Key takeaways from December and January include:
- Cookies: Businesses should consider reviewing their cookie compliance following major CNIL fines against Microsoft (€60 million) and TikTok (€5 million) calling for companies to ensure user consent is paramount and that refusing cookies is as easy as accepting them;
- More on cookies: Websites are advised to implement user-friendly cookie consent mechanisms such as prominent “reject” buttons and forgo the use of pre-ticked opt-in boxes, per the Cookie Banner Task Force report, adopted by the European Data Protection Board (“EDPB”);
- GDPR access rights: Controllers responding to data subject access requests may be expected to disclose the specific recipients of the individual’s personal data, and not just categories of recipients, following a recent European Court of Justice (“CJEU”) judgment and Swedish court ruling;
- User consent: Businesses may wish to review their consent flows in light of CNIL fines against Apple (€8 million) and Voodoo (€3 million), ensuring consent is obtained for all trackers and identifiers used for advertising purposes with easily accessible and changeable settings;
- Tech advertising: Companies relying on contractual necessity as the lawful basis for processing personal data to deliver personalized advertising or for service improvements and generalized security may want to consider alternative lawful bases following Irish DPC fines against Facebook (€210 million), Instagram (€180 million), and WhatsApp (€5.5 million);
- ICO transparency changes: Organisations face an increased publicity risk from data breach notifications and enforcement action following the UK ICO’s new practice of publishing records of breach notifications, complaints, reprimands, and audits;
- Identity theft: Data protection obligations and identity theft prevention controls should be considered together, as highlighted by the Spanish AEPD’s recent €30,000 fine against a telecom provider for processing an identity theft victim’s data without consent; and
- Employee monitoring: Employers should ensure that employee monitoring practices are appropriately assessed and consider a lawful basis other than consent, following recent enforcement by the Estonian AIK and Italian Garante that extends a trend amongst DPAs rejecting employer reliance on consent.
These developments, and more, are covered below.
CNIL fines Microsoft €60 million and TikTok €5 million for alleged unlawful cookie practices
What happened: On 19 December 2022, the French CNIL fined Microsoft Ireland Operations Ltd €60 million for:
- depositing cookies serving multiple purposes, including targeted advertising and avoiding advertising fraud, when users connected to bing.com without the users’ consent; and
On 29 December 2022, the CNIL fined TikTok UK and Ireland as joint controllers €5 million for failing to:
- inform users in a sufficiently precise manner about cookie purposes.
When calculating the fine, the CNIL cited the large scale of the data processing and the high proportion of minors (38% were between 13 and 17) as aggravating factors.
EDPB’s cookie banner task force report highlights user-friendly design choices
What happened: In January 2023, the EDPB adopted a final report on the Cookie Banner Task Force’s work. The Task Force was convened in September 2021 following hundreds of cookie banner-related complaints from the European Center for Digital Rights.
Intended to reflect a “minimum threshold” for compliance with the GDPR and ePrivacy Directive, as implemented in the EU Member States, the report emphasises the need for informed consent from users. Best practices include:
- placing a reject button that is prominent enough within the cookie banner to draw user attention;
- not using pre-ticked boxes to obtain opt-in consent;
- avoiding deceptive design choices, such as misleading colours and contrasts;
- implementing a clearly visible icon or link that allows users to withdraw consent at any time;
- not using multi-level banners that may mislead users to believe refusing cookies is not possible;
- classifying cookies as “essential” or “strictly necessary” only when they serve essential or necessary purposes under the ePrivacy Directive or the GDPR; and
- ensuring reliance on the notion of “legitimate interests” for subsequent data processing activities only where an overriding legitimate interest exists.
What to do: Organisations may want to map their existing cookie banner design against the report’s recommendations to ensure alignment with the latest regulatory expectations.
CJEU and Swedish Court find that controllers must disclose specific information about personal data recipients upon request
What happened: On 12 January 2023, the CJEU found that controllers must be as precise as possible in providing data subjects with information about the recipients of their personal data when asked in a data subject access request. Disclosing only categories of recipients was held to be inadequate in response to a request for the specific recipients.
Relatedly, a Swedish Court upheld the Swedish IMY’s 2022 reprimand of Klarna Bank AB for failing to disclose information regarding the specific recipients of personal data to a requesting data subject; providing the categories of recipients only was insufficient.
What to do: Companies should ensure that their existing data subject access request procedures outline that, in keeping with the draft EDPB guidelines, the response should name the specific recipients, unless it is only possible to indicate the categories of recipients or the request is manifestly unfounded or excessive, in which case such exceptions should be justified and documented.
CNIL fines Apple €8 million and Voodoo €3 million for using advertising and technical identifiers on devices without prior consent
What happened: On 29 December 2022, the CNIL fined Apple Distribution International €8 million for failing to collect the consent of French iPhone users (iOS 14.6) before depositing or writing identifiers later used for advertising purposes on their phones. The CNIL found that this practice was not strictly necessary for the provision of the service, the identifiers should not have been deposited without the user’s consent, and the user had to perform a large number of actions to deactivate this setting. When calculating the fine, the CNIL considered the number of affected users and the significant profits made through targeted advertising using these identifiers, while acknowledging that Apple has since reached compliance.
The CNIL also fined smartphone video game publisher Voodoo €3 million for using a technical identifier for advertising without the user’s consent. Voodoo offered an option to deactivate advertising tracking, but even when the user had deactivated it, Voodoo continued to use the user’s technical identifier and processed information linked to their browsing habits for advertising purposes, without the user’s consent and contrary to what was indicated to the user. The number of affected individuals, the financial benefits obtained as a result of the processing, and the company’s recent annual turnover were considered in calculating the fine.
