5 December 2023

Data Blast: Clearview AI successful in appeal against UK ICO fine; Business reprimanded for using out of date software; Meta rolls out ad-free subscription options for Facebook and Instagram; French TV station fined €600,000 for numerous data protection

UK ICO reprimands company for using out of date software

On 17 October 2023, the UK’s First-tier Tribunal ruled in favour of Clearview AI Inc. (‘Clearview’) in its appeal against an enforcement notice and fine issued by the UK’s Information Commissioner’s Office (‘ICO’).

In May 2022, the ICO had issued a notice instructing Clearview to delete personal data of UK individuals collected through its facial recognition technology and imposed a fine of £7.5 million. The ICO alleged several violations of the EU and UK General Data Protection Regulations (UK GDPR). Clearview appealed the notice to the First-tier Tribunal, arguing that it had not violated the UK GDPR and that the ICO lacked jurisdiction to issue the notice and fine. Clearview, a U.S.-based company without a presence in the UK for the purposes of the UK GDPR purposes, claimed it provided services solely on behalf of foreign law enforcement and national security clients, thus falling outside the scope of the GDPR.

The judge agreed with Clearview’s argument, concluding that whilst the processing did involve monitoring individuals in the UK, which is typically within scope of the GDPR, as that monitoring occurred exclusively in respect of non-UK/EU law enforcement or national security bodies, it fell outside the scope of the UK GDPR. Furthermore, the judge clarified that activities of foreign governments are outside the reach of both EU and UK GDPR, as one government cannot control the actions of another sovereign state outside the treaties to which those states are party.

The decision has attracted wide attention and sparked expressions of concern that foreign states and their law enforcement and national security services could collect and use the personal data of UK residents without any regulatory recourse available under the UK GDPR. The ICO has sought permission to appeal the First Tier Tribunal’s decision.

UK ICO reprimands company for using out of date software

The UK’s ICO issued a reprimand to Gap Personnel Holdings Limited on 18 October 2023, due to several infringements of the UK GDPR. Gap, a recruitment company, experienced unauthorised access to its systems twice within the space of a year, leading to the exposure of personal data of UK individuals.

The data breaches occurred due to vulnerabilities including Gap’s use of unsupported versions of MySQL and PHP, poorly written code, and insufficient system logging. Gap lacked appropriate technical and organisational measures to ensure the appropriate level of data security relative to risk, leading to a failure to ensure confidentiality, integrity, and resilience of their systems, as required by Art. 32(1)(b) of the UK GDPR. Despite Gap’s efforts to notify affected individuals and implement appropriate security measures, the ICO reprimanded it for the breaches of the UK GDPR (though Gap was not fined), and emphasised the need for ongoing vigilance in maintaining data security measures.

Meta rolls out paid subscription for ad-free Facebook and Instagram experience

On 27 October 2023, the European Data Protection Board (EDPB) directing the Irish Data Protection Authority (DPA) to impose a ban on the processing of personal data for behavioural advertising by Meta (on its Facebook and Instagram services) on the legal bases of contractual necessity and legitimate interest.  The ban follows previous decisions in which regulators concluded that contractual necessity was not an appropriate legal basis for the personalisation of advertising to users of Facebook and Instagram. The narrow interpretation of ‘contractual necessity’ has met with considerable controversy; the position of the regulators being that processing personal data for personalised advertising is not ‘strictly necessary’ even where it is ‘necessary’ in order to provide a service (e.g. a social media platform) free of charge.

Meta has subsequently rolled out for users across the EU the option of proceeding to use Instagram and Facebook without charge, but with personalized advertising, or to pay a subscription charge to use the services on an ‘ad-free’ basis.  The model of offering a ‘free’ version of an online service which comes with personalised advertising placement, together with the option of paying a fee to receive an ad-free experience, is not new.  Indeed, data protection regulators have previously scrutinised such models and have tended to conclude that consent for the processing of personal data for the tailoring of advertising can be ‘freely given’ where the service offered (with advertising) is an alternative to a paid offering (a subscription service).

The privacy activist, Max Schrems, has already initiated a legal complaint with the Austrian data protection regulator, via his organisation None of Your Business (‘noyb’), alleging that Meta’s new approach to consent is not compliant with the GDPR’s requirements for freely given consent.

