A new year under the sign of expectation
Legal Watch No. 42 – December 2021
In terms of data protection, the year that begins does not herald any major new developments, but rather an evolution and perhaps strategic decisions concerning certain current issues.
Let's focus on three of them: the implementation of the GDPR by supervisory authorities, health issues, and the regulation of digital giants.
One of the recurring themes since the GDPR came into force concerns the seriousness of its implementation by national data protection authorities, and the large gap between the number and severity of sanctions adopted, depending on whether the person responsible is in Ireland or Spain, for example.
The latter country appears to be one of those having imposed the greatest number of sanctions, while Luxembourg and the CNIL can claim the highest fines against GAFAM (recall the 746 million euro fine imposed by Luxembourg on the company Amazon).
At the other end of the spectrum is Ireland's data protection authority, which has been openly criticized by some of its peers, as well as by the vice-president of the European Commission, for its laxity towards major web players.
In order to strengthen the cohesion and effectiveness of control procedures within Europe, some are talking about strengthening the powers of the European Data Protection Board (EDPB).
The issue will be addressed at a conference organized by the European Data Protection Supervisor on June 16 and 17 in Brussels.
The processing of health data constitutes, in the wake of the health crisis, another major subject of concern.
The issues concerned are:
- Questions related to medical research conditions,
- The processing of genetic data and the risks of resale by certain laboratories of data collected as part of screening tests, as demonstrated by the recent British case of the company Signpost Diagnostics,
- Tracking individuals via apps and other health passes,
- And finally, risks related to data security: we are thinking in particular of the data breach concerning the Covid test results of the company FranceTest, which was formally ordered by the CNIL last October to secure its data, or the data leak concerning the Assistance Publique-Hôpitaux de Paris.
Although the CNIL regularly publishes its positions on this subject, we note that in its deliberation to parliament dated 30 November, it indicated that it was waiting for the government to provide elements intended to support the effectiveness of the files and means of control implemented.
A third topical issue concerns the European Union's regulatory initiatives concerning digital services and artificial intelligence.
In addition to cookie management, which remains in the crosshairs of national authorities, the European legislator is concerned about the growing power of web giants, these intermediaries in a dominant position that provide messaging and social networking services.
Also at issue is the use of biometrics and artificial intelligence for increasingly intrusive profiling purposes, and the manipulation of Internet users without their knowledge (dark patterns) through the presentation of targeted content.
Several texts are in the process of being adopted at European level, including two proposals from the European Commission on digital markets and digital services, and a proposal concerning artificial intelligence.
The European Parliament adopted its position on the proposal on digital markets on 5 December.
Among the changes made to the text is the addition of a requirement for interoperability between the services of the main instant messaging and social networking platforms, the aim being to allow users to easily change service providers and combat dominant positions.
At the start of the French Presidency of the Council of the European Union, the European Data Protection Supervisor has just presented his best wishes for success to the French government, while stressing the importance of these three major issues related to digital technology and artificial intelligence and indicating that he will closely monitor developments in these areas.
While some priorities already seem to be well identified, let's hope that this new year brings us all its share of nice surprises, as well as big breaths of fresh air, finally.
And also
France:
On January 6, the CNIL fined the company Google 150 million euros and the company Facebook 60 million euros for failure to comply with legal provisions regarding cookies.
On December 28, the CNIL imposed a fine of 300,000 euros on the company FREE MOBILE, in particular for not having respected the rights of individuals and the security of its users' data.
On the same date, it also sanctioned the company SLIMPAY, which offers payment solutions to its customers, with a fine of 180,000 euros for failing to adequately protect users' personal data and failing to inform them of a data breach.
On November 26, the president of the CNIL gave formal notice to the company CLEARVIEW AI to stop collecting photographs and videos available online, and to delete the data within 2 months.
The company has developed facial recognition software whose database is based on the extraction of photographs and videos publicly available on the internet.
A new version of the CNIL developer guide has just been published. This guide provides new content designed to support web and application development professionals in ensuring their work is compliant.
In December, SNCF moved its 7,000 servers and 250 applications to Amazon's cloud, specifically to three data centers in the Paris region.
The company's goal is also to expand its use of artificial intelligence.
Europe:
The European Data Protection Board published guidelines on December 14 to help data controllers manage security breaches.
The text includes a large number of examples and develops the measures to be taken depending on the type of offense.
The European Union Agency for Fundamental Rights (FRA) is publishing, in collaboration with data protection authorities, a guide intended to better inform asylum seekers and migrants about the use made of their fingerprints.
When stopped at the external border of the European Union, they are required to give their fingerprints, which are stored in the Eurodac file.
On December 1, the Administrative Court of Wiesbaden (Germany) ordered the RheinMain University of Applied Sciences to stop all use of the “Cookiebot” consent manager. The reason for this was the illegal transfer of website visitor data to the United States.
The Finnish Data Protection Authority fined a psychotherapy company more than €600,000 on 7 December for failing to adequately ensure the security of its patients' data and failing to inform them of two security breaches that led to blackmail against the patients concerned and the company itself.
The Norwegian Data Protection Authority imposed a fine of 6,300,000 euros on Grindr for sharing its users' data with third parties for profiling and advertising purposes, without their consent.
The Dutch Tax Administration was fined EUR 2,750,000 for processing data without a legal basis and in violation of the principle of fairness (Articles 5(1)(a) and 6(1)(e) GDPR).
The Belgian Ministry of Defence was the victim of a serious cyber attack on December 20 caused by exploitation of the Log4Shell vulnerability, which impacted the administration's activities for several days.
The Belgian Data Protection Authority fined a company 10,000 euros for purchasing a database for direct marketing purposes without checking that the data had been collected legally.
The company also failed to inform the individuals concerned of this indirect collection and to respond to an individual's request for access.
International:
Amazon has filed several patent applications for biometric technologies designed to enable videophone cameras to detect suspicious individuals based on various criteria: smell, skin texture, fingerprints, eye, voice and gait.
South Korea has been considered to provide an adequate level of protection since December 17. The European Commission's decision comes a few months after the conclusion of a free trade agreement between the European Union and Korea, which came into force in July 2021.
From February 15th, the Chinese government will subject Chinese companies with international business operations to a series of cybersecurity controls.
The checks are intended to limit the transmission of strategic data outside the country.