Brexit: an overview of data protection
Legal Watch No. 63 – September 2023.
Since the United Kingdom left the European Union on January 31, 2020, increasingly significant differences have emerged between data protection frameworks on both sides of the Channel.
The country still applies the law that transposed the GDPR at the national level, called "UK GDPR", and since June 28, 2021, the United Kingdom has benefited from an adequate level of protection, which authorizes data exchanges with the EU.
The adequacy decision is valid until June 27, 2025, but it could be revised earlier if the UK legal framework were to change significantly before that date.
Among the developments that could raise eyebrows at the European Commission is the UK's ambition to become a "data hub", facilitating international data exchange, and the current draft revision of the "UK GDPR" which aims to ease the obligations of British companies.
On September 21, the United Kingdom formalized the "data bridge" concluded in June with the United States.
The agreement will enter into force on October 12.
The UK has also concluded agreements with several countries that the EU already considers adequate: Canada, Israel, Japan, New Zealand, Switzerland and Uruguay.
Its list of priorities also includes Australia, Colombia, Dubai, the Republic of Korea and Singapore.
This facilitation of international exchanges raises the question of subsequent transfers of European data, which, after passing through the UK, would be received at a later stage by a country that the EU does not consider to guarantee equivalent data protection.
The UK is indeed moving towards a more pragmatic assessment of the guarantees offered by third countries, based more on risk.
In parallel with these initiatives concerning data transfers, the UK is preparing a bill on data protection and digital information (the "Data Protection and Digital Information (No. 2) Bill") intended to replace the current UK GDPR.
The text already had its first two readings in Parliament last spring and still has to be debated in a third reading.
The project retains respect for the principle of purpose limitation but modifies its scope: it authorizes further processing when data has been collected without consent, for example in cases of use based on public interest.
The impact of this rule on the use of cookies is not yet clear, even though the government says it wants to limit unwanted "pop-ups" asking for the user's consent.
The definition of scientific research has been updated and broadened, and its conditions of practice have been relaxed.
This could allow companies to more easily process data for commercial purposes, arguing that these commercial practices consist of technological research and development.
The project also reduces the requirements imposed on companies regarding record keeping and proactive control of their data processing activities, except for those whose processing poses high risks to the rights of individuals.
The text also introduces a framework for the use of "reliable and secure digital verification services", which appears to respond to the European Union's digital identity project.
For companies operating across the EU, some of the benefits of the reform aimed at reducing the administrative burden will be limited: they will still have to, for example, appoint a data protection officer and will not be able to benefit from the relaxation of certain rules relating to data retention.
The plan also includes replacing the existing regulatory body, the ICO, with a council, and giving the Secretary of State the power to guide certain activities of the institution by designating strategic priorities.
The existence of an independent data protection regulator will be one of the key elements that the EU will consider when it reassesses the UK's "essential equivalence" with its data protection rules.
This issue has already raised questions in the European Parliament.
The law could be adopted next spring.

- On September 18, 2023, the CNIL fined the air freight company SAF LOGISTICS 200,000 euros for collecting too much data from its employees, including sensitive data and criminal record extracts.
The company was also sanctioned for not cooperating sufficiently with the CNIL's services.
- At the end of September, the European Sustainable Development Week took place, providing the CNIL with an opportunity to communicate on its booklet dedicated to the issue: it explores the intersections between data protection, freedoms, and the environment: "Does protecting data protect the planet? Are our freedoms in transition? Should we share data to protect the environment?"
The document attempts to answer these questions and proposes recommendations for reconciling the two objectives.
- The CNIL published a draft guide on the reuse of public data this summer.
The guide incorporates the position of the CNIL, its counterparts, as well as French and European court decisions, enriched by a series of consultations with various actors directly involved in the development of approaches to opening, sharing and reusing publicly accessible data (institutional partners, associations and companies, lawyers, researchers).
