Cyberattacks: Increased risk and an evolving legal framework
Legal Watch No. 76 – October 2024
The number of cyberattacks targeting businesses and public services in France this autumn is hard to keep count of.
After Boulanger, Cultura, Truffaut, Grosbill and SFR, it is now Free's turn to suffer a major cyberattack, just as Cybersecurity Awareness Month is ending.
In an email to its customers, the company stated that the attack resulted in unauthorized access to some of the personal data associated with subscribers' accounts, including their login credentials, contact information, contractual details, and in some cases, their IBAN. The breach is estimated to affect more than 19 million customers.
Free has notified the CNIL and ANSSI of the data breach.
If we also take into consideration the large-scale attacks that targeted two major third-party payment organizations and France Travail in early 2024, some estimate that today, the data of more than 40 million French people are for sale on the dark web.
The increase in these attacks has led the CNIL to publish an information sheet to help those concerned to protect themselves.
It advises, in particular, checking bank account activity, staying vigilant about identity theft and phishing, changing passwords, and using multi-factor authentication.
Until now, the CNIL rarely sanctioned companies that were victims of cyberattacks for failing to protect data, unlike its European counterparts.
However, it has just sanctioned the crypto-asset security company Ledger for failing to adequately protect its customers' data.
According to La Lettre, which broke the story on October 23, the fine imposed amounts to €750,000. The CNIL has not confirmed this amount.
The company had suffered several personal data breaches in 2020, affecting numerous customers and prospects.
New rules are now being added to the provisions of the GDPR, requiring data controllers to secure data.
These are the obligations of the European NIS2 directive, which came into force on October 17th.
This directive aims to mitigate threats to networks and information systems that provide essential services in key sectors, in order to strengthen the security of the European Union.
The text broadens its scope compared to the NIS1 directive, and specifically targets the infrastructures and entities essential to the proper functioning of economic and societal activities in the internal market: public administrations, telecommunications infrastructures, information and communication services, digital service providers but also sectors of food or chemical manufacturing, health or wastewater treatment.
The requirements relate in particular to governance and cyber risk management measures, the compartmentalization of the administrative IS, the obligation to report any incident, and the security of supply chains.
The directive provides, like the GDPR, for notification of incidents and financial penalties.
While a three-year period is planned for full compliance, a minimum must be put in place quickly, namely "registration with ANSSI of the regulated entity on the 'monespaceNIS2' portal, notification of incidents, and demonstration of investments in security solutions."
Regardless of rules and sanctions, it is good to remember the human consequences of security violations.
This is what the British Information Commissioner (ICO) has just done in a publication on October 28.
The authority emphasizes in a warning to data controllers the sometimes devastating effects of data breaches.
It notes that 55% of adults in the UK have had their data lost or stolen, which represents nearly 30 million people.
The personal and emotional consequences of this situation are too often overlooked: 301,000 victims report emotional distress, while 25,000 of them receive no help from the responsible organizations.
In addition, 32% of those affected learn about it through the media rather than the organization itself, which accentuates their feeling of betrayal.
The ICO points out that too many organizations do not fully measure the harm and neglect the protection of personal data.
"When a data breach occurs, it's not simply an administrative error, but a failure to protect someone."
On September 26, the CNIL (French Data Protection Authority) fined Cosmospace and Telemaque, providers of psychic services, €250,000 and €150,000 respectively, for failing to obtain the explicit consent of the individuals concerned before processing sensitive data in the context of recorded consultation sessions.
It also announced that it had issued eleven new simplified sanctions since June 2024, concerning offences relating to excessive data collection, lack of register, failure to respect the rights of persons or lack of cooperation.
Finally, on October 17, 2024, it reprimanded the Ministry of the Interior and Overseas Territories and the Ministry of Justice for their poor management of the criminal records processing file.
On November 19, the CNIL is organizing an "Air" event dedicated to surveillance and its ethical implications.
The debates will be co-organized with the National Commission for the Control of Intelligence Techniques (CNCTR).
