Legal Watch

GDPR Case Law: Key Trends for 2023

Legal Watch No. 66 – December 2023.

Whether in France or at the European level, data protection authorities and judicial bodies took numerous decisions in 2023 clarifying the conditions for the application of the GDPR.

At the European level, the most significant sanctions imposed by data protection authorities concern international tech giants as well as a few national companies.

They specifically target advertising without user consent and the failure to inform users.

  • On January 4, 2023, the Irish Data Protection Commission fined Meta Platforms Ireland Ltd. €390 million for unlawful use of personal data for advertising purposes on Facebook and Instagram.

It also imposed a historic fine of 1.2 billion euros on Meta in May 2023 for illegally transferring data to the United States.

  • The Irish Data Protection Authority (DPA) also fined WhatsApp €5.5 million in January 2023 for forcing users to consent to the use of personal data for the purposes of "improving services and security".
  • On June 15, 2023, the CNIL imposed a fine of 40 million euros on CRITEO, a company specializing in online advertising, notably for failing to verify that the individuals whose data it processed had given their consent.
  • The Italian data protection authority last June fined the telemarketing company TIM SpA 7.6 million euros for insufficient supervision of call centers with abusive practices.

In France, the CNIL has adopted several other sanctions that are worth mentioning. The Commission has focused in particular on:

  • the lack of a legal basis for the collection of biometric data by the company Clearview;
  • respect for the principle of minimisation of the data collected, in this case geolocation data, in the Cityscoot case of March 16, 2023;
  • data retention periods, in the KG COM case of June 8, 2023 and the Doctissimo case of May 11, 2023;
  • respect for the rights of individuals, in the Canal + (October 12), Free (March 20) and Criteo (June 15) cases.

Regarding this last point, the CNIL emphasizes that the data must be communicated to the applicant in an intelligible form.

It also notes that failure to comply with the one-month deadline for responding to an access request is a frequent offence.

It is worth recalling that the exercise of individuals' rights is the theme of the coordinated investigations by data protection authorities in Europe for 2024.

Let us also mention, in terms of case law from French courts and tribunals, several recent decisions regarding video surveillance.

  • The administrative courts of Nice and Lille ruled on November 23 and November 29 respectively in favour of municipalities that had installed algorithmic facial recognition video surveillance systems, on the grounds that these systems had not (yet) been fully activated or deployed for the purpose of augmented video surveillance.
  • The administrative court of Caen, on the other hand, considered more decisively in an interim order dated November 22 that the Briefcam algorithmic video surveillance system constituted a serious and manifestly illegal infringement of the right to privacy.

The judge in chambers noted that the use was outside of any legal or regulatory framework and considered that "it has not been established, nor even alleged, that other less intrusive means with regard to privacy could not have been implemented in order to preserve public order."

The question of the legal basis for the use of algorithmic video surveillance should become even more pressing with the adoption of the European regulation on artificial intelligence which will regulate facial recognition in public spaces in a particularly strict manner (see the briefs below).

Finally, at the European level, the Court of Justice of the European Union (CJEU) has adopted several decisions that clarify, in particular, the principles applicable to automated processing, and the consideration of damage in GDPR violations:

  • The CJEU thus adopted on December 7 two important rulings concerning the dominant provider of credit information services in Germany (“Schufa”).

The Court notably stated that automated creditworthiness processing (“scoring”) is subject to a general prohibition under Article 22 of the GDPR.

It adds that the company that establishes a credit score by automated means remains subject to Article 22 even if it is another company that relies on this score to make decisions with a (negative) impact on the person concerned, reasoning that could have consequences for AI-assisted decision systems.

  • Regarding damages, in the Österreichische Post AG judgment of May 4, 2023, the Court held that a violation of the GDPR provisions is not sufficient to confer a right to compensation on the data subject affected by the unlawful processing: they must also prove harm. This harm must, however, be compensated even if it does not reach a certain degree of severity.
  • In its judgment of December 14, 2023, the CJEU gives a broad interpretation of moral damage.

