPhone) were pre-checked by default even though they were not strictly necessary for the provision of the App Store service. Reportedly, Apple has stated that it is “disappointed” with the decision and plans to appeal.
On 19 December 2022, the CNIL imposed a penalty of 60 million euros on Microsoft Ireland Operations Limited. Following a complaint, the CNIL carried out several investigations on the bing.com website in September 2020 and May 2021. It found that when users visited the site, cookies used, among other things, for advertising purposes were placed on their terminal without their consent. As a result, the CNIL fined Microsoft Ireland Operations Limited €60 million, taking account of the scope of the processing, the number of data subjects and the indirect advertising profits generated from the data collected via the cookies. (Source: CNIL.)
Ireland (Data Protection Commission / An Coimisiún um Chosaint Sonraí – “DPC”)
On 23 December 2022, the DPC launched an own-volition inquiry in relation to multiple international media reports highlighting that one or more collated sets of Twitter users’ personal data were available on the internet. (On 5 January, ‘The Register’ reported that information concerning more than 200 million Twitter users was freely available for anyone to download.) The datasets are reported to map Twitter IDs to email addresses and/or telephone numbers of the associated data subjects. In the DPC’s opinion, one or more provisions of the GDPR and/or the 2018 Irish Data Act may have been, and/or are being, infringed regarding Twitter users’ personal data.
On 4 January 2023 the DPC announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with its Facebook and Instagram services. (Meta Ireland was previously known as Facebook Ireland Limited). In its final decisions the DPC has fined Meta Ireland €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service). Further, Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months.
These decisions are based on complaints that, by making the accessibility of its services conditional on users accepting updated Terms of Service, Meta Ireland was “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. Meta Ireland contended that personalised advertising was part of the contract concluded when users accept its Terms of Service.
Following disagreements between the DPC and certain Concerned Supervisory Authorities from other EU Member States, the matter was referred to the EDPB under the dispute resolution process foreseen in the GDPR. The EDPB found that, as a matter of principle, Meta Ireland was not entitled to rely on contract as providing the lawful basis for its processing of personal data for the purpose of behavioural advertising.
Accordingly, in its final decisions of 31 December 2022, the DPC found that Meta Ireland was not entitled to rely on “contract” as the lawful basis for the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on that contractual basis, amounts to a contravention of Article 6 of the GDPR.
Subsequent press reports state that Meta believes it complies fully with the GDPR by relying on contractual necessity for behavioural advertising, given the nature of the services provided by its platforms, and that it will appeal the substance of the DPC’s decision. (Source: DPC.)
USA
On 13 December 2022, the European Commission issued a draft adequacy decision for the United States, which reflects the Commission’s assessment that the United States now ensures an equivalent level of protection for personal data transferred from the EU to the US, following the signature of a US Executive Order by President Biden on 7 October 2022, together with regulations issued by the US Attorney General, Merrick Garland. The draft adequacy decision has been published and transmitted to the European Data Protection Board (EDPB) for its opinion.
In the meantime, please recall that as of 27 December 2022, the old standard contractual clauses (“SCCs”), including those signed before June 2021, can no longer be used to lawfully transfer data to a third country. (This is particularly relevant to data transfers to the USA in the absence of a current ‘Adequacy Decision’ from the EU Commission.)
When the Standard Contractual Clauses (“SCCs”) were updated by the European Commission on 4 June 2021, data exporters and importers were allowed to continue to rely on the previous SCCs for a further fifteen (15) months, after which they are required to either:
• switch to the 2021 updated SCCs; or
• rely on another transfer mechanism.
(Source: EU Commission.)
It may surprise you to learn that digital vehicle license plates for commercial vehicles are street legal in California, Arizona, Michigan and the state of Texas. Several other states are reported to be piloting the technology. In an 11 January 2023 report entitled ‘How to track equipped cars via exploitable e-ink platemaker’, The Register notes that reverse engineers discovered vulnerabilities in the system allowing them to track each plate, reprogram them or even delete them. Apparently, that vulnerability was reported and patched – but the problem appears to have been treated only as a data security issue, without considering the wider data protection issues that would certainly arise in the EU. (Source: The Register, 11 January 2023.)
UK (Information Commissioner’s Office – “ICO”)
Until November 2022, the ICO website said that regulatory reprimands would not usually be published. In his speech to the UK National Association of Data Protection Officers on 22 November 2022, the Information Commissioner, John Edwards, announced that this policy would change. The ICO is now publishing all reprimands that it issues, unless there is a good reason not to (such as matters concerning national security, for example). A list of reprimands is available on the ICO website and is backdated to 1 January 2022.
In July 2018, the ICO launched an investigation into the data broking sector, specifically the provision of offline direct marketing services by key data brokers, including the three largest credit reference agencies (“CRAs”) – Equifax, Experian and TransUnion. Although it has concluded its investigation into the data broking activities of the CRAs, the ICO stated that it has continued to investigate other organisations in the sector.
