News from the supervisory authorities: celebrations and supervision
Legal Watch No. 31 – January 2021
The last few days have been an opportunity to celebrate (virtually) several anniversaries.
On January 28, privacy stakeholders in Europe, Africa, the Americas and the Asia-Pacific region organized several events to mark the 15th anniversary of the Data Protection Day.
Let us add that Convention 108 (Council of Europe Convention on the Protection of Personal Data) celebrates its 40th anniversary this year.
The occasion was also one for taking stock and for an official declaration emphasizing the need to preserve "human dignity and integrity in the era of automated decisions made by artificial intelligence and algorithms", and to develop a common legal space at the international level to facilitate the flow of data between countries.
Digital technology is thus at the heart of current debates, with a declaration by the Committee of Ministers of the Council of Europe on safeguarding the right to data protection in the digital environment, and the adoption of guidelines on facial recognition.
One of the most important international conferences on data protection, "Computers, Privacy and Data Protection", which took place at the end of January, confirmed these concerns with three days of online discussions on the theme of "enforcing rights in a changing world".
While data protection authorities have been given increased powers to enforce the GDPR, questions remain about their strategy, European cooperation, and the effectiveness of sanctions in light of the influence of "big tech" companies such as Google and Amazon.
Fines imposed in Europe in 2020 total €272.5 million, and the three most active countries in this regard are Italy, Germany and France, as indicated in a recent report by DLA Piper on the subject.
The CNIL is not short of sanctions, whether against major digital players or against very small, small and medium-sized enterprises (VSEs and SMEs), with fines scaled to the turnover of the organisations concerned.
But while multinationals can set aside certain sums as part of a sanction procedure, the impact on smaller structures can be significant, in financial terms or in terms of public image.
Concretely, the latest CNIL sanctions for GDPR violations were justified by breaches of security rules and by non-compliance with the rules on commercial prospecting.
The company Nestor was thus fined 20,000 euros for failing in its obligation to obtain the consent of prospects and for not respecting the rights of the data subjects (information, access).
The lack of appropriate security measures is also in the CNIL's sights, in this case as in the more recent one involving a credential stuffing attack: the data controller and its processor had omitted certain essential protections, such as limiting the number of requests allowed on a web page and the use of a CAPTCHA.
In that case the CNIL imposed fines of 150,000 and 75,000 euros respectively. It took the opportunity to recall on its website the measures aimed at protecting personal data against this type of attack.
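As an added illustration (not part of this newsletter and not the CNIL's own guidance), the following Python sketch shows the two protections the passage names applied to a login endpoint: a per-account request limit that steps up to a CAPTCHA challenge, and a per-source limit combined with a count of distinct accounts tried from one source, which is the signature of credential stuffing and is refused outright. Thresholds, window length, IP addresses and account names are constructed assumptions.

```python
"""Login rate limiting with CAPTCHA step-up: an added, constructed example.

Credential stuffing replays leaked username/password pairs against a login
form, typically many different accounts from a few sources in a short time.
Two inexpensive controls are a cap on requests per time window and a CAPTCHA
challenge once that cap is approached. The thresholds below are assumed
values chosen for illustration, not regulatory requirements.
"""
from collections import defaultdict, deque

ALLOW, CAPTCHA, BLOCK = "allow", "captcha", "block"


class LoginGuard:
    """Sliding-window counters keyed by (source IP, account) and by source IP."""

    def __init__(self, window=60.0, captcha_after=5,
                 block_after=20, distinct_accounts_after=10):
        self.window = window                    # seconds of history kept per key
        self.captcha_after = captcha_after      # attempts on one account before CAPTCHA
        self.block_after = block_after          # total attempts from one IP before block
        self.distinct_accounts_after = distinct_accounts_after  # accounts per IP: stuffing signature
        self._per_pair = defaultdict(deque)     # (ip, account) -> attempt timestamps
        self._per_ip = defaultdict(deque)       # ip -> (timestamp, account)

    def _prune(self, dq, now, ts=lambda entry: entry):
        """Drop entries older than the window from the left of a deque."""
        cutoff = now - self.window
        while dq and ts(dq[0]) < cutoff:
            dq.popleft()

    def decide(self, ip, account, now):
        """Record one login attempt and return ALLOW, CAPTCHA or BLOCK.

        Call this before verifying the password, so that every attempt counts
        whether or not the credential is valid: stuffing traffic is mostly
        failures, but the occasional successful hit is the one that matters.
        """
        pair = self._per_pair[(ip, account)]
        per_ip = self._per_ip[ip]
        self._prune(pair, now)
        self._prune(per_ip, now, ts=lambda entry: entry[0])
        pair.append(now)
        per_ip.append((now, account))

        distinct_accounts = len({acct for _, acct in per_ip})
        if len(per_ip) > self.block_after or distinct_accounts > self.distinct_accounts_after:
            return BLOCK      # volume or account spread from one source: refuse outright
        if len(pair) > self.captcha_after:
            return CAPTCHA    # repeated tries on one account: require a challenge
        return ALLOW


if __name__ == "__main__":
    guard = LoginGuard()
    # Constructed traffic: one source (a TEST-NET address) cycling through many accounts,
    # one attempt per second. Attempts are allowed until the distinct-account threshold
    # is crossed, then blocked.
    for second in range(12):
        user = f"user{second}"
        print(second, user, guard.decide("198.51.100.9", user, now=second))
```

The counters live in process memory here; behind a load balancer they belong in a shared store so that every web node sees the same history, and the source key should take the client address from a trusted proxy header rather than the socket peer. The per-account counter alone would not catch stuffing (each account sees only one or two attempts), which is why the per-source view is the one that blocks.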
The CNIL also focuses on the use of cookies and how websites comply with its guidelines.
As a reminder, it published guidelines on this subject at the end of 2020, specifying in particular how to obtain Internet users' consent to the use of trackers.
And also
France:
On January 26, the CNIL issued its opinion on the bill concerning global security.
It has reservations about the use of drones and advocates prior experimentation, citing the expanded image capture that this technology allows, with tracking of people in their movements, without their knowledge and over a potentially long period of time.
It adds that these surveillance devices are likely to have a greater impact than traditional cameras on citizens' exercise of other fundamental freedoms (right to demonstrate, freedom of worship, freedom of expression).
It also questions the conditions of use of cameras installed in certain vehicles, as well as video surveillance, in particular the real-time transmission of images to law enforcement.
Europe:
- The Norwegian supervisory authority intends to fine Grindr 10 million euros. Not only does the app offer only "take it or leave it" terms and conditions that do not allow users to consent or not to the sharing of their data, but no information was provided to them regarding this sharing of (sensitive) data with the MoPub advertising platform used by Twitter, which allowed onward sharing with more than a hundred clients.
- In Italy, the data protection authority ordered TikTok to block any use of data from users whose age has not been verified.
It accuses TikTok of a flawed verification system that risks exposing minors under 13 to inappropriate content.
This decision, taken urgently, follows a tragedy which cost the life of a ten-year-old girl who participated in a challenge on the social network which went viral (the scarf game).
- The Belgian data protection authority has put the government on notice regarding the conditions, deemed too broad, under which the National Social Security Office can share personal data (Covid health data).
It calls for an adjustment to the text of the royal decree which specifies the conditions for sharing data.
International:
New York State has just passed a law suspending the use and purchase of facial recognition technology and other biometric identifiers in schools until July 2022.
The Governor of New York directs the Commissioner of Education to conduct a study on the appropriateness of this technology in the educational environment.
Anne Christine Lacoste
Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.