Complaints and sanctions: what is the 2024 agenda for data protection authorities?
Legal Watch No. 65 – November 2023.
The entry into force of the GDPR has led to increased awareness of data protection, both among data controllers and individuals.
This has resulted in an increase in complaints to data protection authorities (DPAs), which are sometimes accused of not following up on these complaints for lack of sufficient resources.
While in the United Kingdom the Information Commissioner has decided to no longer deal with certain types of complaints considered non-priority, in the European Union the authorities are in principle required to deal with any complaint, provided of course that it is admissible.
Thus, the Norwegian Privacy Appeals Commission overturned a decision by the DPA to close a complaint case by a simple information letter to the data controller, obliging the controller to assess the legality of the processing and stressing that the data protection authority cannot freely choose which cases to investigate or not.
In France, the CNIL introduced a simplified sanction procedure in 2022, allowing it to process certain types of complaints more quickly.
These are cases for which there is established case law, decisions previously rendered by the restricted panel, or questions of fact or law that prove simple to decide.
The procedure is written, but it allows the organization concerned to be heard and to present oral observations.
Sanctions are more limited under this procedure and may consist of a warning, an order to bring the processing into compliance (possibly accompanied by a penalty of up to €100 per day of delay), or an administrative fine of up to €20,000.
The CNIL has just sanctioned ten private and public actors with a total of €97,000 in fines for breaches of:
- the obligation to respond to requests from the CNIL;
- the data minimization principle;
- the obligation to inform individuals about the processing implemented and its purposes;
- the obligation to respect the rights of individuals, and in particular to respond to a request for objection.
The CNIL highlights that two issues stand out in particular from the complaints it has had to deal with: geolocation and permanent video surveillance of employees.
The processing carried out is often done in violation of the principle of data minimization provided for in the GDPR.
The CNIL notes in particular that "the continuous recording of geolocation data, without the possibility for employees to stop or suspend the device during break times, is, unless specifically justified, an excessive infringement on the freedom of movement and the right to privacy of employees."
The same applies to video surveillance systems that constantly film employees at their workstations.
"The prevention of workplace accidents and the establishment of evidence do not justify the implementation of continuous video surveillance of workstations," and the personal data collected do not appear to be adequate or relevant.
Constant monitoring of employees is, with few exceptions, disproportionate to the objectives pursued.
The CNIL announces its intention to intensify its repressive policy in 2024, and to make its decisions within shorter timeframes.
It should be noted that, within the framework of their collaboration at the European level, the DPAs that are members of the European Data Protection Board have decided to prioritize the rights of individuals next year: their coordinated action will focus on how data controllers respond to requests from individuals to access their data, a topic that should be included in the CNIL's upcoming simplified sanction procedures.
- On November 15, the CNIL published a reference guide on retention periods for the most common processing operations in the social and medico-social sectors, together with a practical guide offering a methodology to the professionals concerned.
- In partnership with the French Competition Authority (AdlC) and the Toulouse School of Economics, the CNIL is organizing an event on December 12th entitled "Data Protection and Competition: A Shared Ambition." During this half-day event for regulators, researchers, and professionals, the AdlC and the CNIL will adopt and present a joint declaration.
- On November 9, 2023, the CNIL (French Data Protection Authority) issued a warning to the Ministry of Transformation and Public Service and the Ministry of Economy, Finance and Industrial and Digital Sovereignty for using the contact details of more than two million public officials in order to communicate and justify the pension reform project then being adopted.
The minister had used ENSAP, a digital platform on which confidential documents of public officials, such as their monthly payslips, are made available.
The restricted CNIL panel notably recalled that the ENSAP platform cannot be used for communication of a political nature.
- In a decision dated November 16, the Constitutional Council censured the remote activation of mobile phones to capture sound and images, a measure provided for by the law on the orientation and programming of justice, examined together with the organic law relating to the opening, modernization and responsibility of the judicial body.
The Council considers that this remote activation, which spares investigators the need to physically enter private premises in order to install surveillance devices, is likely to cause a particularly significant and disproportionate infringement of the right to respect for private life.
