Key takeaways from December and January include:

  • Cookies: Businesses should consider reviewing their cookie compliance following major CNIL fines against Microsoft (€60 million) and TikTok (€5 million), which underline that user consent must be obtained and that refusing cookies must be as easy as accepting them;
  • More on cookies: Websites are advised to implement user-friendly cookie consent mechanisms such as prominent “reject” buttons and forgo the use of pre-ticked opt-in boxes, per the Cookie Banner Task Force report, adopted by the European Data Protection Board (“EDPB”);
  • GDPR access rights: Controllers responding to data subject access requests may be expected to disclose the specific recipients of the individual’s personal data, and not just categories of recipients, following a recent European Court of Justice (“CJEU”) judgment and Swedish court ruling;
  • User consent: Businesses may wish to review their consent flows in light of CNIL fines against Apple (€8 million) and Voodoo (€3 million), ensuring consent is obtained for all trackers and identifiers used for advertising purposes, with settings that are easily accessible and changeable;
  • Tech advertising: Companies relying on contractual necessity as the lawful basis for processing personal data to deliver personalised advertising, or for service improvements and generalised security, may want to consider alternative lawful bases following Irish DPC fines against Facebook (€210 million), Instagram (€180 million), and WhatsApp (€5.5 million);
  • ICO transparency changes: Organisations face an increased publicity risk from data breach notifications and enforcement action following the UK ICO’s new practice of publishing records of breach notifications, complaints, reprimands, and audits;
  • Identity theft: Data protection obligations and identity theft prevention controls should be considered together, as highlighted by the Spanish AEPD’s recent €30,000 fine against a telecom provider for processing an identity theft victim’s data without consent; and
  • Employee monitoring: Employers should ensure that employee monitoring practices are appropriately assessed and consider a lawful basis other than consent, following recent enforcement by the Estonian AKI and Italian Garante that extends a trend amongst DPAs rejecting employer reliance on consent.

These developments, and more, are covered below.

CNIL fines Microsoft €60 million and TikTok €5 million for alleged unlawful cookie practices

What happened: On 19 December 2022, the French CNIL fined Microsoft Ireland Operations Ltd €60 million for:

  1. depositing, without users’ consent, cookies serving multiple purposes, including targeted advertising and advertising-fraud prevention, when users visited bing.com; and
  2. failing to implement a mechanism to allow users to refuse cookies as easily as accepting them.

On 29 December 2022, the CNIL fined TikTok UK and Ireland as joint controllers €5 million for failing to:

  1. offer users the ability to refuse cookies as easily as accepting them (several clicks were required to refuse all cookies, as opposed to just one to accept them); and
  2. inform users in a sufficiently precise manner about cookie purposes.

When calculating the fine, the CNIL cited the large scale of the data processing and the high proportion of minors (38% were between 13 and 17) as aggravating factors.

The fines follow non-compliance notices that the CNIL served on 60 organisations that did not allow users to refuse cookies as easily as to accept them.

What to do: Businesses should consider reviewing their cookie policy based on the CNIL’s cookies guidelines, in particular ensuring that it is as easy to refuse cookies as it is to accept them.

EDPB’s cookie banner task force report highlights user-friendly design choices

What happened: In January 2023, the EDPB adopted a final report on the Cookie Banner Task Force’s work. The Task Force was convened in September 2021 following hundreds of cookie banner-related complaints from the European Center for Digital Rights.

Intended to reflect a “minimum threshold” for compliance with the GDPR and ePrivacy Directive, as implemented in the EU Member States, the report emphasises the need for informed consent from users. Best practices include:

  • placing a reject button that is prominent enough within the cookie banner to draw user attention;
  • not using pre-ticked boxes to obtain opt-in consent;
  • avoiding deceptive design choices, such as misleading colours and contrasts;
  • implementing a clearly visible icon or link that allows users to withdraw consent at any time;
  • not using multi-level banners that may mislead users to believe refusing cookies is not possible;
  • classifying cookies as “essential” or “strictly necessary” only when they serve essential or necessary purposes under the ePrivacy Directive or the GDPR; and
  • ensuring reliance on the notion of “legitimate interests” for subsequent data processing activities only where an overriding legitimate interest exists.

What to do: Organisations may want to map their existing cookie banner design against the report’s recommendations to ensure alignment with the regulatory expectations it sets out.
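The design points above map onto a small amount of client-side gating logic, and the failures the regulators cite (tags firing before any choice, “reject” buried behind extra clicks, consent that cannot be withdrawn) are usually implementation defects rather than banner wording. The following is an added example written for this post, not code from the EDPB report or from the original article. The ConsentManager class, the cookie catalogue and the in-memory MemoryCookieJar are all constructed for illustration; a browser build would replace the jar with one that writes document.cookie.

```javascript
// Added example (not code from the EDPB report or the original post): a
// consent gate that applies the Task Force report's design points. The
// ConsentManager, the cookie catalogue and the in-memory jar are constructed
// for illustration; a browser build would swap MemoryCookieJar for one that
// writes document.cookie.

// Constructed catalogue. Only cookies needed to deliver what the user asked
// for are marked essential; everything else states its purpose precisely.
const COOKIE_CATALOGUE = {
  session_id:   { essential: true,  purpose: "keeps the user signed in" },
  csrf_token:   { essential: true,  purpose: "protects forms against CSRF" },
  ad_id:        { essential: false, purpose: "targeted advertising" },
  analytics_id: { essential: false, purpose: "audience measurement" },
};

// Minimal jar so the logic runs under Node without a DOM.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar, catalogue) {
    this.jar = jar;
    this.catalogue = catalogue;
    this.decision = "undecided"; // no pre-ticked boxes: nothing granted yet
    this.granted = new Set();
  }

  // "Accept all" and "Reject all" are each one action of equal weight.
  acceptAll() {
    this.decision = "accepted";
    this.granted = new Set(this.nonEssentialNames());
  }
  rejectAll() {
    this.decision = "rejected";
    this.granted = new Set();
    this.purgeNonEssential(); // anything set earlier must go too
  }
  // Withdrawal is as easy as consenting and has the same effect as rejecting.
  withdraw() {
    this.rejectAll();
    this.decision = "withdrawn";
  }

  nonEssentialNames() {
    return Object.keys(this.catalogue).filter((n) => !this.catalogue[n].essential);
  }

  // Every cookie write goes through this gate. Unknown cookies fail closed.
  canSet(name) {
    const entry = this.catalogue[name];
    if (!entry) throw new Error(`cookie "${name}" is not in the catalogue`);
    return entry.essential || this.granted.has(name);
  }
  setCookie(name, value) {
    if (!this.canSet(name)) return false;
    this.jar.set(name, value);
    return true;
  }
  purgeNonEssential() {
    for (const name of this.jar.names()) {
      const entry = this.catalogue[name];
      if (!entry || !entry.essential) this.jar.remove(name);
    }
  }

  // What the banner renders: both choices at identical prominence, each
  // non-essential cookie listed with its purpose and no box pre-checked.
  bannerModel() {
    return {
      choices: ["Accept all", "Reject all"],
      purposes: this.nonEssentialNames().map((name) => ({
        name, purpose: this.catalogue[name].purpose, preChecked: false,
      })),
    };
  }
}

// Walk through the states a real visit would hit.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar, COOKIE_CATALOGUE);
  const beforeDecision = [cm.setCookie("session_id", "s1"), cm.setCookie("ad_id", "a1")];
  cm.acceptAll();
  const afterAccept = cm.setCookie("ad_id", "a1");
  cm.withdraw();
  return { beforeDecision, afterAccept, cookiesAfterWithdraw: jar.names(), decision: cm.decision };
}

console.log(JSON.stringify(demo()));
```

Two design choices matter here. First, the default state is “undecided” and grants nothing, so a tag that fires before the banner is answered is blocked rather than silently allowed. Second, a cookie that is not in the catalogue throws instead of being treated as essential, which is how stray third-party cookies otherwise slip past the gate and end up labelled “strictly necessary” by omission.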

CJEU and Swedish Court find that controllers must disclose specific information about personal data recipients upon request

What happened: On 12 January 2023, the CJEU found that controllers must be as precise as possible in providing data subjects with information about the recipients of their personal data when asked to do so in a data subject access request. Disclosing only categories of recipients was held to be inadequate in response to a request for the specific recipients.

Relatedly, a Swedish court upheld the Swedish IMY’s 2022 reprimand of Klarna Bank AB for failing to disclose information regarding the specific recipients of personal data to a requesting data subject; providing only the categories of recipients was insufficient.

What to do: Companies should ensure that their data subject access request procedures provide, in keeping with the draft EDPB guidelines, that the response names the specific recipients. The exceptions are where it is only possible to indicate the categories of recipients, or where the request is manifestly unfounded or excessive; in either case the reliance on the exception should be justified and documented.

CNIL fines Apple €8 million and Voodoo €3 million for using advertising and technical identifiers on devices without prior consent

What happened: On 29 December 2022, the CNIL fined Apple Distribution International €8 million for failing to collect the consent of French iPhone users (iOS 14.6) before depositing or writing identifiers later used for advertising purposes on their phones. The CNIL found that this practice was not strictly necessary for the provision of the service, the identifiers should not have been deposited without the user’s consent, and the user had to perform a large number of actions to deactivate this setting. When calculating the fine, the CNIL considered the number of affected users and the significant profits made through targeted advertising using these identifiers, while acknowledging that Apple has since reached compliance.

The CNIL also fined smartphone video game publisher Voodoo €3 million for using a technical identifier for advertising without the user’s consent. While Voodoo offered an option to deactivate advertising tracking, when deactivated, Voodoo used the user’s technical identifier anyway and processed information linked to their browsing habits for advertising purposes—without the user’s consent and contrary to what was indicated to the user. The number of affected individuals, financial benefits obtained as a result of the processing, and the company’s recent annual turnover were considered in calculating the fine.

What to do: Businesses should consider verifying their processes for obtaining consent for any trackers and identifiers used for advertising purposes. Businesses should not rely on pre-checked boxes and should ensure that settings are easily accessible and changeable.

Irish DPC finalises investigations into Facebook, Instagram, and WhatsApp

What happened: On 4 January 2023, the Irish DPC issued a press release confirming that it had finalised two investigations into Meta Ireland, following intervention by the EDPB in December 2022. Both investigations concerned the lawful basis relied on for the processing of user data to deliver personalised advertising. The EDPB upheld parts of the Irish DPC’s original determination, but following intervention from several DPAs, also determined that Meta could not rely on its contractual basis argument to deliver personalised advertising and directed the DPC to increase the corresponding fines to €210 million (in the case of Facebook) and €180 million (in the case of Instagram).

The DPC subsequently issued a press release confirming that it had finalised a similar investigation into WhatsApp Ireland and issued a €5.5 million fine. The DPC incorporated an EDPB finding that WhatsApp could not rely on its contractual basis argument to require users to agree to data use for “service improvements” and “security,” with a carve-out for “IT security,” reflecting a narrower view of the nature of the contractual services than the DPC had originally taken.

What to do: Businesses may wish to review where they rely on contractual necessity as the lawful basis for processing personal data to deliver personalised advertising, or for service improvements and generalised security, and consider where alternative lawful bases may be necessary to ensure such reliance is consistent with the EDPB’s emerging expectations.

UK ICO kicks off transparency push

What happened: Following a November 2022 announcement by UK Information Commissioner John Edwards, the ICO has adopted a new policy of publishing on its website all reprimands issued from January 2022 onward, expanding its developing approach to publishing details of regulatory submissions.

Reprimands will be published unless there is a good reason not to. The Commissioner explained the change as motivated by a desire to ensure greater accountability and to inform the rest of the economy about the reasons for enforcement action. Published reprimands will give additional insight into the ICO’s regulatory expectations and priorities, and into the potential consequences of non-compliance.

This reflects a marked change from the prior policy of “not usually” publishing reprimands, but aligns with the ICO’s current practice of publishing quarterly data sets on the nature of the “data protection complaints” it receives, self-reported breaches that did not involve investigatory follow-up, cyber incidents and investigations that involved ICO inquiries, and individualised audit findings, among others.

What to do: Organisations should keep the ICO’s publication practices in mind when seeking insight into ICO expectations and enforcement practices, when considering publicity risks associated with data subject complaints, breach notifications, and enforcement action, and when it may be in the organisation’s interest to challenge an ICO action.

Spanish AEPD fines telco €30,000 for GDPR violation arising out of consumer identity theft

What happened: The Spanish AEPD fined telecommunications provider Orange Espagne, S.A.U. (“Orange”) for processing data without informed consent. Orange set up a mobile telephone contract and SIM card without adequately verifying the customer’s data, which enabled an identity theft and resulted in the processing of the victim’s personal data without consent.

The AEPD fined Orange €50,000, reduced to €30,000 following an acknowledgement of guilt and voluntary payment.

Highlighting the importance of coordination between data protection and fraud prevention functions, the AEPD outlined remedial measures broadly applicable to consumer businesses, including:

  • ensuring controls are in place to manage the risk of identity theft throughout the product/service lifecycle;
  • verifying customer information against public data sources (e.g., national census);
  • monitoring to detect suspicious concentrations of unpaid customers, accounts or e-commerce transactions;
  • designating internal teams dedicated exclusively to escalating complaints regarding unrecognised orders, suspicious transactions and asset solvency; and
  • using external identity check platforms at the registration stage to reject or accept applications.

What to do: Companies should consider revisiting both existing data processing and fraud prevention policies and procedures to ensure these align with the AEPD’s suggested measures, especially those related to identity checks and validation at the inception of the product-service lifecycle.

DPAs continue to object to employee monitoring on the basis of consent

What happened: In December 2022, Italy’s DPA, the Garante, and Estonia’s DPA, AKI, announced decisions against two companies for unlawful employee monitoring. Both regulators rejected reliance on consent as the lawful basis for the monitoring.

The Garante fined Sportitalia €20,000 for using a fingerprint-based biometric attendance system. Sportitalia claimed it had sought informed consent and offered an alternative badge system to those who did not consent, but the Garante found that the company had failed to provide sufficient information to employees and did not permit withdrawal of consent.

The AKI ordered hotel company OÜ Laidoneri KV to cease using CCTV cameras to monitor its employees pending a legitimate interest assessment. It found that signage was inadequate and, going further than the Garante, held that consent is not a lawful basis for processing personal data in an employment relationship. Where, as here, the monitoring was not needed to fulfil a contractual or legal obligation, only legitimate interests might suffice as a lawful basis.

What to do: As we have covered previously, workplace monitoring practices continue to be scrutinised closely. Companies may wish to review their monitoring practices to ensure that an appropriate lawful basis is established and that employees are provided sufficient information. Given the range of views on whether consent to monitoring can be freely given in an employment context, employers may wish to consider alternative lawful bases. The EDPB guidelines on video monitoring and the UK ICO’s draft guidance on employee monitoring may serve as useful guides.


The cover art used in this blog post was generated by DALL-E.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.

Author

Tristan Lockwood is an associate in the firm’s Data Strategy & Security practice. He can be reached at tlockwood@debevoise.com.

Author

Melissa Muse is an associate in the Litigation Department based in the New York office. She is a member of the firm’s Data Strategy & Security Group, and the Intellectual Property practice. She can be reached at mmuse@debevoise.com.

Author

Anya Allen is a law clerk in the Litigation Department.

Author

Emily L. Morgan is a law clerk in the Litigation Department.

Author

Alexandre Pous is a legal intern and trainee in the Litigation Department at the Debevoise Paris office.

Author

Maria Santos is a trainee associate in the Litigation Department.