The Paris Public Prosecutor's Office announced that on October 18, 2024, during a Eurojust meeting, the Belgian and French judicial authorities formed a joint investigation team (JIT) regarding the investigations on Telegram.
In France, a preliminary investigation was opened in February 2024, leading to the opening of a judicial investigation and then to the arrest of Pavel Durov this summer.
The cybercrime section of the Paris Public Prosecutor's Office had previously consulted various prosecutors' offices and investigative services, as well as its foreign partners within Eurojust, about the difficulty of obtaining responses to its requests.
On October 3, the Court of Cassation overturned a ruling by the Caen Court of Appeal, and reiterated that a court must respect the principle of data minimization when ordering an employer to produce evidence of possible wage discrimination in the context of civil proceedings.
The personal data requested as evidence must be limited to what is strictly necessary for the procedure.
On October 22, the NGO Noyb filed a complaint with the CNIL against the social media platform Pinterest.
Noyb indicates that despite a ruling by the Court of Justice of the European Union (CJEU) on July 4, 2023 condemning this practice, the platform uses users' personal data without asking for their consent, on the basis of its legitimate interest, and that it activates tracking by default.
The platform is also being criticized for failing to provide information about the third parties with whom it shares data.
European institutions and bodies
The European Commission published on October 9 the report of its first review concerning the adequacy decision of the data protection framework (DPF) between the EU and the United States.
The Commission concludes that the US authorities "have put in place all the constituent elements of the framework."
This includes implementing safeguards to limit access to personal data by US intelligence services to what is necessary and proportionate to protect national security, and establishing an independent and impartial redress mechanism.
The report contains recommendations to ensure that the framework continues to function effectively, such as developing common guidance on key DPF requirements.
During its plenary session on October 8 and 9, the European Data Protection Board (EDPB) adopted an opinion on processors and subsequent processors, guidelines on legitimate interest, a statement on additional procedural rules for the application of the GDPR and the EDPB work programme for the period 2024-2025.
On November 4, the Board also adopted its first report on the EU-US data protection framework, as well as a statement on access to data by law enforcement.
It notes the progress made and encourages the US authorities to develop new guidelines and the European Commission to monitor the redress mechanism for EU citizens.
In its judgment C-507/23 of 4 October, the CJEU held that an apology can constitute appropriate redress for non-pecuniary damage under Article 82(1) of the GDPR, particularly where a return to the situation prior to the damage is impossible, provided that this form of redress is capable of fully compensating the harm suffered by the data subject.
News from the member countries of the European Union
The Belgian Data Protection Authority (APD) published online on October 9 the documents from its study day on "smart cities".
The objective was to provide a discussion platform where stakeholders could share their experiences, best practices, challenges, solutions and visions for the future of "smart cities".
The report of the study day, the interventions of the participants and video sequences are available on the APD website.
In a decision dated October 11 concerning RTL Belgium, the APD also reminded the data controller that it must make refusing the placement of cookies as easy for visitors to its website as accepting them, this being a concrete application of the conditions for the validity of consent.
The APD also sanctions the design of the buttons presented to the visitor and refers in particular to the work of the EDPB on this subject.
In this particular case, the bright orange "Accept and close" button stood out particularly from the rest of the cookie banner, and for the APD, "this is the button on which users' attention will primarily gravitate."
In response to RTL's argument of "artistic freedom," the APD retorts that "Data controllers must ensure that the use of a colour does not obviously encourage users to consent to the placement of cookies on their browser.
However, there is nothing preventing data controllers from using a button colour that would similarly encourage users to refuse the placement of cookies."
Note that the Austrian Data Protection Authority (APD) took a decision in the same direction on October 28 concerning the public broadcasting company Österreichischer Rundfunk: it ordered the company to adapt the cookie banner on its website, because the graphic highlighting of the "accept all cookies" option invalidates the consent of the person concerned under Article 6(1)(a) of the GDPR.
These two cases are part of a series of complaints filed by the NGO Noyb in several EU countries, and further decisions on this matter can be expected soon.
