Legal Watch

Communication and marketing on social media: what are the rules for professionals?

Legal Watch No. 72 – June 2024

Social networks constitute a pool of data that can be used to target prospects.

The use of this data, whether publicly accessible on the social network or through the creation of a network of contacts, remains subject to the law.

It must comply with the principles of the GDPR and the European directive on electronic communications (ePrivacy directive).

The rules are different, for example, if you are contacting a company (“B2B”) or a natural person (“B2C”).

People's expectations will also vary depending on whether or not there is a pre-existing relationship: pay particular attention to compiling information on people who are not part of your network of contacts (for example, collecting names of prospects on discussion groups).

It is important to keep three essential principles in mind: transparency, respect for the rights of the people concerned, and responsiveness to their requests.

  • Provide information about the data collected.

It is recommended:

  • To anticipate the effects of an online communication operation, such as an email campaign, by adding a notice at the end of the message explaining in particular the origin of the data and the purpose of the communication.
  • To provide a notice or a working link that leads to an information page about the data controller and the rights of individuals.
  • To offer a simple means of contact (dedicated email address, contact form or private message on the social network) for requests for access, rectification or erasure of data.

  • Respect the rights of individuals, and obtain their consent where appropriate.

Some prospecting techniques can be more intrusive than others.

On LinkedIn, for example, InMail allows (for a fee) sending messages directly to the inbox of any user who is not a member of your network of contacts.

Some marketing software also allows the import of contacts (including profiles and photos) from social networks such as LinkedIn, Facebook, Twitter, Viadeo, YouTube or Klout for further processing.

These prospecting techniques must comply with the rules of email marketing, as provided for by the GDPR and the ePrivacy Directive.

The following principles are thus recalled:

  • Compliance with opt-in, i.e. obtaining the prior agreement of the recipient of the advertising: this applies to "B2C" advertising sent by email, SMS, MMS, automated calling or fax.
  • Compliance with opt-out, which allows solicitations to be sent as long as the recipient has not objected to them: this applies to "B2B" advertising sent by email and to "B2C" advertising sent by post or telephone.

  • Organize the management of requests from the people concerned.

This involves planning for:

  • A typical response to internet users who, for example, exercise their right to object and/or request access to their data.
  • An internal procedure to process these requests as quickly as possible, the standard time frame provided for by the GDPR being one month.

The responsiveness and effectiveness of the response matter, as they contribute to the online reputation of the data controller.

The French Data Protection Authority (CNIL) has announced that it will carry out checks in connection with the Olympic and Paralympic Games in order to guarantee respect for the privacy of spectators.

It will focus in particular on "augmented" camera devices, QR codes for restricted areas, ticketing services and volunteer data.

The CNIL recorded 167 reports of GDPR violations following the European elections.

It reminds political parties, in the context of the early legislative elections, of the rules to be respected and informs them that it will carry out checks based on the number and nature of the reports that will be received in the context of the elections.

Following the publication of practical guides last April, the CNIL published on June 10 a second series of fact sheets and a questionnaire dedicated to the regulation of the development of artificial intelligence (AI) systems.

These new tools aim to help professionals reconcile innovation with respect for people's rights, and focus in particular on the legal basis of legitimate interest, transparency, people's rights, data annotation and security during the development of an AI system.

The fact sheets are open for public consultation until September 1, 2024.

Finally, in a study published on July 4, the CNIL examines the development of alternatives to tracking via third-party cookies and their consequences (see also, below, the questions raised by Google's "Privacy Sandbox").

European institutions and bodies

On July 1, the European Commission informed Meta of its preliminary findings that its "pay or consent" advertising model does not comply with the Digital Markets Act (DMA, Article 5(2)).

These findings confirm those published by the European Data Protection Board (EDPB) last April.

According to the Commission, this binary choice forces users to consent to the combination of their personal data and does not provide them with a less personalized but equivalent version of Meta's social networks.

