APIs at the heart of personal data sharing
Legal Watch No. 61 – July 2023.
Application programming interfaces (APIs) are frequently used to facilitate the sharing of information between public or private organizations.
This data sharing is supported by the legislator, as confirmed by the European digital sovereignty strategy: this aims to develop a single data market "by supporting responsible access, sharing and reuse, in compliance with the values of the European Union and in particular the protection of personal data."
It complements the European strategy on artificial intelligence.
APIs, if they integrate data protection from the design stage of the sharing system, can provide a favorable technical framework, in compliance with the GDPR.
The CNIL (French Data Protection Authority) therefore encourages their use in a recommendation adopted on July 7th.
It particularly emphasizes the importance of a level of security commensurate with the risks of reuse, and of data sharing limited to the minimum necessary.
The recommendation targets three types of actors: data holders, API managers, and data re-users.
The data holder is characterized by the fact that it controls data in a technical or organizational way.
An API manager is the organization in charge of some or all of the technical components on which data sharing is based.
Finally, the data reuser is any organization planning to access or receive data via APIs for its own use.
The CNIL emphasizes that the same organization can hold several roles, for example when the data holder develops the API itself: it is then also the API manager and must follow the recommendations relating to both roles. Identifying one's specific role in the use of an API is therefore essential.
Each category is geared towards measures that enable it to achieve the desired level of security and comply with data protection principles.
The stakeholders are encouraged to cooperate in putting these recommendations into practice.
- Data holders will need to pay particular attention to informing re-users, the accuracy and integrity of the data, and data security (separation and availability, authentication, logging).
- API managers will focus on documentation, data minimization, the exercise of data subjects' rights in relation to the sharing, and security (communications, information systems security, logging).
- Re-users have specific obligations regarding informing the people concerned, minimizing data and also security (risk management, securing keys, logging).
The recommendation addresses specific cases of data sharing, for example between social networks and researchers, or the opening up of government data.
The qualification of the different actors does not prejudge their status as data controller or data processor within the meaning of the GDPR.
However, some guidelines can be drawn: the data holder will generally be the controller of the sharing processing, insofar as it has freely decided on the purposes and means of the processing or has been legally compelled to implement it.
The re-user will often be a "recipient" within the meaning of the GDPR.
For its part, the API manager will act as a processor, that is, on behalf of and under the instructions of the data holder and/or the re-user.
The CNIL's recommendation should soon be complemented by the welcome publication of practical cases on the CNIL's website.
And also

- On July 27, the CNIL published a call for contributions regarding its work on AI.
On this occasion, it gives an initial update on the progress of its work following the publication of its action plan on artificial intelligence on May 16, and launches a call for contributions to inform its thinking, ahead of the first publications planned for the fall.
- The CNIL is also proposing a new "sandbox" to support three projects using artificial intelligence (AI) for the benefit of public services.
The call for projects is open until September 30, 2023.
- As part of its action plan on mobile applications, the CNIL is publishing and submitting for public consultation a draft recommendation, intended to clarify the obligations of the various actors in this ecosystem, to facilitate their compliance and to promote the implementation of good practices.
- More than sixty European NGOs wrote to European Commissioner Thierry Breton on July 26 to ask him for clarification regarding his recent comments suggesting that blocking online platforms could be an applicable and justified measure under the Digital Services Act (DSA).
These comments followed remarks by the French President raising the possibility of blocking access to social media platforms in the context of public order disturbances.
NGOs believe that these comments could encourage the arbitrary blocking of online platforms by governments around the world.
They ask the European Commission to ensure that the implementation and application of the DSA by Member States does not lead to an overly broad interpretation of these measures, which would run counter to its regulatory objectives and violate the EU Charter of Fundamental Rights.
- On June 26, the Council of State ruled that the right of rectification can be used to correct data after a change of identity, but not retroactively to correct documents prior to the change of identity: this prior data cannot in fact be considered inaccurate.
- The National Assembly unanimously adopted on June 28 the bill "to establish a digital majority and to fight against online hate".
The bill was also unanimously adopted by the Senate on June 29, 2023.
The text establishes a digital majority at 15 years old, the age from which a minor will no longer need parental consent to register on a social network.

