Legal Watch

CNIL controls: what are the priorities for 2024?

Legal Watch No. 68 – February 2024.


As every year, the CNIL has published at the beginning of 2024 the review of its past activity and its priorities for the coming months.

It indicates constantly increasing controls, made more efficient by the implementation of a simplified procedure for certain cases.

Last year, the checks affected diverse sectors such as advertising and online commerce, security, vehicle geolocation, employee rights, and the processing of health data.

The CNIL has sanctioned both multinationals and SMEs, as well as public and private actors.

However, the Commission seems to have become aware of the additional efforts required for those in charge of small organizations to comply with the GDPR.

It notes in a study on the economic impact of the GDPR published on March 1st that "the GDPR is proportionally more favorable to large economic players, who have more resources to devote to compliance".

It draws conclusions from this by noting that "the regulator must actively compensate for this trend with a demanding policy towards large players, and even more so with very large players, in proportion to the risks they pose and the resources they have at their disposal."

Thus, as the joint CNIL-Competition Authority statement of December 2023 also specifies, the CNIL already assumes, and will assume even more in the future, an asymmetrical dimension to its regulatory action on digital markets, coupled with a full understanding of business models, for the benefit of individuals and the protection of their fundamental rights.

Among the actions announced this year, unsurprisingly, are the files related to the 2024 Olympic and Paralympic Games, and the right of individuals to access their data.

Regarding the Olympic Games, the CNIL intends to verify the use that will be made of security devices and in particular the use of augmented cameras, QR codes for restricted access areas and access authorizations.

The volume of data and the number of partners involved in the event will also lead the Commission to verify the use of ticketing data, to prevent fraudulent reuse of the data of the people concerned.

Note that the issue of the use of facial recognition by law enforcement is also included in the priorities of the European Data Protection Board (EDPB) in its 2023-2024 work program.

The right of individuals to access their data is the theme of the EDPB's coordinated action for 2024 (see also below).

Guidelines were adopted on this subject by the EDPB in 2023 to help data controllers implement access procedures, complementary to those published by the CNIL.

The CNIL will also focus on data collected online from minors: it will verify whether age control mechanisms are implemented, what security measures are planned and whether the principle of data minimization is respected.

Finally, it will examine the impact of the dematerialization of till receipts and the use of loyalty programs on individuals' rights.

Replacing paper receipts with SMS or email, for example, involves the collection of additional data.

The CNIL specifies that this data, just like information concerning individuals' purchases, can only be used for advertising targeting purposes with the prior consent of the people concerned.

Finally, it should be noted that the CNIL can take up a case independently of the identified priorities, on the basis of a complaint, a publication in the press or a report by a data protection authority of another European country.


  • On January 31, the CNIL imposed a fine of 100,000 euros on the real estate services provider PAP.

The CNIL (French Data Protection Authority) identified shortcomings regarding data retention periods, informing individuals, the management of the relationship between PAP and a subcontractor, and data security (storage of passwords in plain text). The identified security flaws exposed the data to risks of cyberattacks and leaks.

  • On January 31, it also fined FORIOU 310,000 euros for using data provided by data brokers for commercial prospecting purposes, without ensuring that the people concerned had validly consented to be contacted.

The CNIL reminds us that it is the responsibility of the company using the data to ensure that the persons concerned have given valid consent beforehand, at the time of collection.

The Commission noted that, although the company imposed certain contractual requirements on its upstream data providers, no effective control of these requirements was exercised downstream.

  • On January 30, the Council of State considered that the automatic transfers of tax data between France and the United States under the FATCA agreement do not infringe Articles 5 and 46 of the GDPR, the absence of an adequacy decision not preventing data transfers "necessary for important reasons of public interest".

The Association of Accidental Americans had asked the Council of State to overturn the decision of the CNIL which had dismissed its complaint.

The Council of State considered that the CNIL had sufficiently justified its decision.

Note that on the same subject, the Belgian data protection authority had reached a different conclusion and had prohibited the transfer of tax data of accidental Belgian Americans to the United States.

  • The French start-up Mistral, specializing in AI development, announced a strategic partnership with Microsoft on February 26.

According to the newspaper Le Monde, this announcement is causing friction in Brussels, following intense lobbying efforts, particularly by France, to favour European start-ups and limit the obligations concerning them in the future AI regulation.