These preliminary findings do not prejudge the outcome of the investigation.

Meta now has the opportunity to exercise its rights of defence and to respond in writing.

The Commission will conclude its investigation within 12 months of the opening of the procedure, which took place on March 25, 2024.

Should the Commission's preliminary findings ultimately be confirmed, the Commission could impose fines of up to 10% of Meta's total worldwide turnover, and up to 20% in the event of repeated infringements.

Under the Data Governance Regulation (DGA), the European Commission has published the list of the first "data intermediaries" notified to it by Member States.

Data intermediaries function as neutral third parties that connect individuals and businesses with data users.

Five companies were registered, three of which are in France: AGDATAHUB, Hub One DataTrust, and M-ITRUST. The other two were notified by Finland and Hungary (via the AFCDP).

The EDPB launched the "AI Auditing" project on June 27: it aims to help data protection authorities (DPAs) inspect AI systems by defining a methodology, in the form of a checklist, for auditing an algorithm, and proposes tools that would improve the transparency of such systems.

The European Data Protection Supervisor (EDPS) published its guidelines on "generative artificial intelligence and the protection of personal data" on June 3, in order to provide EU institutions, bodies, offices and agencies with practical advice and instructions on the processing of personal data when using generative AI systems, and to facilitate their compliance with the requirements of the data protection legal framework.

The International Working Group on Data Protection in Technology (IWGDPT) adopted a working document on facial recognition technology on June 5.

The document describes the possibilities of use in the private and public sectors and presents both the risks and practical recommendations for an application compliant with data protection.

On June 20, the Court of Justice of the European Union (CJEU) ruled in case C-590/22 that a data subject's fear that their personal data has been disclosed to third parties is sufficient to give rise to compensation, provided that this fear, with its negative consequences, is duly proven.

It is not necessary to establish that this data has actually been communicated to third parties to justify this compensation (via GDPR news).

The Court also held on June 20, in Joined Cases C-182/22 and C-189/22 (Scalable Capital), that the non-material damage caused by a personal data breach is not, by its very nature, less significant than physical harm.

Furthermore, for an event to be classified as identity theft, personal data must have actually been misused by a third party.

In a judgment of June 6 (Bersheda and Rybolovlev v. Monaco), the European Court of Human Rights held that the investigations carried out by the investigating judge on a lawyer's mobile phone and the massive and indiscriminate retrieval of personal data – including data which had been previously erased by the applicant – exceeded the jurisdiction of this judge, and were not accompanied by safeguards to ensure respect for the status and professional secrecy of the applicant as a lawyer.

Under pressure from civil society and the European Commission, the body responsible for enforcing the Digital Services Act (DSA), LinkedIn has removed ad targeting based on users' sensitive personal data from its platform.

This type of targeting was considered to be in violation of the DSA.

The company Meta confirmed in mid-June that it was pausing its plans to train its AI systems using user data in the EU and the UK.

The project targeted user data from Facebook, Instagram, and Threads.

This decision follows action by the Irish Data Protection Commission, acting on behalf of several DPAs across the EU, in particular the Hamburg authority.

News from European member countries

On June 3, the Belgian DPA imposed a fine of 172,000 euros on a company that had not complied with a request to delete data and had continued to send direct marketing emails.

The data controller's arguments aimed at shifting the blame onto the DPO were not accepted by the DPA: it is the data controller's responsibility to respond to data subjects' requests and to ensure that the DPO has sufficient resources.

In Greece, the DPA imposed fines of 400,000 and 40,000 euros respectively on the Ministry of the Interior and on a Member of the European Parliament for sending unsolicited political communications, the email addresses of the persons concerned having been provided to the MEP by the Ministry of the Interior.

In Luxembourg, the DPA considered that using video surveillance to justify the dismissal of an employee violated the GDPR's principle of purpose limitation where the system had originally been installed to ensure the safety of employees.

