Legal Watch

Anonymization or pseudonymization: qualifications that evolve over time?

Legal Watch No. 75 – September 2024.  

On September 5, 2024, the CNIL fined Cegedim Santé 800,000 euros for processing health data without authorization.

The supervisory authority notes that this data remained identifiable even though it was presented as anonymous.

This sanction gives us the opportunity to review the subtleties of the GDPR regarding the anonymization and pseudonymization of data.

Cegedim publishes and sells management software to general practitioners working in private practices and health centers.

These software programs allow doctors to manage their schedules, patient files, and prescriptions.

Customers also have access to a database enabling the production of studies and statistics in the field of health.

The checks carried out by the CNIL in 2021 notably revealed that the data processed by the company – without prior authorization – were pseudonymous health data, therefore identifiable.

Only completely anonymous data is exempt from the obligations of the GDPR.

However, the anonymization process is particularly demanding.

In this particular case, Cegedim had put in place a procedure aimed at deleting identifiers, and in the context of previous findings dating from 2012, the CNIL had also considered that the data processed was indeed anonymous.

The Commission has today revisited these findings, specifying that the current context of doctrine and case law must be taken into account to assess the possible re-identification of data.

Thus, data that was anonymous ten years ago may not necessarily be so today: "To establish whether means are reasonably likely to be used to identify a natural person, it is necessary to take into consideration all objective factors, such as the cost of identification and the time required for it, taking into account the technologies available at the time of processing and their evolution."

More specifically, the CNIL – like its European counterparts since 2014 – has specified the requirements to be respected within the framework of an anonymization procedure.

It explains the main anonymization techniques:

  • randomization (which aims to modify the attributes in a dataset so that they are less precise, while preserving the overall distribution) and
  • generalization (which consists of modifying the scale of the attributes of the datasets, or their order of magnitude).

The CNIL advises:

  • To identify the information to be retained, according to its relevance;
  • To remove direct identifying elements as well as rare values that could allow for easy re-identification of individuals;
  • To distinguish important information from secondary or useless information;
  • To define the ideal and acceptable level of detail for each piece of information stored.

Three criteria can be used to ensure that a dataset is truly anonymous:

  1. Individualization: it must not be possible to isolate an individual in the dataset;
  2. Correlation: it should not be possible to link together distinct sets of data concerning the same individual;
  3. Inference: it should not be possible to deduce, with near certainty, new information about an individual.

In the case of Cegedim, the criterion of individualization was not respected: the service made it possible to track people continuously over time using a unique identifier and to add to the data concerning them.

This made it possible to isolate an individual in a dataset and therefore increased the risk of the pseudonymity being lifted.
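The individualization criterion can be tested directly on a dataset. The Python code below is an added example, not taken from the CNIL decision or from Cegedim's software: the records, the field names (`pid`, `dx`, etc.) and the helper functions are constructed for illustration. It shows that generalization removes singling-out by attributes, while a stable per-patient identifier still lets accumulated events isolate individuals.

```python
from collections import defaultdict

# Constructed sample rows: names already removed, but every row keeps a stable
# per-patient pseudonym "pid" (all field names and values are hypothetical).
RECORDS = [
    {"pid": "a91f", "year": 2021, "birth_year": 1957, "postcode": "75011", "dx": "E11"},
    {"pid": "a91f", "year": 2022, "birth_year": 1957, "postcode": "75011", "dx": "I10"},
    {"pid": "c07b", "year": 2021, "birth_year": 1953, "postcode": "75018", "dx": "E11"},
    {"pid": "c07b", "year": 2022, "birth_year": 1953, "postcode": "75018", "dx": "N18"},
    {"pid": "e3d2", "year": 2021, "birth_year": 1984, "postcode": "69003", "dx": "J45"},
    {"pid": "5b6a", "year": 2021, "birth_year": 1988, "postcode": "69007", "dx": "J45"},
]
QUASI = ("birth_year", "postcode")

def generalize(row):
    """Generalization: coarsen the scale of the quasi-identifiers."""
    out = dict(row)
    out["birth_year"] = row["birth_year"] // 10 * 10   # year -> decade
    out["postcode"] = row["postcode"][:2]              # postcode -> department
    return out

def singled_out_by_attributes(rows, keys=QUASI):
    """Persons who are alone in their quasi-identifier class."""
    classes = defaultdict(set)
    for r in rows:
        classes[tuple(r[k] for k in keys)].add(r["pid"])
    return sorted(next(iter(p)) for p in classes.values() if len(p) == 1)

def singled_out_by_history(rows, keys=("year", "dx")):
    """Persons whose pid-linked set of events is unique in the dataset."""
    history = defaultdict(set)
    for r in rows:
        history[r["pid"]].add(tuple(r[k] for k in keys))
    owners = defaultdict(list)
    for pid, events in history.items():
        owners[frozenset(events)].append(pid)
    return sorted(p[0] for p in owners.values() if len(p) == 1)

if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw attributes single out:  ", singled_out_by_attributes(RECORDS))
    print("after generalization:       ", singled_out_by_attributes(coarse))
    print("via pid-linked history:     ", singled_out_by_history(coarse))
```
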

Finally, it should be noted that the person responsible for setting up a health data warehouse can only implement it after authorization from the CNIL or on the condition that it complies with a standard.

In the event of subcontracting, the responsible party must include in the subcontracting agreement all the requirements necessary to ensure compliance with the regulations, particularly with regard to data security.

In most of the data breach cases making headlines today (see below), the weak link at the origin of the breach was the subcontractor.

 

 

The composition of the new government has been known since September 21, with some new developments concerning digital issues.

"Digital sovereignty" disappears from the title of the Ministry of Economy and Finance, and digital affairs are attached to the Minister of Higher Education and Research.

Finally, the title of the secretariat in charge is now: Artificial Intelligence and Digital Technology.

For Henri d'Agrain, general delegate of Cigref (an association representing businesses and government agencies in the digital sector), this title "fails to capture the importance of the cloud, data, and AI continuum, which any serious public policy in this area must embrace." He adds that "the emphasis on artificial intelligence in this title should be considered in light of the ambitions of the Élysée Palace for the AI Action Summit, which will be held in Paris in February 2025."

Following a public consultation, the CNIL published on September 24 the final version of its recommendations to help professionals design privacy-respecting mobile applications.

It will ensure, from 2025 onwards, that these are properly taken into account through a specific control campaign.

The CNIL intends to clarify and regulate the role of professionals, and to ensure the quality of information and consent of mobile application users.

After SFR last month, it is now Free's turn to warn its customers of a data leak.

Among the data accessed by the attacker were at least the name, surname, telephone number, and postal address of customers.

In addition to these two operators, many French retailers including Boulanger, Cultura, Truffaut and Grosbil were victims in mid-September of the hacking of their delivery data, which was published and resold on the dark web by the same hacker.

The risks to individuals generally concern identity theft and obtaining data related to their address.

As for Cultura, which specializes in selling cultural products, the contents of shopping baskets have also been leaked, providing precise information on buyers' reading habits, with potentially very intrusive consequences.

In most of these attacks, the hacker had targeted a service provider of the companies involved.

On September 25, the social chamber of the Court of Cassation issued a judgment by which it invalidated the dismissal of an employee based on the interception of emails sent from his professional address.

The Court recalls that "the employee has the right, even at the time and place of work, to respect for the privacy of his private life.

This particularly involves the confidentiality of correspondence.

The employer cannot, therefore, without violating this fundamental freedom, use the content of personal messages sent or received by the employee using a computer tool provided for work purposes, to discipline them."

 

European institutions and bodies

On September 25, the Commission brought together key players in the AI sector in Brussels to celebrate the first 100 signatures of the commitments of the AI Pact.

The signatories are multinational corporations and small and medium-sized European companies from various sectors. So far, Meta and Apple have not signed this Pact.

The voluntary commitments in the document invite participating companies to commit to carrying out at least three fundamental actions:

  • Adopt an AI governance strategy to promote AI adoption within the organization and work towards future compliance with AI regulations.
  • Identify and map AI systems that may be classified as high risk under the AI regulation.
  • Promote staff awareness of AI.

Companies are encouraged to make other commitments tailored to their activities, including ensuring human oversight, mitigating risks and transparently labeling certain types of AI-generated content, such as "deepfakes".

The Court of Justice of the European Union (CJEU) held in a judgment of 4 October (C-621/22) that a commercial interest can be a "legitimate interest" within the meaning of Article 6(1)(f) of the GDPR, insofar as it is not contrary to the law.

While this position may seem obvious, it had not been so in the Netherlands for some years: according to the Dutch Data Protection Authority (DPA), a legitimate interest had to have a basis in law.

The Court reiterates that such a requirement is excessive, and that it is sufficient for the purpose not to be contrary to the law. It should be noted that this decision does not constitute a carte blanche for all marketing practices: a balancing of the interests and rights at stake must always be carried out.

Also on October 4, the CJEU issued a ruling in case C-446/21 in which it supports legal action brought against Meta regarding its Facebook service.

The questions concerned the limitation of the use of personal data for online advertising and the limitation of the use of publicly available personal data to the purposes originally intended for publication.

On the same day, the CJEU also validated in case C-21/23 the possibility for a company's competitor to bring an action before the civil courts, on the basis of the prohibition of unfair commercial practices, in order to stop a violation by that company of the substantive provisions of the GDPR.

It should be noted that case law in this sense already exists in French law.

The CJEU held on September 26 (Case C-768/21) that when a data breach has been established, DPAs are not required to exercise corrective power under Article 58(2) of the GDPR, when it is not appropriate, necessary or proportionate to remedy the identified deficiency.

According to the Court, after analyzing all the circumstances of the case, data protection authorities may refrain from exercising such corrective power, for example when the controller has implemented appropriate technical and organizational measures to ensure that the violation ceases and does not recur.

The Court finally held in a judgment of 12 September (Joined Cases C-17/22 and C-18/22) that not only a legislative act but also national case law could stipulate a legal obligation, in accordance with Article 6(1)(c) of the GDPR, to disclose to a shareholder the identity of all other shareholders concerned.

Following initiatives in France, Denmark, Spain and Germany in the field of online age verification, the European NGO EDRi and 63 organizations, academics and experts in privacy, encryption, child safety, sex worker rights and consumer rights published a joint statement on September 16.

It urges the European Commission to prioritize effective child safety measures, while expressing serious concerns about the adequacy, proportionality and negative impact on fundamental rights of the current proposals.

 

News from the member countries of the European Union.

A resolution published on September 11 by the Conference of Independent Data Protection Authorities of Germany (DSK) provides practical recommendations for the framework for transfers of personal data within the context of "Asset Deals" concerning personal data held by companies: data of the company's customers and prospects, its employees, business partners, etc.

In Germany, the Hamburg DPA adopted a controversial document on large language models (LLM).

The authority thus concluded that LLMs do not store personal data and that this conclusion is in accordance with the opinion of the CJEU.

However, the input and output data of an AI system can constitute personal data, unlike the training phase, with the consequences that this implies: requests for access, erasure or rectification can therefore relate to this data.

In Belgium, Flanders is distancing itself from the federal government on matters of privacy protection.

The newspaper Le Soir announced on September 1st that Jan Jambon, the Flemish Minister-President, had ordered his ministers on September 20th, a few days before leaving his post, to no longer submit draft decrees and decisions to the Federal Data Protection Authority (APD), but to its regional body, the Vlaamse Toezichtcommissie (VTC).

In fact, since 2019, the Flemish government had already been systematically bypassing the APD by passing its decrees through the VTC, despite a March 2023 ruling by the Constitutional Court recalling that the Flemish government had to go through the APD to adopt its texts.

Today the Minister-President wants to formalize Flemish competence: he has sent a letter to the European Commission requesting recognition of VTC competences with regard to the GDPR.

The Belgian Data Protection Authority (APD) fined a data controller 100,000 euros for failing to respond in a timely manner to a data subject's access request.

The APD nevertheless rejected the request from the person concerned to receive information on the specific employees who accessed his data.

Also in Belgium, the Disputes Chamber of the APD rejected on September 6 the validity of the representation mandate presented by Noyb in a case concerning the integration of Google Analytics scripts into a website at the time when the Privacy Shield had been invalidated by the CJEU.

The Disputes Chamber considered that the mandate constituted an abuse of rights on the part of Noyb.

In a separate case, the Belgian Data Protection Authority (APD) nevertheless upheld several complaints filed by Noyb in 2023 and ordered four major Belgian news sites to bring their cookie banners into compliance with the GDPR.

The Spanish data protection authority published a report on October 2nd on the processing of personal data and the verification of children's age in the digital environment.

The document argues for the development of proactive protection policies by information society services.

The Spanish Data Protection Agency (APD) has fined a fintech company 72,000 euros for implementing insufficient customer identity verification measures, which allowed fraudsters to take out a loan in the victim's name without their knowledge.

On September 27, the Irish Data Protection Commission (DPC) fined Meta 91 million euros.

The decision relates to the measures taken by the company to ensure a level of security appropriate to the risks associated with the processing of passwords and the obligation to document and notify the DPA of data breaches.

The authority reminds data controllers that they must assess the risks inherent in storing users' passwords and implement measures to mitigate these risks.

On September 12, the APD also announced the opening of an investigation against Google concerning the use of personal data of European users to develop an artificial intelligence model in the field of translations.

The investigation concerns the AI model "Pathways Language Model 2" (PaLM 2), launched by Google in 2023, without a data protection impact analysis having been carried out.

In Italy, the APD fined an energy supplier €5,000,000 for failing to implement adequate measures to ensure compliance with the GDPR by its subcontractors.

This allowed them to conclude contracts with the people concerned without their knowledge.

The Portuguese Data Protection Authority (APD) has fined a data controller 107,000 euros for repeatedly sending unsolicited commercial communications.

The data controller was held responsible even though the dispatches had been carried out by a subcontractor using its own database.

 

A report by the U.S. Federal Trade Commission (FTC) published on September 19 reveals that major social media and video streaming companies have engaged in widespread user surveillance with lax privacy controls and inadequate protections for children and teenagers.

The report recommends limiting data retention and sharing, restricting targeted advertising, and strengthening protections for teenagers.

The Chinese government published on September 30 the "Regulations on Network Data Security Management", which will come into effect on January 1, 2025. 

The text aims to regulate network data processing activities, protect the rights and legitimate interests of individuals and organizations, and safeguard national security and public interests.

Also in China, the National Information Security Standardization Technical Committee (TC260) has published an information security governance framework concerning AI.

The document contains a series of principles and provides a useful classification of AI-related risks and technological measures to address them.

IBM has published a report on the cost of data breaches for 2024.

Among the report's conclusions, it is worth noting that:

  • The average total cost of a data breach is $4.88 million, and data breaches are most expensive in the United States;
  • The shortage of cybersecurity skills has worsened;
  • Nearly half of the breaches concern personal data (46%) or intellectual property records (43%);
  • Law enforcement intervention reduces ransomware costs by an average of $1 million;
  • 292 days are required to identify and contain breaches involving stolen credentials.

Instagram now offers teen accounts with stricter security settings, allowing parents to restrict app use.

Teen accounts are specifically designed to protect minors from harmful content and unwanted contacts, while reducing the time spent on the application.