Green MEPs have sent a letter to the European Commission raising questions about potential conflicts of interest and transparency issues concerning Mistral's lobbying on this regulation.

  • In mid-January, ANSSI published three guides aimed at "managing the remediation of a cyber incident".

These guides comprise three parts: strategic, operational and technical.

The agency points out that "if a major incident is partially or poorly remedied, its effects can extend over time."

"This high potential for destabilization requires (...) expertise in containing these cyberattacks, in regaining control of the compromised information system and in restoring a sufficient state of operation."

Remediation is a major dimension of cyber incident response, along with investigation and crisis management.

  • After eight months of experimentation, the digital driving licence has been available since February 14th to all those who apply for it.

With the France Identité application, it is also possible to digitize your identity card and use it for certain procedures, such as making a power of attorney.


European institutions and bodies

  • On February 28, the EDPB launched its "coordinated framework for investigations" (CFE) for 2024.

Throughout the year, European data protection authorities (DPAs) will participate in this initiative on the implementation of the right of access.

At its plenary session in October 2023, the EDPB chose the right of access for its third coordinated implementation action, "because it is at the heart of data protection and is one of the most frequently exercised data protection rights, and one about which data protection authorities receive many complaints."

  • The EDPB will soon issue a decisive opinion on the "accept or pay" business model, which requires payment to access website content for visitors who refuse cookies.

Meta adopted this approach in November 2023, which led the Dutch, Norwegian and Hamburg DPAs to ask the EDPB to adopt a binding opinion on the legality of this practice.

Civil society fears that, if this economic model is legitimized, companies in all industrial sectors will follow Meta's example, which could mark the end of genuine consent for the use of data.

28 NGOs have sent a letter to the EDPB urging it to issue an opinion that protects the fundamental right to data protection.

  • During its plenary session in mid-February, the EDPB adopted an opinion clarifying the concept of main establishment in the context of the "One stop shop".

Companies cannot simply create a main establishment "by putting a sign on a door": the establishment must be where processing decisions are made, and if these decisions are made abroad, there can be no main establishment and the one-stop shop does not apply.

The EDPB also adopted a statement calling on EU legislators to ensure that the CSAM regulation, aimed at protecting children's rights online, respects the rights to privacy and data protection.

  • The European Parliament, and more specifically the defense subcommittee, was on high alert at the end of February after traces of hacking were discovered on the phones of two of its members, raising fears of cyberattacks and foreign interference in the lead-up to the European elections in June.

Last December, Politico reported that the institution's cybersecurity "has not yet reached industry standards" and is "not fully in line with the level of threat" posed by hackers.

These new revelations follow previous incidents in which other members of the European Parliament were targeted by the Pegasus and Predator spyware.

  • On February 19, the European Commission launched an investigation into children's rights on TikTok.

It suspects, in particular, violations concerning transparency and obligations to protect minors under the Digital Services Regulation (DSA), including addictive design, inadequate age verification, and insufficient default privacy settings. The DSA has been in force in the EU since February 17.

  • EU Member States, with the support of the European Commission and the European Union Agency for Cybersecurity (ENISA), published a report on February 21 on cybersecurity and the resilience of European communication infrastructures and networks.

This report follows an assessment by Member States of the risks associated with these infrastructures and networks.

The assessment identified a number of threats, such as wipers, ransomware attacks, supply chain attacks, physical attacks, and sabotage.

  • On February 13, the European Court of Human Rights (ECHR) ruled in the Podchasov case on Russia's collection and access to citizens' private communications.

Amidst the debate on the supposed dangers of encrypted communications, the Court clearly indicated that weakening the encryption of communications for all citizens was not justified.

According to E. Tuchtfeld, "this decision sends an important message not only to the Russian state, but also to other European governments that are considering installing 'backdoors' on encrypted messaging services such as Telegram, Signal or WhatsApp."

  • The ECHR also considered in a judgment of 15 February that the systematic and indiscriminate retention of telecommunications data used in Slovenia against a former judge during his trial should be considered a violation of his right to privacy.

At the time of the applicant's conviction, communication service providers were obliged to retain telecommunications data systematically and indiscriminately for a period of 14 months.

The Court considered that such conservation was not within the limits of what is necessary in a democratic society.

The retention, access and processing of data in the context of the criminal proceedings against the applicant thus violated his right to respect for private life.


