
Analytical tools: the impact of a court decision – and intelligence services – on our websites.

Legal Watch No. 44 – February 2022

The "Schrems II" ruling of the Court of Justice of the European Union was already, at the time of its publication in July 2020, considered a major ruling in the context of the protection of personal data, and more specifically transfers to the United States.

Today its consequences are increasingly far-reaching, which follows logically from the Court's findings regarding the risks of American intelligence services accessing European data.

These consequences now affect commonly used tools such as audience measurement solutions and Google fonts.

Last month we already mentioned the cascading decisions taken by the data protection authorities of Austria, the Netherlands, Norway and Germany, to which are now added those of the CNIL and Liechtenstein.

These decisions follow complaints (101 in total) filed with the authorities by Max Schrems and his association NOYB (European Center for Digital Rights) aimed at ensuring that GAFAM complies with the Court of Justice's ruling.

The authorities' conclusions are as follows:

  • Cookie identification data and non-anonymized IP addresses, as used by Google Analytics, are personal data. They may also be combined with other identifiable data held by third parties (intelligence services).
  • The fact that the data is collected via a European website is not relevant to assessing the risk of access by third parties: what matters is the transfer of the data to the United States.
  • Transfers to the United States are only permitted provided that appropriate safeguards are taken, in addition to standard contractual clauses for example, to eliminate the risk of third-party government access to the data.
  • The data protection authorities considered that the additional guarantees taken by Google were not enough to exclude the possibility of access to the data by American intelligence services.

The sanctions currently consist mainly of warnings and orders to block the use of the incriminated tools by website managers. The CNIL reports that it has launched several formal notice procedures in this regard.

While Google Analytics is widely used, the impact of these decisions will not be limited to it: data protection authorities are extending their analysis "to other tools used by sites which result in transfers of data from European Internet users to the United States".

Many European operators, site managers in the public or private sector, are therefore concerned.

We know that prevention is better than cure, and in this case we should turn, where they exist, to tools that do not collect personal data or that store them on local servers.

The CNIL therefore recommends that the tools only be used to produce anonymous statistical data, which also allows for an exemption from user consent.

It has initiated a procedure to evaluate existing solutions and is publishing on its website solutions that meet these requirements, including, for example, Matomo, Wysistat, Beyable, or Compass.

Let us point out that even the most virtuous tools can be configured in different ways: it is the responsibility of the site manager to verify that the configuration actually in use, default settings included, meets the requirements of the law.
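The distinction the authorities draw above is between a full IP address (personal data) and a truncated one usable for anonymous statistics. As an added example, not taken from the Legal Watch text nor from the configuration of any tool it names, the Python below performs that truncation and audits a set of constructed hit records for addresses that were stored unmasked; the mask strengths are assumptions, not any product's defaults.

```python
"""Added example: truncate IP addresses before storage and audit stored
records for unmasked ones. The default mask strengths are assumptions."""
import ipaddress


def anonymize_ip(addr: str, v4_mask_bytes: int = 2, v6_mask_bits: int = 80) -> str:
    """Zero the trailing part of an address.

    IPv4: drop the last `v4_mask_bytes` bytes (1..3).
    IPv6: keep only the leading (128 - v6_mask_bits) bits.
    Raises ValueError for an invalid address or mask length.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if not 1 <= v4_mask_bytes <= 3:
            raise ValueError("v4_mask_bytes must be between 1 and 3")
        keep_bits = 32 - 8 * v4_mask_bytes
    else:
        if not 16 <= v6_mask_bits <= 120:
            raise ValueError("v6_mask_bits must be between 16 and 120")
        keep_bits = 128 - v6_mask_bits
    # strict=False lets ip_network discard the host bits for us.
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)


# Constructed sample records, standing in for an analytics tool's raw log.
CONSTRUCTED_HITS = [
    {"id": 1, "ip": "203.0.0.0"},             # already masked (2 bytes)
    {"id": 2, "ip": "198.51.100.23"},         # full address: personal data
    {"id": 3, "ip": "2001:db8:abcd::"},       # already masked IPv6
    {"id": 4, "ip": "2001:db8:1:2:3:4:5:6"},  # full IPv6 address
]


def unmasked_records(records, **mask_kwargs) -> list:
    """Return ids of records whose stored IP is not already truncated.

    A record passes only if re-applying the mask changes nothing, which is
    the check a site manager can run over what the tool actually stored.
    """
    return [
        r["id"] for r in records
        if anonymize_ip(r["ip"], **mask_kwargs) != r["ip"]
    ]


if __name__ == "__main__":
    print("unmasked record ids:", unmasked_records(CONSTRUCTED_HITS))
```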

In the current context, limiting data accessible to third parties is in any case a practice to be encouraged, whether the risks of access come from across the Atlantic or elsewhere.

And also

France:

The CNIL is submitting a draft position for public consultation until March 11, 2022, regarding “smart” or “augmented” cameras in public spaces.

It also publishes its new 2022-2024 strategic plan, around three priority axes for a trusted digital society: “promoting respect for rights, promoting the GDPR as an asset and targeting regulation on high-stakes subjects”.

Its priority control themes for the year 2022 are commercial prospecting, the cloud and monitoring of teleworking.

France launches a national cybercrime awareness campaign, in cooperation with the media, aimed at guiding the public towards cybersecurity solutions.

Europe:

At its plenary meeting on February 22, the European Data Protection Board (EDPB) adopted a letter concerning the Council of Europe Convention on Cybercrime and its 2nd Additional Protocol, in which it expresses concern about the possibilities for third-party governments to directly request data from European service providers.

It also published guidelines on codes of conduct as instruments for international data transfers, and a letter on liability issues in the context of artificial intelligence.

On February 15, the European Data Protection Board also launched its first coordinated enforcement action on the use of the cloud by the public sector.

Cloud usage, which has doubled in six years in the EU, has seen further growth during the pandemic, with implications for compliance with European legal rules. Twenty-two data protection authorities, including the CNIL, will send questionnaires to 75 public authorities to verify compliance with the GDPR and, if necessary, initiate formal inspections.

CISPE, the organization of cloud infrastructure service providers, has announced the approval of its data protection code of conduct by the EDPB.

Several companies have already signed it, including Aruba, Amazon Web Services, Elogic, Leaseweb, Outscale and OVHCloud.

The code notably provides for the possibility for users to choose to store data in the European Economic Area.

NGOs may also be subject to controls: The Belgian Data Protection Authority has issued two sanctions against the NGO EU DisinfoLab and one of its researchers, following a referral to the CNIL. The GDPR violations identified relate to the mass collection of data as part of a study aimed at identifying the political leanings of people who posted tweets on the "Benalla affair."

In a significant decision, the Belgian data protection authority also fined the European Interactive Advertising Bureau (IAB Europe) €250,000 for violation of the principles of lawfulness, fairness and transparency, lack of technical and organizational data protection measures, and lack of a register, an impact assessment and the appointment of a DPO. Behind this list of offenses, it is the principle of “real time bidding” (the auctioning of Internet users’ data via consent management platforms, or CMPs) which is sanctioned, given its total opacity for the persons concerned.

The Italian data protection authority has sanctioned a private club up to €2,000 for having directed its surveillance cameras towards the public highway, without clear signage, in violation of Articles 5(1)(a), 5(1)(c) and 13 of the GDPR.

In the Netherlands, the District Court of The Hague has sanctioned an employer who secretly recorded his employee's telephone conversation. For the court, suspecting an employee of contacting his clients to set up his own business is not enough to legitimize the secret recording of calls.

Also in the Netherlands, the Data Protection Authority fined a media company €525,000.00: the company asked people exercising their right of access to their data for a copy of their identity card, a request considered unjustified and in violation of Article 12(2) of the GDPR.

The Spanish Data Protection Authority has imposed a €200,000 penalty on the Spanish Football Federation for sharing the recording of a video conference on Zoom without prior information or consent of the participants.

Also in Spain, Amazon's road transport business was fined €2,000,000.00 for the illegal collection of criminal record information as part of its recruitment process.

International:

The International Committee of the Red Cross has just been the victim of a highly sophisticated cyberattack with potentially significant consequences, given the sensitivity of the data processed by the organization. Its website provides exemplary information for the public as of February 16, explaining the circumstances of the attack, the potential risks, and the actions taken to mitigate these risks.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