The Irish Data Protection Commission (DPC) announced its final decision on October 24 following its investigation into LinkedIn, launched after a complaint initially filed with the CNIL by La Quadrature du Net in 2018.
The investigation focused on LinkedIn's processing of users' personal data for the purposes of behavioural analysis and targeted advertising, and concerned the lawfulness, fairness and transparency of this processing.
The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totaling €310 million.
The Italian Data Protection Authority (APD) has fined Postel SpA, Italy's main postal service, €900,000 for failing to respond to a known and reported vulnerability in its systems for almost a year. This made a personal data breach possible: in August 2023, the company was the target of a ransomware attack that resulted in the blocking of its servers and some workstations.
The information, published on the dark web, concerned identification and contact data, payment data, as well as data relating to criminal convictions and offences, health data and data revealing union membership.
The Dutch Data Protection Authority (APD) announced on October 23 that it had investigated eight holiday parks that use facial recognition to access swimming pools and play areas, and found that all of these parks violated privacy laws, due to a lack of information and the absence of valid consent.
Under pressure from the APD, seven of the parks changed their data processing methods.
An Excel file led to the disclosure of the personal information of 9,483 officers and employees of the Northern Ireland police.
In response to two requests for access to the data, the police service provided the file with the data masked but not deleted. Deemed responsible for the leak, the police were fined a record €900,000 by the UK data protection authority, the ICO.
In a similar context, the ICO also sanctioned the Southend-on-Sea council: in response to a request for access to administrative documents, the council provided a spreadsheet that still contained personal data.
Data protection authorities from 16 jurisdictions, including Australia, Canada, China, Spain and the United Kingdom, adopted a joint statement on "scraping" technologies on the sidelines of the international conference of data protection authorities.
The statement emphasizes that organizations must comply with data protection laws when using personal information, including information from their own platforms, to develop large AI language models (LLMs).
The statement, published on October 28, outlines other expectations, including that organizations:
- deploy a combination of safeguards, reviewing and updating them regularly to keep pace with advances in scraping techniques and technologies; and
- ensure that authorized data extraction for commercial or socially beneficial purposes is carried out in compliance with the law and strict contractual conditions.
In mid-October, the G7 of data protection authorities was held in Italy, with the aim of strengthening collaboration between authorities at the global level.
A declaration was adopted on the role of authorities to ensure that AI is used responsibly.
A statement was also released, which underlines the importance of a robust mechanism for cross-border data flows that protects personal data globally.
On October 20, the Australian Data Protection Authority (APD) published two guidance documents on privacy protection and artificial intelligence:
- A guide regarding the use of commercially available AI products;
- A guide on developing and training generative AI models.
Among the key points concerning the first guide, the APD emphasizes that:
- Privacy obligations apply to any personal information entered into an AI system, as well as to AI-generated output data (when it contains personal information).
- If AI systems are used to generate or infer personal information, including images, this constitutes a collection of personal information that must comply with data protection principles.
As a best practice, the APD recommends that organizations not enter personal information, and in particular sensitive information, into publicly available generative AI tools, due to the significant and complex privacy risks involved.
Internal TikTok communications made public in October showed that the company was not concerned about the app's harmful effects on American teenagers, even though its own research highlighted numerous concerns.
These confidential documents are part of a more than two-year investigation conducted by 14 United States attorneys general.
The lawsuit alleges that TikTok was designed with the express intention of making young people addicted to the app, and that the company misled the public about the risks involved.
According to NPR, which had access to the documents, TikTok determined the precise number of views (260) needed for a person to be likely to become addicted to the platform.
According to state investigators, "although this may seem significant, TikTok videos can be as short as 8 seconds and are played by viewers in rapid, automatic succession. (...) Thus, in less than 35 minutes, the average user is likely to become addicted to the platform."
The Internet Archive is currently experiencing a wave of cyberattacks.
The first series of attacks, made public in mid-October, consisted of several DDoS attacks. The hackers also revealed that they had gained access to the data of 31 million users.
At the end of October, the organization was once again the victim of an intrusion, this time on its Zendesk email support platform, after being repeatedly warned of a theft of authentication tokens.