The court specifies in particular that the fear that a person experiences regarding a potential misuse of their personal data by third parties following a violation of the GDPR is likely, in itself, to constitute moral damage.

Combined with the Österreichische Post AG ruling, which establishes that there is no minimum threshold for non-material damages, this ruling could promote the development of class actions in Europe.

It is worth recalling that France, like its European partners, is in the process of transposing into national law the directive of 25 November 2020 on representative actions in defense of the collective interests of consumers.

  • In mid-December, the CNIL published "Data Processing and Freedoms Tables" for data protection professionals.

These tables group and classify summaries of numerous decisions from French and European courts, including the European Court of Human Rights, the Court of Justice of the European Union, the Constitutional Council, the Council of State and the Court of Cassation.

The tables also include certain decisions of the EDPB and the CNIL, focusing on those establishing a new doctrine or setting principles.

  • In mid-December, the CNIL also published a guide to raising awareness of the GDPR in order to support occupational health and safety services (SPST) in their compliance.
  • After the EDPB, it is now the turn of the Directorate General for Competition, Consumer Affairs and Fraud Control to publish a page intended to alert consumers about "dark patterns", i.e. techniques or processes designed to influence the choices of internet users in order to lead them to order products or subscribe to services that they would not have fully chosen.
  • The Ministry of the Interior has just finalized the reorganization of its cybercrime services.
  • The new "Ministry of the Interior Command in Cyberspace" (Comcyber-MI) was created by decree on November 23, 2023, and will coordinate all of the ministry's resources.
  • Another decree formalizes the creation of a new "Anti-Cybercrime Office" (OFAC) which merges, within the Police, the sub-directorate for combating cybercrime and the former Central Office for Combating Crime Related to Information and Communication Technologies (OCLCTIC).
  • Finally, a third decree formalizes the creation of a national cyber unit, attached to the general directorate of the national gendarmerie.

The iliad, CMA CGM and Schmidt Futures Groups have created "Kyutai": a non-profit artificial intelligence research laboratory whose ambition is to tackle the main challenges of AI such as the development of large multimodal models and the invention of new algorithms.

European institutions and bodies

  • The EU reached a political agreement on December 9 on the AI regulation which is expected to be officially adopted at the beginning of 2024.

The provisional agreement would prohibit, for example, cognitive manipulation of behavior, non-targeted collection of facial images from the Internet or CCTV footage, emotion recognition in the workplace and in educational institutions, social scoring, biometric categorization to infer sensitive data, such as sexual orientation or religious beliefs, and certain cases of predictive policing for individuals.

The agreement provides for several exceptions for law enforcement services and migration.

  • At its last plenary meeting, the European Data Protection Board adopted a letter responding to the European Commission's initiative on the voluntary cookie pledge.

The Board generally supports the document, and recommends that companies, when a user has refused the collection of their data, wait a year before renewing their requests for consent, in order to reduce "cookie fatigue", the effect whereby repeated solicitations lead users to click randomly instead of actually exercising their rights.

  • In a ruling dated December 7, 2023, the CJEU clarified that the imposition of a fine for a violation of the GDPR presupposes a violation committed deliberately or negligently.

It further develops the scope of responsibility and the qualification of the data controller: this definition can thus cover an entity which has commissioned a company to develop a mobile application and which has, in this context, participated in determining the purposes and means of the processing, even if this entity has not itself carried out the processing operations and has not explicitly consented to the performance of these operations or to making the application available to the public.

It points out that the qualification of two entities as joint controllers of the processing does not presuppose either the existence of an agreement between these entities on the determination of the purposes and means of the processing or the existence of an agreement which sets the conditions relating to their responsibility.

  • On December 21, the CJEU ruled that the right to compensation under Article 82 of the GDPR fulfills a compensatory function, "in that monetary compensation based on that provision must make it possible to fully compensate for the actual harm suffered as a result of the violation of that regulation," and not a deterrent or punitive function.

The seriousness of the violation that caused the damage in question should therefore not affect the amount of damages.

