
What are the prospects for data protection in 2025?

Legal Watch No. 78 – December 2024.

The new year will see the continued, gradual implementation of the European Union's "digital package", but also new legislation aimed at strengthening the protection of personal data in the face of cyber threats.

As artificial intelligence becomes more widespread in businesses, decision support can be expected to shift towards more autonomous systems that leave less room for human judgement, with the risks this entails for data quality and data protection.

The AI Act governs these new practices, although most of its provisions will only become applicable in August 2026.

As we will see in the news below, its implementation is already the subject of guidelines, as evidenced by the recent opinion of the European Data Protection Board (EDPB).

Data controllers will also have to take into account the Digital Services Act (DSA), which has been fully applicable since February 17, 2024, and which imposes new obligations, particularly regarding transparency, content moderation and user protection.

According to the French Association of Data Protection Officers (AFCDP), these regulations overlap, and DPOs struggle to maintain the overview needed to ensure consistent compliance. The association cites the example of HR data processing, which can shift from a non-sensitive to a sensitive category depending on the technologies used, such as AI.

"These interactions raise fundamental questions about the harmonious management of legal obligations."

In terms of security, the European regulation on cyber resilience (Cyber Resilience Act, CRA) entered into force on December 10, 2024, and most of its provisions will become applicable in 2027.

The aim of the CRA is to strengthen the protection of consumer and business data against cyber threats. It imposes obligations on manufacturers, importers and distributors of products with digital elements regarding cybersecurity requirements, conformity assessment and the information to be provided to users.

In the same context, the European regulation on digital operational resilience (Digital Operational Resilience Act, DORA) will be applicable from January 17, 2025.

It imposes strict requirements to ensure the digital operational resilience of financial entities and to manage ICT-related risks, particularly those arising from third-party ICT service providers.

The European directive on the security of network and information systems (NIS2) has in principle been applicable since October 17, 2024, the deadline by which it should have been transposed into French law.

The text broadens its scope compared to the NIS1 directive, and specifically targets infrastructures and entities essential to the proper functioning of economic and societal activities in the internal market.

A three-year period is planned for full compliance, but a minimum set of measures should be put in place quickly: registration of the regulated entity with ANSSI, incident notification, and demonstrable investment in security measures.

As the transposition law has not yet been adopted, uncertainties remain today regarding the identification of regulated entities and the concrete steps to be taken.

There is also some uncertainty surrounding the timeline of several European projects: what about the long-running ePrivacy project?

Although the Commission published its first draft regulation in January 2017, the text has still not been adopted and the legislative process remains stalled.

This text is generating lively discussions regarding the application of the principle of consent to cookies and the confidentiality of communications.

We should also mention the potential impact of the Trump presidency on the "Data Privacy Framework" and, more broadly, on data exchanges between the European Union and the United States.

Finally, the GDPR could undergo some updates, particularly concerning data transfers, coordinated investigations by data protection authorities (DPAs), and its alignment with the (future) ePrivacy Regulation.

Last but not least, collective redress is developing in the EU: as we reported last month, the NGO noyb can now bring collective actions in any member state.

There are currently 43 other qualified entities in the EU, including the Irish Council for Civil Liberties and the Finnish Data Protection Ombudsman, who currently chairs the EDPB.

Noyb indicated that it planned to file the first legal actions in 2025.

This is a litigation risk that companies should take seriously.


In a deliberation published in the Official Journal on January 1, the CNIL voiced concerns about the planned changes to the information systems of France Travail.

The law for full employment of December 2023 provides for a renewed support pathway for job seekers, based in particular on data analysis and on data sharing with many regional and local organizations.

The CNIL recommends security measures adapted to the risks.

The CNIL is preparing a GDPR certification for processors. In order to build a suitable framework, it has opened a public consultation running until February 28.

The certification should help guide data controllers in choosing their processors, "by ensuring that the processing carried out by the processor has been assessed as complying with the criteria of a standard recognized by the CNIL".

In a press release dated December 12, 2024, the CNIL announced that it would issue formal notices to website publishers requiring them to modify cookie banners deemed misleading.

The authority reminds publishers that cookies other than those strictly necessary for the service can only be placed after the user has given consent.

Furthermore, refusing cookies should be as simple as accepting them.

It is worth recalling that several DPAs, including the Belgian authority, have already taken a strict position, requiring that the accept and reject options be presented at the same level and with the same degree of visibility.

On December 5, 2024, the CNIL (French Data Protection Authority) imposed a fine of €240,000 on the company Kaspr, in particular for having collected from LinkedIn the contact details of users who had chosen to limit their visibility.

The CNIL orders the company to delete this data or, if it is impossible to distinguish the data whose visibility was limited from other data, to inform the users concerned "within 3 months, of the processing of their data and the possibility of objecting to it".

In addition to the illegal collection of contact details and the lack of transparency in processing, the CNIL also criticizes Kaspr for retaining data for five years, a period deemed excessive for professionals who frequently change jobs.

On November 14, the CNIL fined the telecommunications company Orange €50,000,000 for inserting advertisements into users' email inboxes and for placing cookies on users' devices without their consent.

The company was ordered to bring its practices into compliance or face additional fines.

On February 10 and 11, France will host the Artificial Intelligence (AI) Action Summit.

In this context, the CNIL, the University of Paris-Saclay and the University of Caen-Normandie will bring together experts and researchers on January 23 to discuss how to prevent disinformation, fraud and privacy breaches while still benefiting from AI.

On December 11, the French AI Observatory also organised, in preparation for the AI summit, a seminar on the effects of AI development on work and employment.

Discussions focused in particular on the challenges related to the explainability of decisions made by AI.

On January 3, the Cour des comptes (French Court of Auditors) published a report on the IT security of healthcare facilities.

It notes that "in 2023, 10% of cyberattack victims in France were healthcare facilities. Their vulnerability is linked in particular to the increased interconnection of their information systems with the outside world and to chronic underinvestment in digital technology."

These attacks can have serious effects on the functioning of institutions and on patient care.

Public authorities reacted belatedly by funding a five-year prevention and protection program. This momentum must be maintained.

The Ministry of Health has expressed concern about the development of the "Health" service, a new feature of the Doctolib application, which proposes to centralize the medical information of insured persons.

This feature appears to replicate "Mon espace santé" (My Health Space), the digital health record set up by the State under the law of July 24, 2019 on the organization and transformation of the health system.

On December 12, the NGO noyb filed a complaint against the French social media platform BeReal due to the "dark patterns" used by the company to obtain user consent.

When users open the application, they are faced with a pop-up window asking them to say "yes" or "no" to the use of their personal data for advertising purposes: if they click "accept", they never see the consent banner again.

However, if they reject the targeting, the banner will appear every day until they accept.
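The CNIL's formal notices on misleading cookie banners and the BeReal complaint both come down to how a site stores and honours a refusal. The following is an added example, not code from the newsletter or from any of the companies mentioned: the consent-state logic of a banner, modelled without a DOM so it runs under Node.js. `store` stands in for a first-party cookie or localStorage, the cookie names and the six-month re-prompt interval are assumptions, and `simulateVisits` replays daily visits so the two behaviours can be compared.

```javascript
// Added example (not from the original newsletter). Cookie names and the
// six-month validity period are assumptions for the illustration.

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // assumed re-prompt interval
const DAY_MS = 24 * 60 * 60 * 1000;
const NON_ESSENTIAL_COOKIES = ["_ga", "ad_id"]; // constructed names

// Minimal stand-in for a first-party cookie jar / localStorage.
function makeStore() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => m.set(k, v),
  };
}

// The pattern described in the BeReal complaint: only "accept" is remembered,
// so a user who refused is asked again on every visit until they give in.
const darkPatternPolicy = {
  record(store, decision) {
    if (decision === "accepted") store.set("consent", "accepted");
    // a refusal is deliberately not persisted
  },
  shouldShowBanner(store) {
    return store.get("consent") !== "accepted";
  },
  mayLoadNonEssential(store) {
    return store.get("consent") === "accepted";
  },
};

// Symmetric handling: both decisions are persisted for the same period, both
// suppress the banner, and the banner returns for everyone once the record
// expires or is missing/corrupt, never earlier for refusals alone.
const compliantPolicy = {
  record(store, decision, now = Date.now()) {
    if (decision !== "accepted" && decision !== "rejected") {
      throw new Error("decision must be 'accepted' or 'rejected'");
    }
    store.set("consent", JSON.stringify({ decision, at: now }));
  },
  // Returns "accepted", "rejected", or null when a fresh choice is needed.
  read(store, now = Date.now()) {
    const raw = store.get("consent");
    if (raw === null) return null;
    let rec;
    try {
      rec = JSON.parse(raw);
    } catch {
      return null; // corrupt record: ask again rather than assume consent
    }
    if (rec.decision !== "accepted" && rec.decision !== "rejected") return null;
    if (typeof rec.at !== "number" || now - rec.at > SIX_MONTHS_MS) return null;
    return rec.decision;
  },
  shouldShowBanner(store, now = Date.now()) {
    return this.read(store, now) === null;
  },
  mayLoadNonEssential(store, now = Date.now()) {
    return this.read(store, now) === "accepted";
  },
};

// Replays `days` daily visits by a user who answers `decision` every time the
// banner appears. Returns how often the banner was shown and which
// non-essential cookies were ever set.
function simulateVisits(policy, decision, days, start = 0) {
  const store = makeStore();
  const cookiesSet = new Set();
  let bannerShown = 0;
  for (let d = 0; d < days; d++) {
    const now = start + d * DAY_MS;
    if (policy.shouldShowBanner(store, now)) {
      bannerShown++;
      policy.record(store, decision, now);
    }
    // Non-essential cookies are only set once consent is actually recorded.
    if (policy.mayLoadNonEssential(store, now)) {
      NON_ESSENTIAL_COOKIES.forEach((c) => cookiesSet.add(c));
    }
  }
  return { bannerShown, trackingCookies: [...cookiesSet].sort() };
}

console.log("dark pattern, user refuses, 30 days:",
  JSON.stringify(simulateVisits(darkPatternPolicy, "rejected", 30)));
console.log("compliant, user refuses, 30 days:",
  JSON.stringify(simulateVisits(compliantPolicy, "rejected", 30)));
console.log("compliant, user accepts, 30 days:",
  JSON.stringify(simulateVisits(compliantPolicy, "accepted", 30)));
```

Over thirty daily visits the dark-pattern policy shows the banner thirty times to a user who keeps refusing, while the symmetric policy shows it once for either answer and only re-asks after the assumed six-month period has elapsed, the same period for both choices.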


European institutions and bodies

The EDPB adopted an opinion on AI models on December 18th. This opinion analyzes:

  • How to assess and demonstrate that an AI model is anonymous;
  • Whether legitimate interest can constitute a legal basis for the training or use of AI models;
  • The consequences when an AI model is trained using illegally processed personal data.

According to the Board, whether an AI model is anonymous must be assessed on a case-by-case basis: it must be very unlikely that anyone can (1) directly or indirectly identify the individuals whose data was used to create the model, or (2) extract this personal data from the model through queries.

The opinion provides a list of methods for demonstrating anonymity.

Regarding legitimate interest, the opinion provides guidance for DPAs assessing whether this legal basis is appropriate.

Finally, when an AI model has been developed from unlawfully processed personal data, this could affect the legality of its deployment, unless the model has been duly anonymized.

The European Data Protection Supervisor (EDPS) has adopted a decision finding that the European Commission unlawfully targeted European citizens by showing them advertisements based on "sensitive" personal data concerning their political opinions.

The NGO noyb, which initiated the complaint, indicates that in the context of the debates surrounding the draft regulation known as "Chat Control", the European Commission identified the Netherlands as a member state it wished to influence politically.

To this end, the Commission ran messages on Twitter/X indirectly promoting this regulation, targeted at users with liberal or left-leaning views.


News from the EU member states

German car manufacturer Volkswagen found itself under scrutiny on the eve of the new year after the media outlet Spiegel revealed that it had left the geolocation data of more than 800,000 vehicles in Europe publicly accessible.

For nearly 500,000 of these vehicles, the exposed data gave the vehicle's position with an accuracy of 10 centimetres.

In France, more than 50,000 vehicles from the Volkswagen, Audi, Skoda and Seat brands are said to be affected.

Also in Germany, a Hamburg-based service provider was fined €900,000 by the Hamburg data protection authority for retaining personal data for up to five years beyond the date on which it should have been deleted.

For the DPA, "it is unacceptable that actors working in the digital sectors have not developed a coherent deletion procedure" (via the AFCDP).

In Spain, the DPA sanctioned a car garage that had added its customer file to a WhatsApp group, making the data of 150 customers (phone numbers, names and photos) visible to all members of the group.

The DPA found an infringement of Article 6(1) of the GDPR, which requires a valid legal basis for any processing of personal data, and imposed a fine of €3,000 on the company.

Spain has decided to ban the use of "Google Workspace for Education" in schools.

This decision was made on the basis of a report by the Spanish Data Protection Agency (AEPD), which considers that there is "an invasive collection of personal information".

This report was prepared at the request of the Ministry of Education.

The Irish Data Protection Commission (DPC) announced on December 17 that it had fined Meta €251,000,000 for failing to prevent a data breach that compromised the data of millions of Facebook users and for failing to adequately document the breach.

Two days after the EDPB published its opinion on AI models, the Italian data protection authority (Garante) imposed a fine of €15,000,000 on OpenAI on December 20.

It found that the company had used internet users' personal data to train ChatGPT "without having an adequate legal basis and violated the principle of transparency and related information obligations towards users."

The investigation launched in late 2023 by the Garante also found that the company had not put in place an adequate age verification mechanism to prevent users under 13 from being exposed to inappropriate AI-generated content.

OpenAI will also have to run a communication campaign in the country across various media to raise public awareness of how ChatGPT works and to remind users of their rights.

Can we still use the OpenAI model and the ChatGPT API to provide our own generative AI services?

The Italian decision leaves the question open, specifying that it will be for the Irish authority, as lead supervisory authority, to decide under the one-stop-shop mechanism of Article 56 of the GDPR.

The Italian Data Protection Authority also took a position on November 13 regarding the publication of photos of minors on Facebook, recalling that the consent of both parents is necessary.

In this particular case, the father of a child under 14 years old had shared his photo on Facebook to show his resemblance to his half-brother who also appeared in the photo.

The child's mother, divorced from the father, unsuccessfully asked him to remove the photo from Facebook, and filed a complaint with the APD.

The Dutch DPA also warned the National Archives on December 6 against publishing the Netherlands' wartime archives online.

These documents contain files on people suspected of collaborating with the occupying forces during World War II, including sensitive data such as the religion, political affiliation, health or ethnicity of people who are sometimes still alive.

Even though the archives have undeniable historical value, the way the National Archives intends to make the data public online violates the Archives Act and the GDPR, according to the DPA.

It therefore calls for better control over the conditions of access to the data.

On December 18, the Dutch DPA fined Netflix for failing to properly inform its customers about the processing of their data between 2018 and 2020.

The information that Netflix did provide was also unclear on several points.

For this reason, the DPA imposed a fine of €4,750,000 on the streaming service.

Since then, Netflix has updated its privacy statement and improved its information.

In Sweden, the DPA (IMY) fined a landlord SEK 200,000 (about €17,366) for installing eighteen cameras in the common areas of a residential building and for failing to respond to an access request.


A study, “Tracking Indoor Location, Movement and Desk Occupancy in the Workplace”, published in November, analyzes technologies for monitoring and profiling employee behaviour using motion sensors and Wi-Fi infrastructure inside company premises.

This study focuses on the potential implications for employees in Europe and examines the most widespread solutions offered by Cisco, Juniper, Spacewell, Locatee and other similar technology providers.

Cisco claims to have so far processed 17.2 trillion "location data points" collected via more than three million Wi-Fi access points installed in 250,000 buildings worldwide.

The study briefly addresses how workers resisted the installation of motion detectors by their employers (via the AFCDP).

Following a lawsuit filed by WhatsApp in 2019, a federal judge in California held the Israeli company NSO Group, maker of the Pegasus spyware, liable at the end of December for hacking WhatsApp's systems.

This ruling is regarded as “historic” by opponents of the spyware industry.

According to Will Cathcart, director of WhatsApp, “NSO Group claims to serve governments responsibly, but we have discovered that over one hundred human rights defenders and journalists were targeted in an attack last May; these abuses must stop.”

The US government revealed in early December that China had hacked eight American telecommunications operators (including AT&T, Verizon and Lumen Technologies).

Part of the concern involves text messaging: RCS messages exchanged between an iPhone and an Android smartphone are not end-to-end encrypted across platforms and can therefore be read in transit on a compromised carrier network.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have stated that the hacking campaign, dubbed Salt Typhoon by Microsoft, is one of the biggest breaches in history.

The hackers gained access to call records, to the live phone calls of specific individuals, and even to information subject to law enforcement requests under court orders.

Authorities advise using end-to-end encrypted messaging applications to prevent private communications from being exposed.