What to do: Businesses should consider verifying their processes for obtaining consent for any trackers and identifiers used for advertising purposes. Businesses should not rely on pre-checked boxes and should ensure that settings are easily accessible and changeable.
Irish DPC finalises investigations into Facebook, Instagram, and WhatsApp
What happened: On 4 January 2023, the Irish DPC issued a press release confirming that it had finalised two investigations into Meta Ireland, following intervention by the EDPB in December 2022. Both investigations concerned the lawful basis relied on for the processing of user data to deliver personalised advertising. The EDPB upheld parts of the Irish DPC’s original determination, but following intervention from several DPAs, also determined that Meta could not rely on its contractual basis argument to deliver personalised advertising and directed the DPC to increase the corresponding fines to €210 million (in the case of Facebook) and €180 million (in the case of Instagram).
The DPC subsequently issued a press release confirming that it had finalised a similar investigation into WhatsApp Ireland and issued a €5.5 million fine. The DPC incorporated an EDPB finding that WhatsApp could not rely on its contractual basis argument to require users to agree to data use for “service improvements” and “security,” with a carve out for “IT security,” reflecting a narrower view of the nature of contractual services than the DPC originally found.
What to do: Businesses may wish to review where they rely on contractual necessity as the lawful basis for processing personal data to deliver personalized advertising or for service improvements and generalized security, and consider where alternative lawful bases may be necessary to ensure such reliance is consistent with the EDPB’s emerging expectations.
UK ICO kicks off transparency push
What happened: Following a November 2022 announcement by UK Information Commissioner John Edwards, the UK ICO has adopted a new policy of publishing on its website all reprimands issued from January 2022 onward. This expands upon the ICO’s developing approach to publishing details of regulatory submissions.
Reprimands will be published unless there is a good reason not to. The Commissioner explained the change on reprimands as motivated by a desire to ensure greater accountability and to inform the rest of the economy about the reasons for the enforcement action. The publication of reprimands will provide additional insight into the ICO’s regulatory expectations and priorities, and potential consequences for non-compliance.
This reflects a marked change from a prior policy to “not usually” publish reprimands but aligns with the ICO now publishing quarterly data sets about the nature of “data protection complaints” it received, self-reported breaches that did not involve investigatory follow up, cyber incidents and investigations that involved ICO inquiries, and individualised audit findings, among others.
What to do: Organisations should keep the ICO’s publication practices in mind when seeking insight into ICO expectations and enforcement practices, when considering publicity risks associated with data subject complaints, breach notifications, and enforcement action, and when it may be in the organisation’s interest to challenge an ICO action.
Spanish AEPD fines telco €30,000 for GDPR violation arising out of consumer identity theft
What happened: The Spanish AEPD fined telecommunications provider Orange Espagne, S.A.U. (“Orange”) for data processing without informed consent. Orange established a mobile telephone contract and SIM card without adequately verifying the customer’s data, resulting in identity theft and data processing of a victim’s personal data without consent.
The AEPD fined Orange €50,000, reduced to €30,000 following an acknowledgement of guilt and voluntary payment.
Highlighting the importance of coordination between data protection and fraud prevention functions, the AEPD outlined remedial measures broadly applicable to consumer businesses, including:
- ensuring controls are in place to manage the risk of identity theft throughout the product/service lifecycle;
- verifying customer information against public data sources (e.g., national census);
- monitoring to detect suspicious concentrations of unpaid customers, accounts or e-commerce transactions;
- designating internal teams to exclusively escalate complaints regarding unrecognised orders, suspicious transactions and asset solvency; and
- using external identity check platforms at the registration stage to reject or accept applications.
What to do: Companies should consider revisiting both existing data processing and fraud prevention policies and procedures to ensure these align with the AEPD’s suggested measures, especially those related to identity checks and validation at the inception of the product-service lifecycle.
DPAs continue objections to employee monitoring on the basis of consent
What happened: In December 2022, Italy’s DPA, the Garante, and Estonia’s DPA, AKI, announced decisions against two companies for unlawful employee monitoring. Both regulators rejected reliance on consent as the lawful basis for the monitoring.
The Garante fined Sportitalia €20,000 for using a biometric fingerprint collection attendance system. Sportitalia claimed it sought informed consent and offered an alternative badge system to those who did not consent, but the Garante believed the company failed to provide sufficient information to employees and did not permit withdrawal of consent.
The AKI ordered hotel company OÜ Laidoneri KV to cease use of CCTV cameras to monitor its employees pending a legitimate interest assessment. It found that signage was inadequate and, going further than the Garante, that consent was not a lawful basis for processing personal data in an employment relationship. Here, where there was no need for the monitoring to fulfil a contractual or legal obligation, only legitimate interests might suffice as a lawful basis.
What to do: As we have covered in previous posts, workplace monitoring practices continue to be scrutinised closely. Companies may wish to review their monitoring practices to ensure that an appropriate lawful basis is established and that employees are provided sufficient information. Given the range of views on whether consent to monitoring can be freely given in an employment context, employers may wish to consider alternative lawful bases. The EDPB guidelines on video monitoring and the UK ICO’s draft guidance on employee monitoring may serve as useful guides.
The cover art used in this blog post was generated by DALL-E.