New year, review and outlook.

After a year that some are calling an annus horribilis, 2021 is being welcomed by many as a hope for change.

It is true that recent months have tested the resilience of our societies in unprecedented ways.

The impact of the pandemic on our health, but also on our political systems and our fundamental rights, is far from trivial.

Data protection authorities have devoted a large part of their time to support and monitoring in key and very diverse areas related to the virus:

  • Medical research,
  • Population surveillance by drones,
  • Teleworking,
  • Distance learning,
  • Anti-covid tracking apps,
  • Vaccination data,

And the broader question of the processing of health data by public authorities outside the medical framework.

This particular attention to the issues raised by the management of the pandemic has not, however, prevented the CNIL from adopting several notable sanctions, including two concerning the web giants Google and Amazon, for amounts of several tens of millions of euros.

Other players have been fined lesser amounts, adapted to their turnover, and these sanctions have affected both large commercial players (see the December editorial concerning Carrefour) and very small businesses: a company employing two people and specializing in sending commercial prospecting emails has just been fined 7,300 euros, in particular for failure to comply with the obligation to obtain consent, with a penalty payment of 1,000 euros per day of delay if compliance is not achieved within two months.

We won't dare predict what the new year will bring. However, it is still possible to identify the main areas and priorities of data protection stakeholders for the coming months.

In addition to the processing of health data and associated surveillance measures, ethics and the development of artificial intelligence and new technologies remain a priority.

This is what the European Data Protection Board (EDPB) highlights in its 2021-2023 Strategy, which targets in particular:

  • Biometrics,
  • Profiling,
  • Ad tech technologies,
  • Cloud services and
  • The blockchain.

The Board also indicates that it wants to address not only data protection specialists but also, directly and more concretely, data controllers, with guidelines aimed at supporting VSEs and SMEs.

The concentration of companies in the field of digital services is also in the sights of the European authorities (see below, "Europe"), as are data transfers between Europe and the rest of the world.

Following the Schrems II ruling of the European Court of Justice, greater attention is being paid, on the one hand, to the surveillance regimes and laws in force in third countries, and on the other hand, to the precautions to be taken in the context of transfers, which include data encryption.

Still on the subject of data transfers, let us add that even though the UK has now left the European Union, data can still flow freely between the UK and the EU for the next six months, the GDPR still being applicable there on a transitional basis.

The transfer regime will then depend on the adoption by the European Commission of an adequacy decision.

Otherwise, guarantees (such as contractual clauses) will have to be taken before considering any transfer.

Despite the upheavals experienced in recent months, and perhaps partly because of these upheavals which have further increased our use of new technologies and the development of the virtual, the preservation of fundamental rights is more relevant than ever.

Let us bet that we will rise to the technological and human challenges that await us.

And also

France:

  • The Council of State confirmed in its order of December 22 the immediate suspension of the decision of the police prefect concerning the use of drones in the context of demonstrations or gatherings on public roads.

The Council of State orders the cessation of drone surveillance measures for these demonstrations or gatherings, until a text authorizing the creation of a personal data processing system has been adopted.

It remains to be seen whether the proposed Global Security law will be able to justify such use of drones.

In its assessment of the urgency, the Council of State mentions in this regard "the significant number of people likely to be subject to the disputed surveillance measures and the infringement that they are likely to cause to the freedom of demonstration", as well as the fact that "the minister does not provide any evidence to establish that the objective of guaranteeing public safety during gatherings of people on public roads could not be fully achieved, in the current circumstances, without the use of drones."

  • In terms of facial recognition, the Council of State, on the other hand, in a decision of November 4, validated online authentication based on biometric data allowing access to certain public administration tele-services (Alicem).

The Council of State considers in particular that the data collected are necessary and proportionate to the purpose of the processing (biometric data are destroyed after creation of electronic identifiers) and that users retain the possibility of accessing the services via a separate identifier.

  • On December 7, the CNIL fined Amazon Europe Core €35 million for placing cookies on the computers of visitors to its site without prior consent or satisfactory information.

Europe:

  • The press has widely commented on the publication by the European Commission of its proposal for regulation of digital services.

This new legal framework, if approved by the European Parliament and the Council, will result in a major update of the European eCommerce Directive with the aim of better protecting consumers and promoting a more balanced digital market.

The text creates significant obligations for "tech" players, in particular access platforms such as Google or Facebook.

These will have to put in place measures for information, reporting, auditing, risk management and cooperation.

A European Digital Services Board will be created, with a role comparable and complementary to that of the European Data Protection Board.

These obligations should come into force no earlier than 2023.

  • A man has been convicted of murder in Germany based on a recording made by Amazon's Alexa voice assistant.

The man had used the voice assistant at the crime scene, which confirmed his presence there.

Amazon provided the judges, at their request, with the recordings that were stored on servers abroad.

Regardless of the question of the use of such recordings for legal purposes, the processing of data by voice assistants has been the subject of a clarification by the CNIL, available on its website.

International:

  • Russia: Facebook has paid a fine of four million rubles (fifty thousand dollars) for refusing to locate its Russian users' data in Russia, a requirement that all foreign companies operating in the field of new technologies are subject to.

Russian authorities previously blocked the social network LinkedIn for the same reasons.

  • China is preparing to regulate the use of biometrics and facial recognition in its personal data law.

According to the spokesperson for the Legislative Affairs Committee, if the objective is to respect the principles of proportionality and necessity in data processing, "many options remain open."

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