It also emphasizes that this measure makes it possible to monitor both those targeted by the investigations and third parties.
However, the Constitutional Council does not censure the remote activation of electronic devices for geolocation purposes.
- By an interim order dated November 22, 2023, the administrative court of Caen held that the Briefcam algorithmic video surveillance system used by the Cœur Côte Fleurie intercommunal authority (including Deauville-Trouville) constitutes a serious and manifestly illegal infringement of the right to privacy, and has ordered those responsible to erase the personal data resulting from the use of the software.
The interim relief judge noted that the use fell outside of any legal or regulatory framework and considered that "it has not been established, nor even alleged, that other less intrusive means with regard to privacy could not have been implemented in order to preserve public order."
- On November 8, 2023, a coalition of six organizations, including La Quadrature du Net and EDRi, filed an appeal with the Council of State against the French decree implementing the regulation relating to the fight against the dissemination of terrorist content online.
They are asking the Council of State to refer a preliminary question to the Court of Justice of the European Union (CJEU) on the validity of TERREG with regard to the fundamental rights protected by European Union law, and point to the infringements on freedom of expression and the right to online information.
European institutions and bodies
- On November 28, the European Parliament's Environment and Civil Liberties Committees adopted their position on the creation of a European Health Data Space, intended to promote the portability of personal health data and safer sharing.
Members of Parliament want, in particular, to make it mandatory to obtain explicit authorization from patients for the secondary use of their health data.
- The European Union has adopted a revision of the eIDAS regulation, paving the way for the introduction of a digital identity across the EU.
Some aspects remain contested, in particular the "Qualified Website Authentication Certificates" (QWACs), which will require browsers to accept government-issued root certificates designed to prevent fraud and identity theft. Some cybersecurity experts consider this a risk of intrusion into web authentication, since browser vendors would not be able to reject a QWAC even if it represented a security threat.
- Negotiations on the future AI regulation are still ongoing at the time of writing, and a number of questions remain unanswered, including how foundation models (such as the one behind ChatGPT) are to be addressed by the regulation.
A position statement from civil society communicated to European negotiators on November 16 also highlights the issue of the extent of protection against harm related to the use of AI for policing, migration and national security purposes.
- The European Data Protection Board (EDPB) adopted guidelines on November 14 regarding the technical scope of Article 5(3) of the ePrivacy Directive.
The Board explains that the emergence of new tracking methods, intended to replace existing tracking tools such as cookies and to create new business models, has become a major data protection concern.
The guidelines specifically address "device fingerprinting" and the most common techniques such as URL and pixel tracking, IP-only tracking, Internet of Things (IoT) reporting, and unique identifiers.
- The European Data Protection Supervisor (EDPS) published a "TechDispatch" in mid-November dedicated to explainable artificial intelligence ("explainable AI"), in order to address the "black box" effect of AI.
It addresses the issue of the risks of opaque AI systems and describes how AI can incorporate transparency, interpretability, and explainability.
The EDPS also published on November 8 a study on the essence of the fundamental rights to respect for privacy and the protection of personal data.
This document examines the requirement to respect the "essence" of these rights when they are limited under European Union (EU) law.
- In a decision dated November 9, the CJEU clarified its interpretation of personal data.
It held that vehicle identification numbers are not, as such, personal data.
However, they become personal data when a natural person who has access to them has the means to identify the owner of the vehicle.
- The CJEU adopted two important rulings on December 7 concerning the dominant provider of credit information services (“Schufa”) in Germany.
The Court held, in particular, that automated creditworthiness assessment ("scoring") falls within the general prohibition of Article 22 of the GDPR.
It adds that a company that establishes a credit score by automated means remains subject to Article 22 even if another company relies on that score to make decisions that have a (negative) impact on the person concerned, reasoning that could have an impact on AI-assisted systems.
The Court also confirmed that national courts have extensive powers to oversee data protection authorities.
- The European Court of Human Rights published in November a document listing its case law on the protection of personal data.
- ENISA, the European Union Agency for Cybersecurity, has published the 2023 overview of cyber threats by sector of activity.