- On August 29, the CNIL (French Data Protection Authority) ordered Boursorama to comply with the provisions of the GDPR, "in particular by ceasing the processing of login credentials for the impots.gouv.fr website": Boursorama was indeed requesting access to the username and password of the impots.gouv.fr website from those who wished to obtain a loan or open a share savings plan.
The CNIL indicates that the company has a period of two months to comply.
- Mozilla is launching a public appeal to react to the future SREN law which provides for the implementation of an "anti-scam filter" on the internet.
The foundation argues, in the title of its petition, that France is forcing web browsers "to censor websites".
A mandatory mechanism would require intermediaries to put in place all appropriate measures to prevent internet users from accessing addresses deemed harmful, for a period of at least seven days.
In principle, the foundation considers it commendable to seek to combat online fraud.
However, the foundation disputes the methods chosen to achieve this objective, which set a precedent: once in place, the filtering strategy could be extended to other issues.
European institutions and bodies
- The European Commission has published guidelines on the new European directive on cybersecurity, NIS2.
This directive imposes obligations regarding security, incident notification and governance on entities in various critical sectors, including energy, transport, finance, health and digital infrastructure.
The two guidance documents help to determine whether NIS2 requirements or sectoral requirements apply, and aim to ensure that registration requirements are consistent across the Union.
- During the month of October, the European Parliament's Committee on Civil Liberties will begin its examination of the regulation for "the protection of children on the Internet" (CSAM).
This text is the subject of increasingly virulent criticism, particularly concerning the measure aimed at obliging major platforms to proactively scan private content exchanged with their services to detect child pornography.
Many civil society actors, all European data protection authorities, and also lawyers from the Council of the EU believe that the regulation would impose "particularly significant limitations on the right to privacy" and that there is a "serious risk" that it is contrary to fundamental EU texts.
- Cybersecurity Month is an opportunity for ENISA, the European Union Agency for Information Security, to publish recommendations regarding ransomware.
Among the available documents are tips for operators in the electricity sector, a prime target for hackers.
- On September 7, MP Philippe Latombe, a member of the CNIL, challenged the Data Privacy Framework (DPF), which has allowed data exchanges between the EU and the United States since this summer, before the Court of the European Union.
Latombe filed two appeals: one to suspend the agreement immediately, the other concerning the content of the text.
He asks the Court to suspend the agreement urgently, invoking a 1958 European regulation which requires that European texts of general scope be written in the four official languages, whereas since July 10 the DPF has existed only in English.
- The use of video conferencing tools raises data protection issues, especially since data is very often transferred outside the EU.
The Court of Justice of the EU carried out a "transfer impact assessment (TIA)" in connection with its use of Cisco Webex, and subjected the processing to the authorization of the European Data Protection Supervisor (EDPS).
The EDPS decision and the CJEU impact assessment are useful references for any data controller using these tools in a professional context.
News from European member countries.
- The Belgian Data Protection Authority (APD) rejected a complaint on August 16, despite the existence of GDPR violations.
The APD considered that the violations had not had a "major social and/or personal impact" and that the resources needed to examine the complaint would therefore be disproportionate.
- Following the binding dispute resolution decision of the EDPB, the Irish Data Protection Commission published its final decision on September 1, finding in particular that TikTok breached the principle of fairness of the GDPR when processing personal data relating to children aged 13 to 17.
In the sign-up pop-up window, children were encouraged to opt for a public account.
The Irish authority's final decision also finds that the default public settings were contrary to the principles of data protection by design and by default, data minimization and transparency.
In addition to a reprimand and a compliance order, Ireland's data protection authority imposed a fine of 345 million euros.
- The Lower Saxony Data Protection Authority, in collaboration with six other data protection authorities, has drawn up a guide on the use of Microsoft 365 for professional purposes.
The authorities recommend that a supplementary agreement be concluded between the data controller and Microsoft, which must prevail over all conflicting contractual texts.
This agreement should notably govern erasure periods adapted to the needs of the data controller, information requirements regarding the use of subcontractors, as well as the processing of data by Microsoft for its own commercial purposes.