  • Microsoft has introduced a new version of Outlook intended to replace the email and calendar program integrated into Windows in 2024, which is raising concerns among European data protection authorities.

Microsoft could access emails and attachments when a user adds a non-Microsoft email account to the application, via that account's IMAP and SMTP credentials.

News from European member countries

  • While Marie-Laure Denis is expected to be reappointed as president of the CNIL according to a statement from the Elysée published at the end of November, Helen Dixon, the president of the Irish Data Protection Commission, announced on LinkedIn on November 15, 2023 her departure in February 2024, after 10 years in office.
  • The Italian Data Protection Authority (APD) has fined a data controller 40,000 euros for accessing the email accounts of three of its former employees in violation of Article 5(1) and Article 13 of the GDPR.

The authority also considered that a condominium manager had infringed Article 5(1)(a) and Article 6 of the GDPR by illegally installing a video surveillance system without the prior adoption of a condominium resolution.

The APD imposed a fine of 1,000 euros and a processing ban.

  • The Norwegian Data Protection Authority (APD) has fined the Norwegian Labour and Welfare Administration (NAV) 1,754,678 euros (20 million Norwegian kroner) and issued several orders for 12 violations, attributed to "serious negligence over a long period" in the administration's information security and IT systems.
  • The Danish Data Protection Agency (DPA) has reprimanded the Digital Government Agency for using JavaScript in connection with MitID, the Danish digital identifier.

Although the risks associated with the use of this programming language are known, the Agency used it without conducting a prior risk assessment, thereby violating, among other things, Article 32(1) of the GDPR.

  • An article in New Scientist published on December 18 mentions that an artificial intelligence trained on personal data (medical, professional and financial records) concerning six million Danes was able to predict the risks of death with greater accuracy than existing models, including those used in the insurance sector.

The researchers behind this technology say it could have a positive impact on the early prediction of social and health problems, but that it must remain out of the hands of large corporations.

  • Following the adoption last October of the Online Safety Bill, which was criticized by civil society for compromising end-to-end encryption of communications, the United Kingdom is preparing a new controversial law on investigative powers.

According to a Politico report, the main concern regarding this project relates to the so-called "notices" regime: this would allow the Ministry of the Interior to require companies to inform it of any plans to modify the products or systems of their services, implying a possible loss of control by the companies over their own products and preventing them, for example, from correcting vulnerabilities in the code that the government or its partners would like to exploit.

The bill is currently in the report stage, with the next session scheduled for January 23.

  • Cybersecurity agencies from 18 countries agreed in a document released on November 26, 2023, to create "secure by design" models for artificial intelligence: companies that design and use AI must develop and deploy it in a way that protects their customers and the general public from misuse.

This non-binding agreement was adopted by the United States, Canada, Japan, and 7 EU states (Germany, Estonia, France, Italy, Poland, Czech Republic) as well as Norway and the United Kingdom.

  • In the United States, shortly before the end of the year, Google agreed to settle a $5 billion class-action lawsuit concerning the incognito mode of its Chrome browser. Google was accused of continuing to track, collect, and identify users' browsing data in real time, even after a new incognito window was opened.

According to Euractiv, the specific terms of the agreement are not yet public, but a formal agreement is expected to be submitted to the court by February 24.

  • The California Privacy Agency (CCPA) has come out in favor of a legislative proposal that would require web browser vendors to include a feature allowing people to exercise their rights through "opt-out" preference signals.

The CCPA notes that many browsers currently require consumers to install a third-party plugin capable of transmitting the signal. 

Browsers that natively support opt-out preference signals currently represent less than 10% of the global web browser market.

  • The Federal Trade Commission (FTC) proposed in late December new limits for companies that collect data on children under 13 and stricter standards for the retention of this information, as part of an update to its Children’s Privacy Protection Act (COPPA).
  • Also in the United States, a class action lawsuit accuses the American health insurer Humana of having wrongfully used an AI model to deny elderly people essential rehabilitation care.