1 December 2020

Data Blast: Apple faces questions around its tracking of users; Canada seeks to update its national privacy law and more…

See below for the latest Data Blast from our legal team: Apple faces questions around its tracking of users; Canada seeks to update its national privacy law; UK regulator fines Ticketmaster for lax data security; Massive data breach exposes sensitive voter details in Malta; Dutch court issues welcome interpretation on legitimate interests

NYOB sues Apple over Identifier for Advertisers

Earlier this year, Apple announced changes to the latest version of its iOS operating system which will limit the opportunities for third parties to track users using the Apple Identifier for Advertisers (IDFA) code generated by iPhones and other Apple mobile devices. The IDFA is similar in principle to a cookie set on a user’s browser, and allows users of Apple mobile devices to be tracked across different applications, and facilitates targeted advertising. IDFA has also been an essential tool for measuring attribution for mobile advertising, i.e. to understand whether particular advertisements (whether targeted or not) have been viewed. Apple’s latest iOS version will require user consent in order for third parties to use IDFA, and third parties will be permitted to seek such consent only once.

Apple’s change of approach may be seen as a move to bring the use of IDFA into compliance with the EU’s ePrivacy Directive, which is implemented in the UK via the Privacy and Electronic Communications Regulation (PECR); the PECR requires prior consent for the storage of an electronic identifier on a user’s device, including cookies and similar technologies. Moreover, to the extent that IDFA may process personal data, the full range of obligations under the General Data Protection Regulation (GDPR) will apply, including not only consent, but also transparency about the purposes of the data processing and the parties with whom the data may be shared.

Businesses in the online advertising space have been critical of Apple’s move, noting in particular that Apple itself will continue to be able to use its IDFA, and suggesting that the new rules around IDFA are anti-competitive. This has not escaped the notice of privacy activists: NOYB, the organisation founded by the activist Max Schrems, has launched a legal challenge against Apple in Germany and Spain, asserting that IDFA breaches the ePrivacy Directive by failing to obtaining user consent before being deployed on iOS devices. NOYB’s complaints allege that Apple’s use of IDFA breaches of the law on user consent both before and after the change of approach with the latest iOS, and both pre and post GDPR. On the basis of that latter assertion, NOYB seeks to avoid engaging the GDPR mechanism for cooperation between Member State data protection authorities, and to have the German and Spanish authorities consider the complaints without delay.

Canadian government introduces new privacy law

On November 18th 2020, the Canadian federal government introduced the Digital Charter Implementation Act (DCIA) which proposes considerable changes to Canada’s national personal data protection framework.

If passed, the DCIA would establish in Canada a new privacy law, the Consumer Privacy Protection Act (CPPA), and would repeal the privacy provisions of the current Personal Information Protection and Electronic Documents Act (PIPEDA).

The key changes proposed by the CPPA include:

  • New Enforcement Regime: The CPPA provides for administrative monetary penalties of up to 3% of global revenue, or $10 million CAD, (whichever is greater) for organisations that fail to comply with the new law. For more serious offences, including failing to comply with certain security breach disclosure rules, data retention requirements, or illicitly identifying an individual using anonymised data, penalties may amount to the higher of 5% of global revenue, or $25 million CAD; making them potentially greater than the maximum fines under the GDPR of £17 million (circa $27 million CAD) or 4% of global annual turnover.
  • New Regulatory Structure: The CPPA provides the Privacy Commissioner of Canada broader order-making powers, and establishes a Personal Information and Data Protection Tribunal, which will review decisions made by the Commissioner and issue enforcement penalties for non-compliance.
  • New privacy rights: the CPPA establishes a data portability right, allowing individuals to request that organisations transfer their personal data to another organisation. It also includes a right to algorithmic transparency, whereby an organisation that employs automated decision-making about an individual will, in certain circumstances, need to provide them with an explanation of the decision and how the underlying personal data was obtained.
  • New standard of consent: The CPPA sets out informational requirements in order for an individual to be able to provide meaningful consent, and expands the existing need for express consent under PIPEDA in relation to sensitive information, to cover the full range of personal information.  Consent obtained through false or misleading information would render the consent invalid, and individuals would be able to withdraw consent at any time in a range of circumstances.
  • Codes of Practice: Industries will have the ability to request that the Privacy Commissioner approve codes of practice and certification systems, which would establish rules for how the CPPA applies to certain industries or business models.