In the Netherlands, a court banned Microsoft, LinkedIn and Xandr from placing tracking cookies on third-party websites without user consent, and imposed a penalty of 1,000 euros per company for each day of non-compliance with the decision.

The court held that these platforms remained responsible for collecting valid consent, even when they entrust this collection to third-party websites that integrate their tracking technologies.

In Denmark, the DPA reprimanded the City of Copenhagen for failing to prevent potential access to the personal data of 3.7 million people by 37,500 unauthorized employees.

The Latvian DPA imposed a fine of 1,000 euros on a company offering photography services in an amusement park.

The company took photos of visitors based on implied consent, which could not be considered a positive action.

In Italy, the DPA fined a company 100,000 euros for the unlawful processing of telephone numbers for telemarketing purposes.

The DPA considered that a data controller cannot transfer its responsibility and obligations under the GDPR to its processor by means of a contractual clause.

In Sweden, the DPA fined Avanza Bank AB 1,318,955.55 euros (15 million SEK) for violating Article 5(1)(f) and Article 32 of the GDPR, after the accidental activation of two Meta Pixel functions resulted in the unauthorized transfer of personal data to Meta.

In Poland, the DPA fined a company 54,600 euros after the loss of a USB key containing unencrypted employee data led to a data breach.

On June 13, the NGO noyb filed a complaint with the Austrian Data Protection Authority (DPA) against Google's practices regarding the collection of personal data via its "Privacy Sandbox".

The NGO points out that, since Google announced in September 2023 that it would gradually remove third-party cookies from its Chrome browser, users have progressively been encouraged to activate a so-called "ad privacy feature" which, it argues, in reality allows Google to track them.

On June 4, noyb also filed a complaint in Austria against Microsoft, whose "365 Education" services allegedly violate children's data protection rights.

According to the NGO, when students wanted to exercise their rights under the GDPR, Microsoft stated that schools were "responsible" for their data, even though schools have no control over Microsoft's systems.

The EU Travel Tech association filed a complaint at the end of May with the French and Belgian data protection authorities against Ryanair, concerning its recent introduction of a requirement to process customers' biometric data in order to access booking management and online check-in functions.

The association considers that this biometric verification process violates the GDPR's principles of lawfulness, fairness and transparency (via the AFCDP).

The OECD published on June 26 a report on AI, data governance and privacy protection.

This report reviews national and regional initiatives and suggests potential areas for collaboration.

By advocating for better international cooperation, the report aims to guide the development of AI systems that respect and support privacy.

The OECD also published on June 19 a working document entitled "towards digital safety by design for children".

The document focuses on actions to be taken by digital service providers, and proposes eight key measures, including practical tools, measures to promote a culture of security and damage mitigation strategies.

These elements are illustrated by case studies, which highlight the need to adopt approaches adapted to the context.

The California Privacy Agency (CPPA) and the CNIL have signed a declaration of cooperation, on June 25, 2024, in Paris.

The CNIL indicates that the two authorities intend to combine their efforts to strengthen the protection of personal data of French and Californian citizens.

Nvidia (one of the leading suppliers of semiconductors for AI computing), Microsoft and OpenAI are reportedly the subject of an antitrust investigation in the United States.

According to a Politico report, the Department of Justice (DOJ) and the Federal Trade Commission (FTC) will cooperate on this issue. The DOJ will focus on Nvidia, and the FTC will examine the partnership between Microsoft and OpenAI to determine whether they have an unfair advantage.

On June 12, Japan adopted a law similar to the European Digital Markets Act (DMA).

The text reportedly includes "obligations to ensure interoperability, transparency and data portability".

The law will come into effect at the end of December 2025.

The American company Dropbox announced in early May that it had been the victim of a cyberattack.

The malicious intrusion concerns its secure electronic document signature platform, Dropbox Sign, formerly HelloSign.

The stolen data includes names, email addresses, encrypted passwords, payment information, and authentication information.

The company states that it has reset the passwords of all users and logged out all sessions (via the AFCDP).