News from European member countries

  • In Belgium, the Belgian Data Protection Authority (APD) has made available on its website a section entitled "Documents for the DPO".

It includes, in particular, judicial and APD decisions relating to DPOs, for example on subjects such as conflict of interest and protection against dismissal.

  • The Belgian Data Protection Authority also considered that, regardless of the withdrawal of a complaint, it still had the power to declare a violation of the rights of the person concerned and to impose a fine due to non-compliance with the GDPR.
  • The Italian Data Protection Authority (APD) announced on February 29 that it had imposed a fine of more than 79 million euros on Enel Energia for serious breaches in the processing of personal data of numerous users in the electricity and gas sector, carried out for telemarketing purposes.
  • The APD also fined the municipality of Syracuse 5,000 euros for failing to provide the DPO's contact details in accordance with Article 37 of the GDPR.
  • The Greek Data Protection Authority (DPA) has fined a data controller 5,000 euros because its data protection officer (DPO) failed to respond, despite several reminders, to the questionnaire it sent him in the context of the coordinated European action of DPAs in 2023.
  • In Spain, the APD refused to allow anti-money laundering due diligence obligations to be used as an excuse for a bank to force a complainant to provide details about the origin of their money through unencrypted emails.

It imposed a fine of 2,500,000 euros on the data controller.

  • The Danish Data Protection Authority, in its fifth decision relating to Chromebook, found that 53 municipalities had illegally shared students' personal data with Google for Google's own development purposes, in violation of Article 6(1)(e) of the GDPR.
  • In the United Kingdom, the DPA fined the British Ministry of Defence 409,080 euros (350,000 pounds sterling) for disclosing 265 email addresses of people seeking to leave Afghanistan following the Taliban's rise to power in 2021.
  • The Swiss Federal Intelligence Service (FIS) is implicated by the magazine Republik, which published an investigation in mid-January claiming that the FIS has access to the emails of all Swiss citizens and that it massively monitors their communications under a 2016 law.

The data would be collected directly from communication cables, via equipment installed in the infrastructure of internet service providers. The FIS denies these accusations (via the AFCDP letter).

  • A cyberattack against an American company led to the disclosure of sensitive information about the Swiss air force on the dark web.

The ALPHV hacking group claimed responsibility for the attack, which resulted in the release of classified documents, including a $5 million contract between Switzerland and Ultra Intelligence & Communications, a provider of encryption and communication technologies for the defense sector.

In July 2023, a similar attack hit the Swiss company Xplain, followed in November by a hack of the software company Concevis, which also works for the defense sector and the tax administration.


  • The Biden administration adopted an executive order on February 28 aimed at protecting Americans' sensitive personal data from exploitation by certain third countries ("countries of concern").

This decree authorizes the Attorney General to prevent the large-scale transfer of Americans' personal data to countries of concern and provides safeguards for other activities that could allow those countries access to Americans' sensitive data.

This data includes, in particular, genomic, biometric, health, geolocation, and financial data.

  • The US National Institute of Standards and Technology (NIST) published concrete measures in February to integrate security into every phase of the software development cycle.

The guide recommends that manufacturers prioritize a series of concrete measures, including establishing basic security requirements for the integration of open-source software and extending the monitoring of "provenance data".

  • Also in the United States, the Federal Trade Commission (FTC) has just banned Avast from selling its customers' browsing data for advertising purposes.

The FTC was investigating allegations that Avast sold browsing data while claiming its products blocked online tracking. Avast was fined $16.5 million.

Note that the Czech DPA had sanctioned the company in April 2023 for the same reasons.

  • The revisions to Georgia's data protection law came into effect on March 1st.

These changes aim to ensure protection closer to that of the GDPR.

Mobile phone operators and their SMS service providers are now prohibited from using citizens' personal data for direct marketing purposes without their prior consent.

In addition, it is now mandatory for public institutions and certain private companies to appoint a data protection officer.

  • The Hong Kong Privacy Commissioner for Personal Data (PCPD) conducted compliance checks at 28 local organizations from August 2023 to February 2024 regarding their processing of personal data in the context of the use of AI.

The exercise covered various sectors, including telecommunications, finance and insurance, beauty services, retail, transportation, education, and government ministries.

The PCPD found no breaches, although it noted that a growing number of both public and private organizations are deploying AI to improve their day-to-day operational efficiency.