- In a mid-July order concerning the processing of data for marketing purposes, the Italian Data Protection Authority (APD) recalls that, in view of the storage limitation principle, it is not justified to retain data until the date on which consent is withdrawn.
This reminder is already included in the EDPB guidelines 5/2020, according to which the context and the legitimate expectations of individuals must be taken into account: it is good practice to require new consent on a regular basis.
- The Italian Supreme Court has confirmed that the dismissal of an employee by an Italian bank was unlawful because it rested on illegal monitoring of that employee's emails and on surveillance of the employee.
The Supreme Court stated that a fair balance must be struck, depending on the circumstances, between the company's interest in protecting its interests and property, linked to freedom of economic initiative, and the protection of the worker's dignity and privacy.
Monitoring all communications on the defendant's company laptop was unjustified because it was indiscriminate, unlimited, and because the plaintiff had not informed the defendant of the possible monitoring of his laptop's communications, nor of the nature and extent of the monitoring.
- In a decision published on August 21, the Spanish Data Protection Authority (APD) sanctioned a data controller for violating Articles 28(2) and 28(3) of the GDPR.
The sanction was imposed even though the data controller had no contract with the subcontractors and had not been informed of their involvement in the data processing activities.
- The Spanish Data Protection Agency (APD) has published a blog post on digital currencies, in which it addresses the biggest risks posed by cryptocurrencies: volatility, speculation, a false sense of availability, security and anonymity.
- The UK Electoral Commission announced on August 8 that it had been the victim of a data breach.
The cyberattack dates back to August 2021, and was discovered in October 2022.
The hackers, who remain unidentified, gained access to the data of 40 million people registered to vote between 2014 and 2022.
- The British government has put on hold its plans to weaken online encryption through the implementation of the Online Safety Bill.
This bill aimed to require messaging apps like WhatsApp to analyze their users' conversations for child pornography. The controversial clauses would remain in the bill, but the British government has stated it will not force tech companies to implement them.
- A British research team published an article in August 2023 on its development of an artificial intelligence (AI) capable of deciphering a password simply by listening to the sounds produced by the keyboard keys.
The AI was trained on a dataset of over 100,000 keystrokes, and successfully tested on a variety of devices, including laptops, smartphones, and smart speakers.

- The International Organization for Standardization recently published ISO 22989:2022 – AI concepts and terminology, which establishes terminology and describes concepts in the field of AI.
This document can be used to develop other standards and to support communication between various interested parties or stakeholders. It is applicable to all types of organizations (commercial enterprises, government agencies, non-profit organizations).
- Meta is reportedly preparing to implement a paid subscription for its social media platforms Instagram and Facebook.
According to the Wall Street Journal, users who do not wish to be tracked for personalized advertising purposes would pay between €10 and €15 per month depending on the device used (smartphone, computer).
- Video surveillance with biometric recognition is at the heart of a scandal in Argentina: errors, a system susceptible to manipulation, unauthorized access, lack of transparency measures…
Seventy-five percent of the capital is under video surveillance, but the facial recognition system is being criticized after at least 140 errors led to police checks or arrests since 2019.
Activists decided to sue the city government and in April 2022 obtained the deactivation of the system.
Since then, the city of Buenos Aires has been fighting to put it back into service.
- An Indonesian security researcher revealed on Twitter that a hacker had put up for sale, for $10,000, a file containing the data of nearly 35 million passport holders.
The hacker is already known to have stolen and put up for sale in 2022 the data of 1.3 billion SIM cards from the servers of the Indonesian Ministry of Communications and Information Technology and is also suspected of being behind the theft of personal information of 17 million customers of the Indonesian electricity company in 2022 (via the AFCDP).
- Saudi Arabia published in mid-September its regulations for the implementation of the law on the protection of personal data as well as regulations on the transfer of personal data outside the Kingdom.
- On October 15, 2021, the Rwandan government enacted a law on the protection of personal data and privacy.
The government has granted a two-year transition period to allow individuals and organizations to align their data processing activities with the law. This period will end on October 15, 2023.