According to the "Threat Landscape 2023", public administration and governments remain prime targets, followed by the health, manufacturing, transport and finance sectors.
- On November 28, the NGO noyb filed a complaint against Meta with the Austrian data protection authority.
noyb contests the "choice" given to European users between consenting to be tracked for personalized advertising purposes or paying up to 251.88 euros per year "to preserve their fundamental right to data protection on Instagram and Facebook."
In the same context, the European Consumer Organisation (BEUC) filed a complaint on November 30 with the network of consumer protection authorities (CPC) on the grounds that Meta is engaging in unfair commercial practices.
It also assesses whether Meta is in breach of the GDPR.
- 110 civil society organisations are calling on EU policymakers to reject the ongoing EURODAC reform.
The database, designed to collect and store data on asylum seekers, "would be transformed into a surveillance tool treating people seeking protection as criminal suspects, including children as young as 6 whose fingerprints and facial images would be integrated into the database."
News from European member countries
- In Belgium, the DPA (APD) considered on November 23, in a case of workplace surveillance, that continuous camera monitoring of work does not comply with the principle of data minimization.
The APD Disputes Chamber stated that this was a serious breach but, as it concerned a small company, it notified it of the violation and asked it to bring the processing into compliance without imposing a fine.
- The Danish Data Protection Authority rejected the City of Copenhagen's plan to develop AI tools to identify citizens in need of rehabilitation, because the national legislation invoked for the purposes of Article 6(1)(e) and Article 6(3) of the GDPR was not sufficiently specific regarding the scope of AI use.
- The German Federal Labour Court implemented CJEU decision C-453/21, holding that the chairman of the works council of a subsidiary had been rightfully dismissed as the DPO of the group of companies because of a conflict of interest between the two roles.
- In the Netherlands, the DPA imposed corrective measures on November 24 on the employee insurance agency (Uitvoeringsinstituut Werknemersverzekeringen, UWV) with regard to 703 people receiving benefits.
Until the beginning of this year, UWV was illegally tracking the online behavior of these people receiving unemployment benefits using an algorithm.
- In the context of a procedure under Article 60 of the GDPR, the Irish data protection authority reprimanded Airbnb Ireland for breaching the data minimization and storage limitation principles, and for having invalidly invoked Article 6(1)(f) of the GDPR as a ground for processing when retaining the identity documents of a data subject.
- The Italian DPA launched an investigation in late November into public and private websites to verify the adoption of appropriate security measures to prevent the mass collection (web scraping) of personal data by third parties for the purpose of training artificial intelligence algorithms.
- The Berlin Regional Court held that LinkedIn had engaged in unfair business practices and violated the GDPR by not treating the "Do Not Track" (DNT) browser setting as an objection to processing and by pre-checking the "off-LinkedIn visibility" setting when users create an account for the first time.
According to the court, DNT signals, despite the lack of standardization, constitute an effective objection to data processing: in other words, the right to object provided for by the GDPR can also be exercised by automated means such as browser settings.
- The G7 digital and technology ministers and the OECD met virtually on December 1, 2023 to continue their discussions aimed at operationalizing the "Data Free Flow with Trust" (DFFT) in order to facilitate cross-border data flows.
Progress and next steps are detailed in a press release available online.
- The CEOs of the largest social media platforms appear before the US Senate Judiciary Committee on December 6 to testify about the sexual exploitation of children and the alleged failure of companies to protect children on their platforms.
- The Australian government has responded publicly to the Privacy Act Review Report published on 28 September 2023, and affirms its commitment to strengthening Australian privacy standards to bring them more closely into line with global standards.

A series of proposals would aim to introduce additional protections regarding children's privacy.
- Elon Musk announced that Grok, his artificial intelligence chatbot, would be operational in early December.
Developed by xAI, Musk's AI company, the chatbot will be an in-app feature for X Premium+ subscribers.
- YouTube has published a blog post announcing various measures aimed at labeling AI-generated content and combating "deepfakes".
The company intends to introduce updates that will inform users when the content they see is synthetic.
YouTube will therefore ask creators to indicate whether they have created realistic modified or synthetic content, including using AI tools.