It is far from certain whether this latest attempt to reform Canada’s existing patchwork of federal and provincial privacy laws will succeed in its current form, particularly in light of the current minority government in the Canadian Parliament. Accordingly, the substance of the DCIA may be subject to considerable debate, and potentially legal challenges in the courts, as it makes its way through the legislative process.

UK ICO fines Ticketmaster £1.25 million

On November 13th 2020, the UK Information Commissioner’s Office (ICO) announced that it had fined Ticketmaster UK Limited (Ticketmaster) £1.25 million for failing to keep its customers’ personal data secure, in breach of articles 5(1)(f) and 32 of the GDPR. This is the latest in a series of high profile data breaches for which the ICO has imposed significant fines, including those against Marriott Hotels and British Airways (covered here and here).

The ICO found that the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its payment page.

The data subject to the breach included customer names, payment card numbers, expiry dates and CVV numbers, and potentially affected 9.4 million customers across Europe, including 1.5 million in the UK. The ICO acted as the lead supervisory authority in respect of the cross-border data processing implicated in the breach, and the fine was approved through the GDPR’s cooperation process by the other Member State supervisory authorities.

Specifically, the ICO found that Ticketmaster failed to:

  • Assess the risks of using a chat-bot on its payment page;
  • Identify and implement appropriate security measures to negate those risks; and
  • Identify the source of the fraudulent activity in a timely manner.

In calculating the fine, the ICO considered the number of individuals affected, the ‘lack of consideration’ demonstrated by Ticketmaster regarding customer personal data, and Ticketmaster’s failure to follow industry standards which would have mitigated the scope of the attack. Whilst the ICO initially proposed a fine of £1.5 million, this was revised down to take account of the impact of Covid-19 on Ticketmaster’s business.

NYOB brings complaints over Maltese voter data breach

On November 12th 2020, it was announced that privacy advocacy group NYOB filed a complaint with the Maltese Office of the Information and Data Protection Commissioner (IDPC) against C-Planet IT Solutions, the firm responsible for a leaked database of Maltese voters.

The complaint follows a class action suit brought in October by the NGO Republikka, which seeks redress for the roughly 337,000 Maltese voters affected by the data breach. News of the breach began to surface in April on this year, suggesting that C-Planet stored a copy of the electoral register in an open directory, and resulted in the personal data of roughly 337,000 Maltese voters being made freely accessible online. The leaked personal data included phone numbers, dates of birth, and numerical IDs indicating voters’ political beliefs.

It has been reported that C-Planet appears to have ties to the ruling Maltese Labour Party, and the IDPC’s investigation will assess whether C-Planet was acting on behalf of any political party or organisation. NOYB (the privacy activist organisation also responsible for the complaints against Apple detailed above) has requested that the IDPC issue a fine of €20 million, as the leaked database contained to personal data of almost 98% of the Maltese electorate.

Dutch District Court issues decision on legitimate interest basis for processing

On November 23rd 2020, the District Court of Midden-Nedderland issued its decision in VoetbalTV’s (VTV) appeal against the Dutch Data Protection Authority (Dutch DPA), overturning the Dutch DPA’s fine of €575,000.

The case centred on the interpretation of the scope of the legitimate interest basis for data processing under the GDPR. The processing in question related to professional videos of amateur football games which were made available online by VTV. The Dutch DPA concluded that VTV could not rely on its own commercial interests as being ‘legitimate interests’ for processing the personal data of players in the videos; the Dutch DPA having taken the view that a legitimate interest could only be one which is prescribed in law, and VTV’s commercial interests did not amount to such a legal right. The Dutch DPA’s view (had it not been overturned) would have drastically narrowed the scope of the legitimate interest basis for processing under the GDPR, in effect aligning legitimate interests with other GDPR legal bases such as processing to comply with a legal obligation.

Fortunately, the District Court’s ruling annulled the decision and the fine. Whereas the Dutch DPA’s view was that a legitimate interest must be one which is permitted elsewhere in a law, the District Court held that a legitimate interest could serve as a legal basis for processing as long as it was not otherwise prohibited by law.

For more information please contact Partner, James Tumbridge at