European institutions and bodies
- On July 10, the European Commission adopted its adequacy decision for the "EU-US data protection framework", concluding that the protection guaranteed by the United States for transferred data is comparable to that offered in the EU.
The new framework came into effect on July 11.
According to the Commission, the American commitments introduce "new binding guarantees to address all the concerns raised by the European Court of Justice, in particular by limiting US intelligence services' access to EU data to what is necessary and proportionate and by establishing a Data Protection Court."
Unsurprisingly, Max Schrems considered that the new transatlantic framework for the protection of personal data is largely a copy of the "Privacy Shield" and that he will challenge the decision in court.
For its part, the European Data Protection Board (EDPB) has published an information note to guide the companies and individuals concerned.
- On July 4, the European Commission published its "Proposal for a regulation laying down additional procedural rules for the application of the GDPR" intended to ensure consistent application of the regulation in cross-border cases.
In a message on Twitter, the EDPB welcomed the Commission's swift response to its requests for clarification.
The proposed regulation is, however, criticized by some NGOs who point out that it risks limiting citizens' participation in complaints they file with DPAs in cases of misuse of their data.
- Connected devices, such as surveillance cameras, refrigerators, and smart TVs, could soon offer better protection against cyberattacks.
EU member states have recently agreed on a common position regarding security requirements for such digital products.
The proposed Cyber Resilience Act would introduce mandatory requirements for the design, development, and production of these devices.
- In a judgment dated July 4, 2023, the Court of Justice of the European Union took a position in a dispute between Meta and the German competition authority (Bundeskartellamt).
The CJEU held that a competition authority can find a violation of the GDPR and, without replacing the data protection authority, remains free to draw its own conclusions from the perspective of the application of competition law.
The CJEU also notes that Facebook is likely to process "sensitive" data inferred from user activity without the user necessarily having wanted to make it public, which rules out the exemption for data manifestly made public by the data subject and brings the processing back under the consent requirement.
The Court also ruled out Meta's recourse to the necessity of performing a contract and legitimate interest to justify the personalization of content.
Finally, it observes that Facebook's dominant position in the social networking market raises concerns about the validity of consent, and that it is up to the operator to prove that consent is indeed freely given.
Meta announced on August 1st that it intends to change the legal basis used for its targeted advertising in Europe: the company will ask for users' consent.
This change is a direct consequence of the decisions of the EDPB and of national and European judicial authorities.
- In the context of discussions on the draft European regulation on media freedom, 80 civil society organizations, media organizations, publishers and broadcasters, as well as trade unions, are calling on the European Parliament to ban the deployment of spyware against journalists, without exception.
- On July 3, civil society groups and Internet experts also wrote to Commissioners Jourova and Reynders to express their deep concern about the UK government's proposed Data Protection and Digital Information (DPDI) Bill, which would turn the UK into a "leaky valve" and undermine the data protection rights of European citizens.
News from European member countries
- The Belgian Data Protection Authority considered that a pharmacists' association, by indefinitely retaining data relating to disciplinary sanctions imposed under an old regulation, violates, among other things, the principles of lawfulness, purpose limitation, data minimization, accuracy and storage limitation.
The association was fined 30,000 euros.
- According to the Belgian Data Protection Authority, a data controller based in the United States whose activity includes the organisation of conferences in Europe is subject to the GDPR and must, among other obligations, appoint a representative in Belgium.
- The Latvian Data Protection Authority considered that the use of a unique personal identifier was insufficient to clearly identify a data subject and prevent the unlawful disclosure of special categories of data by the national health service provider.
The use of additional criteria, such as the name of the person concerned, was necessary.
- The Spanish Data Protection Agency (AEPD) has fined a security guard 10,000 euros for capturing images from a prison's CCTV system and disseminating them via WhatsApp, in violation of Article 6 of the GDPR.
- In a decision dated June 22, the Italian Data Protection Authority fined Italy's motorway company one million euros for failing to identify its role as data controller in the context of the use of cashback services.
- The Icelandic Data Protection Authority has fined the Office of the National Medical Examiner approximately 82,000 euros for multiple GDPR violations following a security breach on its Heilsuvera website, which offers an online healthcare system and prescription portal.
- After auditing four companies that were using Google Analytics on their websites, the Swedish Data Protection Authority (IMY) ordered these companies to stop using the tool.
Two of the companies received administrative fines, while another had already voluntarily stopped using the tool.
The audits were carried out following complaints from the organization noyb, accusing the companies of illegally transferring personal data to the United States in violation of European legislation.
- Following the CJEU ruling mentioned above, the Norwegian Data Protection Authority declared behavioral advertising on Facebook and Instagram illegal.
For the next three months, or until it can demonstrate compliance with Norwegian law, the company is no longer allowed to use this approach.

- In mid-July, the White House presented interim measures in the form of voluntary commitments for "safe, secure, and transparent development and use of AI."
Amazon, Anthropic, Google, Inflection, Meta, Microsoft and OpenAI have agreed to prioritize research on the societal risks posed by AI systems and to encourage the discovery and reporting of problems and vulnerabilities.
However, according to some academic experts, these agreements are far from sufficient.
"The United States continues to offer voluntary measures, while the European Union is about to adopt the most comprehensive AI legislation we have seen to date," said Brandie Nonnecke, founding director of the CITRIS Policy Lab at the University of California, Berkeley.
- Meanwhile, the Federal Trade Commission (FTC) is investigating OpenAI about how ChatGPT works, with detailed questions about its financial revenues, how models are trained and data is processed, security risks and procedures, the generation of content about individuals, external attacks to manipulate the LLM ("prompt injections") and the protection of personal data.
- OpenAI has discontinued its tool for distinguishing between human-generated and AI-generated text: "As of July 20, 2023, the AI classifier is no longer available due to its low accuracy rate." The company is continuing its research to develop a more effective tool.
- Amazon has agreed to pay more than $30 million to settle two lawsuits brought by the FTC for violating the privacy of users, including children, through its Alexa voice assistant and Ring doorbell cameras.
Amazon was accused of retaining Ring video recordings and Alexa voice recordings, along with associated geolocation data, for several years without consent and despite consumer requests to delete this data.
- Singapore's Infocomm Media Development Authority has announced a partnership with Google to support a "tech sandbox" initiative.
This initiative will help companies to "protect user privacy and provide them with tools that allow them to continue accessing data without third-party cookies."
The IMDA-Google partnership is open to all companies based in Singapore.
- The South African information regulator issued a notice of infringement and an administrative fine of 5 million rand (approximately 240,000 euros) to the Department of Justice and Constitutional Development on July 3 for non-compliance with the Personal Information Protection Act (POPIA).
The regulator had issued an injunction in May, asking the ministry to renew certain IT security licenses (anti-virus, anti-intrusion, SIEM) and to initiate disciplinary proceedings against the officials concerned.
- In Vietnam, a decree on the protection of personal data came into effect on July 1st.
It notably provides for the carrying out of impact assessments of data transfers and the appointment of a data protection officer for the processing of sensitive data.
- Meta subsidiaries Onavo and Facebook Israel were fined 20 million Australian dollars on July 26 in Australia for failing to adequately warn VPN users that their data would be collected for commercial purposes.
The penalty, obtained by the Australian Competition and Consumer Commission (ACCC), is the largest ever imposed in Australia regarding privacy protection.