Amongst other things, the ICO points out that you must have an appropriate lawful basis under the UK GDPR (and indeed the GDPR) for processing personal data. This means that if you intend to seek personal data from a data broking service, or if you seek ‘postcode’ level data to add to the records of your customers (i.e. presumed attributes based on the social and lifestyle factors of people who live in a particular postcode or area), you must be able to demonstrate what your lawful basis for processing is before you obtain the data.
The ICO came back to data broking in a 10 January 2023 post on ‘LinkedIn’, stating: “Simply accepting a data broker’s assurances that the data they supply is compliant isn’t enough. Before you use any data broking service, you must undertake appropriate due diligence to ensure that […] the personal data being offered to you complies with data protection law and the [UK] Privacy and Electronic Communications Regulations (PECR)”. (Source: ICO.) This may indicate that further decisions on this subject can be expected from the ICO in the near future.
European Commission
In a 19 December 2022 Press Release, the European Commission states that it has informed Meta, Facebook’s parent company, of its preliminary view that the company breached EU antitrust rules by distorting competition in the markets for online classified ads. The Commission takes issue with Meta tying its online classified ads service, Facebook Marketplace, to its personal social network, Facebook. The Commission is also concerned that Meta is imposing unfair trading conditions on Facebook Marketplace’s competitors for its own benefit. Accordingly, it has sent a so-called ‘Statement of Objections’ to Meta.
A ‘Statement of Objections’ is a formal step in Commission investigations into suspected violations of EU antitrust rules. The Commission informs the parties concerned in writing of the objections raised against them. Sending a ‘Statement of Objections’ and opening a formal antitrust investigation do not prejudge the outcome of the investigation.
If the Commission concludes, after a company has exercised its rights of defence, that there is sufficient evidence of an infringement, it can adopt a decision prohibiting the conduct and imposing a fine of up to 10% of the company’s annual worldwide turnover.
Controllers and processors could continue to rely on the earlier Standard Contractual Clauses (“SCCs”) for international data transfers, for contracts that were concluded before 27 September 2021, until 27 December 2022, provided that the processing operations forming the subject matter of the contract remained unchanged. (See further ‘USA’ above.) (Source: EU Commission.)
European Data Protection Board (“EDPB”)
On 6 December 2022, the EDPB adopted three dispute resolution decisions on the basis of Art. 65 GDPR concerning Meta Platforms Ireland Limited (“Meta Ireland”). The binding decisions address important legal issues arising from the draft decisions of the Irish DPC, as lead supervisory authority (“LSA”), regarding Meta Ireland’s Facebook, Instagram and WhatsApp services.
(The Facebook and Instagram draft decisions concerned, in particular, the lawfulness and transparency of processing for behavioural advertising. The WhatsApp draft decision concerned notably the lawfulness of processing for the purpose of the improvement of services.)
In its binding decisions, the EDPB settles, among other things, the question of whether or not the processing of personal data for the performance of a contract is a suitable legal basis for behavioural advertising, in the cases of Facebook and Instagram, and for service improvement, in the case of WhatsApp. (See also ‘Ireland – DPC’ above.)
The EDPB will publish its decisions on its website after the Irish DPC has notified its national decisions to the data controller, Meta Ireland. (Source: EDPB.) Following publication of the DPC’s press release concerning its Facebook and Instagram decisions (see above), the EDPB’s publication of those decisions should be forthcoming shortly. (At the time of writing, the Irish DPC had not issued a press release concerning its WhatsApp decision.)
General Court of the EU (“GCEU”)
On 7 December 2022, the GCEU dismissed as inadmissible an action brought by WhatsApp Ireland against a 2021 binding decision of the EDPB. In doing so, the General Court was ruling for the first time on an application for annulment of a binding decision of the EDPB adopted under the GDPR provisions.
On 28 July 2021, the EDPB resolved a dispute about a draft decision of the Irish DPA concerning WhatsApp Ireland Ltd’s (“WhatsApp Ireland”) GDPR transparency obligations to both users and non-users of its service by issuing a binding decision. In particular, the EDPB instructed the Irish DPA to amend its draft decision regarding infringements of transparency and to increase its proposed fine. Following this, the Irish DPA imposed a fine of €225 million on WhatsApp Ireland.
WhatsApp applied to the EU General Court for annulment of the contested decision and, in parallel proceedings, also challenged the decision before a national court in Ireland. The GCEU dismissed the action before it as inadmissible, but also stated that the validity of the contested decision may be examined by a national court hearing an action against the final decision that closed the procedure at the national level.
In principle, the GCEU’s decision of inadmissibility could still be challenged by an appeal (limited to points of law), brought before the EU Court of Justice.
Disclaimer: This general memorandum may not deal with every important topic or cover all important aspects of the subject matter. It is not intended, and should not be used, as a substitute for seeking appropriate legal advice on specific questions.