Personal data: can the use of a fundamental right be traded?
Legal Watch No. 54 – December 2022
Commenting on the proceedings against Meta, the parent company of Facebook, WhatsApp, and Instagram, could become tiresome, given how regularly the company attracts the wrath of data protection authorities.
The company has in fact been the most heavily sanctioned of the GAFAM companies since the GDPR came into force, and has just been fined another €390 million.
However, the recent decisions of the European Data Protection Board (EDPB), which were implemented by the Irish data protection authority at the beginning of this year, deserve our attention for more than one reason.
On the one hand, because they constitute the epilogue of a war of words between the Irish data protection authority and its European counterparts, and on the other hand because they clarify the legal framework for advertising profiling in a context that goes beyond the specific case of Meta.
The decisions adopted by the EDPB on 6 December were taken within the framework of the European dispute resolution procedure between national data protection authorities (Article 65 of the GDPR).
These were followed by the publication on 4 January of the Irish authority's final position, which aligns with the EDPB's conclusions.
As lead authority in this matter, Ireland found itself at odds with its peers on issues concerning several data processing operations carried out by Facebook, WhatsApp and Instagram.
The decisions adopted by the EDPB resolve the dispute on three main points: the legal basis for processing (Art. 6 GDPR), the principles of data protection (Art. 5 GDPR) and the use of corrective measures, including fines.
The point of particular interest to us is the question of the legal basis for the company's processing, with Meta considering – with the support of the Irish authority – that user data could be collected for the purposes of behavioral advertising (or service improvement in the case of WhatsApp), using the legal basis of contract performance.
It should be noted that until the GDPR came into force, Meta legitimized behavioral advertising by obtaining user consent.
The company amended its general conditions on May 25, 2018 to include this advertising targeting purpose, which is now considered an integral part of the service it offers, and de facto limits users' control over the use of their data.
The company argued that it did not need to obtain consent because this online targeting is part of the service it provides to users.
Let us recall that consent and the necessity of the data for the performance of a contract are two of the six legal bases listed in Article 6(1) of the GDPR that can justify the lawfulness of processing.
Are these legal bases interchangeable?
The European doctrine on this matter is clear, and has just been confirmed: contractual necessity must be interpreted narrowly and the data collected must be strictly necessary for the service provided, as is the case, for example, with the collection of credit card data for online payment.
In its opinion of 8 October 2019 on online services, the EDPB already considered that behavioural advertising is not a necessary element of online services.
An online retailer that wishes, for example, to create profiles of a user's tastes and lifestyle choices based on visits to its website cannot rely on the execution of a purchase contract to create these profiles.
Even if profiling is specifically mentioned in the contract, this fact alone does not make it “necessary” for the performance of the contract.
If the online retailer wishes to carry out this profiling, it must rely on another legal basis.
This position was confirmed by the EDPB in its guidelines of 13 April 2021 on the targeting of social media users.
It should be noted, however, that a growing number of online services present themselves as free when in reality they are paid for with user data, which constitutes the counterpart of the online service.
Can we therefore “pay with our data”?
This question of data contractualization is not new, but it arises with certain acuity today.
Even if the advertisements serve to support the service, processing for direct marketing purposes is in principle considered to be different from the objective purpose of the contract between the data subject and the service provider, which implies that the user must remain free to consent or not to advertising targeting.
In 2017, the European Data Protection Supervisor warned in an opinion on contracts for the provision of digital services "against any new provision that would introduce the idea that people can pay with their data in the same way they can pay with money."
Indeed, fundamental rights, such as the right to the protection of personal data, cannot be reduced to the sole interests of consumers, and personal data cannot be considered as a simple commodity.
Some will consider that paying with your data does not mean giving up your fundamental rights.
We should also note the CNIL's ambiguous position on the subject of "paywalls" which make access to a website conditional on payment for users who refuse the use of cookies, with the Commission stating on its website that it examines these issues on a case-by-case basis.
Should we therefore expect Meta to charge users who refuse advertising profiling?
As the NGO NOYB, which brought the complaint against Meta, rightly points out, the dispute settled by the EDPB only concerns this profiling, and has no impact on other forms of advertising such as contextual advertising, based on the content of a page.
The EDPB's position will certainly have an impact on Meta's finances, but does not rule out advertising entirely.
On the contrary, it should restore healthy competition between Meta and other online service providers, as well as between companies subject to Irish law and those established elsewhere in Europe.
And also
France:
On December 19, 2022, the CNIL sanctioned the company MICROSOFT IRELAND OPERATIONS LIMITED to the tune of 60 million euros for illegal use of cookies on its search engine “bing.com”.
The company is accused of not having implemented a mechanism allowing people to refuse cookies as easily as accepting them.
The CNIL justifies this amount by the scope of the processing, by the number of people concerned and by the profits that the company derives from advertising revenue indirectly generated from the data collected by cookies.
On November 30, 2022, the CNIL imposed a penalty of 300,000 euros against the company FREE.
The inspections revealed several breaches, particularly in the rights of the persons concerned (right of access and right to erasure) and in data security: the Commission highlighted the weak strength of passwords, the storage and transmission of passwords in clear text, and the recirculation of around 4,100 poorly reconditioned "Freebox" boxes.
It further rejected the argument that the controller's sources of personal data should be considered "trade secrets".
In a publication dated December 5, 2022, the CNIL recalls the rules to be respected when selling a customer file for commercial purposes: the file must only contain the data of active customers and for a maximum period of three years after the end of the commercial relationship, only the data of customers who have not opposed the transmission of their data or who have consented to it may be sold, and the purchaser must ensure that the rights of individuals are respected (in particular, clear information and consent to electronic prospecting).
Finally, on January 4 the CNIL fined APPLE INTERNATIONAL DISTRIBUTION 8 million euros for not having collected the consent of French iPhone users running the old iOS version 14.6 before depositing and/or writing identifiers used for advertising purposes on their devices.
Europe:
The Swedish Presidency of the Council of the EU published its priorities for the next six months on 14 December: digital technology is not at the top of the agenda, given current debates regarding economic and energy security and resilience in the context of the Russo-Ukrainian conflict.
Sweden nevertheless specifies that it will continue the work started regarding the data regulation ("Data Act"), the "privacy and electronic communications" regulation as well as the proposal for a regulation relating to a European health data space.
This draft decision aims to provide a lasting legal basis for EU-US transfers following the "Schrems II" judgment of the Court of Justice of the EU of July 2020, which invalidated the "Privacy Shield".
Before a final decision can be adopted, the draft still needs to be reviewed by the European Data Protection Board (EDPB) and approved by the committee of representatives of the EU Member States.
The European Parliament also has a right to review adequacy decisions.
The European Commission published on 15 December 2022 a declaration on digital rights and principles for the digital decade.
The declaration aims to guide policymakers in their vision of digital transformation along the following lines: a citizen-centered digital transformation, supporting solidarity and inclusion, a reminder of the importance of freedom of choice in interactions with algorithms and artificial intelligence systems, and increased safety, security and empowerment, especially for children and young people, while guaranteeing the right to privacy and control of individuals over their data.
After a year of investigation, the EU Ombudsman has published her decision dated 19 December 2022, concerning the complaint by the Irish Council for Civil Liberties (ICCL) against the European Commission for failure to adequately monitor Ireland's application of the GDPR.
This decision emphasizes the need for better monitoring by the European Commission of the progress of each Big Tech case brought before the Irish Data Protection Commission.
In a judgment dated December 8, the Court of Justice of the European Union clarified the conditions under which European citizens can obtain from Google the removal of search results concerning them.
The case involved two investment managers who asked Google to delist the results of a search carried out using their names, which provided links to certain articles criticizing their investment model.
The Court ruled that "the right to freedom of expression and information cannot be taken into account when, at the very least, a part – which is not of minor importance – of the information found in the referenced content turns out to be inaccurate." People who want to remove inaccurate results from search engines must provide sufficient (and reasonable) evidence that what is said about them is false.
The Dutch Data Protection Authority published a statement on December 22 regarding its powers to supervise algorithms in matters of transparency, discrimination and arbitrariness.
Also in the Netherlands, a study by the Dutch privacy group Incogni reveals that many popular shopping apps, including Amazon's, come with questionable practices regarding sharing access permissions with advertising libraries, which allows ad networks to indirectly access the device.
The Greek data protection authority has fined Vodafone PANAFON SA €150,000 for failing to take appropriate technical and organisational measures to protect the security of its electronic communications services.
The Icelandic data protection authority ordered a car repair shop to comply with an access request under Article 15 of the GDPR and provide the data subject with data relating to all repairs and services carried out on their car while it was in the shop's possession.
The Portuguese data protection authority has reprimanded and fined the Municipality of Setubal €170,000 for violating the principle of integrity and confidentiality, the principle of storage limitation and the information obligations provided for in Article 13 of the GDPR, and for failing to appoint a data protection officer, in connection with the collection of personal data of Ukrainian refugees who used a telephone helpline in Portugal.
The Portuguese Data Protection Authority also sanctioned the National Institute of Statistics for non-compliance with the GDPR, including for sending personal data from the 2021 census to the United States and for failing to conduct a data protection impact assessment.
The Italian data protection authority has fined Alpha Exploration €2,000,000 for operating the social network Clubhouse in violation of the GDPR's provisions on lawfulness and transparency, for failing to assess the risks arising from the processing, and for appointing an EU representative without the requisite mandate to act on behalf of the controller.
The Italian data protection authority also fined telecoms operator Vodafone Italia €500,000 for processing personal data for direct marketing purposes without a legal basis, for obtaining generic consent for separate data processing operations, and for providing information on the processing of personal data in an incomprehensible manner.
The Spanish data protection authority fined a 16-year-old teenager €5,000 for using videos and photos received via WhatsApp to blackmail a 13-year-old minor who could not give valid consent. The DPA also ordered the teenager to delete all other personal data concerning the data subject and to report on the measures taken to this effect.
International
UNITED STATES: Epic Games, maker of the video game Fortnite, will have to pay more than half a billion dollars for violating the Children's Online Privacy Protection Act (COPPA), changing default privacy settings, and tricking users into making unwanted purchases.
The Federal Trade Commission's settlements with Epic Games were made public by the FTC on December 15.
In a December 29 publication, The Guardian reports that Chinese surveillance camera maker Hikvision has developed a software platform to help police track the activities of protesters.
Chinese police could thus set up alerts for various types of demonstrations, such as "gathering of crowds disturbing order in public places", "illegal assembly, procession, demonstration" and threats of "petition".
On December 14, 2022, OECD countries adopted the first intergovernmental agreement on privacy safeguards for government access to personal data for national security and law enforcement purposes.
The principles define how legal frameworks regulate government access, the legal standards applied when access is requested, how access is approved and how the resulting data is processed, and efforts to ensure transparency to the public.
Technical solutions are being developed to enable both users to control the use of their data and data controllers to manage online data in accordance with data protection principles.
In addition to Global Privacy Control, which is now seeing its use expand in the context of online consent management, the CookieFirst consent management platform offers advanced control to users for third-party services and the cookies they set, and uses EU-based subcontractors for data storage.
Anne Christine Lacoste
Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.