French Regulator fines television station for numerous infractions

The French Data Protection Authority (‘CNIL’) imposed a fine of €600,000 on television producer GROUPE CANAL+ after receiving 31 complaints between late 2019 and early 2021. These complaints covered various issues, including unsolicited ‘cold’ calls, problems with individuals exercising their personal data rights, inadequate safety measures concerning employee passwords, and the company’s failure to report a significant data breach in 2020.

The CNIL’s investigation found that GROUPE CANAL+ had engaged in electronic commercial canvassing through service providers without valid consent from the prospective customers. The individuals receiving ‘cold’ calls were not adequately informed about the identity of the canvasser on whose behalf the consent was collected. The company also failed to obtain direct consent before conducting canvassing activities, violating Article 7(1) of the GDPR. Additionally, the CNIL determined that the company breached Article 14 of the GDPR by not always informing prospective customers during ‘cold’ calls about the purpose of data processing or their available rights. GROUPE CANAL+ also failed to comply with Article 12 of the GDPR by not providing clear responses to data subject requests within the stipulated time frame, violating the right to access personal data.

The CNIL also scrutinized the company’s security practices and found issues with password protection. GROUPE CANAL+ had used an obsolete MD4 algorithm to store employee passwords, which was known for years to have vulnerabilities, making it insufficiently robust for ensuring data confidentiality. This breach of Article 32 of the GDPR highlighted the company’s inadequate security measures. Furthermore, GROUPE CANAL+ failed to notify the DPA of a personal data breach involving over 10,000 people, a violation of Art. 33 of the GDPR; the breach occurred when subscribers accessing their accounts were able to view other subscribers’ information, compromising the privacy rights of those other subscribers.

Taking into account the severity of the breaches, and despite some improvements made by the company, the CNIL imposed the 600,000 € fine under Art. 83 of the GDPR.

Canada issues guidance on best interests of young people

On 17 October 2023, the Office of the Privacy Commissioner of Canada published two companion documents offering insights into safeguarding the privacy of young individuals. This guidance comes in the wake of a resolution on young people’s privacy jointly adopted by federal, provincial, and territorial regulators earlier last month.

The first document, titled ‘Putting best interests of young people at the forefront of privacy and access to personal information’ (here), furnishes organisations with best practices for handling young people’s personal data. Among the recommended practices are facilitating straightforward methods for rectifying personal information (including deleting and recalling messages). The document also advocates for the implementation of shorter data retention periods, in order to aid young people in  managing their reputation online.

The second document, ‘How organizations can help protect young people online’ (here), is tailored for young audiences; it aims to set out the objectives of the recent governmental resolution in a clear and understandable manner. The document highlights the privacy rights of young people, and outlines the responsibilities that organisations bear in protecting these rights; notably, it emphasises the significance of organisations permitting young people to amend or erase information stored about them, helping to protect their privacy and online safety.

The protection of young people online has been a key priority for governments and regulators in numerous jurisdictions.  Notably, in the UK, the Online Safety Act has recently been passed into law, and a consultation commenced on the first set of proposed measures by the regulator, Ofcom, which will set out the detail of how organisations must seek to protect users – in particular children – from harmful content online.

EU General Court denies interim injunction against EU-US Data Privacy Framework

Philippe Latombe, a member of the French Parliament, challenged the Commission Implementing Decision (EU) 2023/1795 of July 10th 2023, which established the adequate level of protection for personal data under the EU-US Data Protection Framework (the ‘Framework’) (the ‘Adequacy Decision’). Latombe sought the annulment of certain provisions of the Framework. He also filed for interim relief, requesting the suspension of the Framework’s execution.

Latombe argued that the Adequacy Decision harmed him, as his personal data could be transferred to US organisations listed on the ‘Data Protection Framework List’ without adequate protection. He contended that the Adequacy Decision violated his rights under the EU GDPR and the Charter of Fundamental Rights of the European Union. He further raised concerns about the delayed assessment of the US’s data protection adequacy (which would only occur a year after notification to the EU Member States) and its impact on his data stored on various IT platforms.

The Court found Latombe’s arguments insufficient to demonstrate urgency or serious harm resulting from the Adequacy Decision, including that he failed to specify how the Adequacy Decision directly affected him or his personal data. Additionally, the Court observed that transfers of personal data to the US were permissible under the GDPR in prescribed circumstances prior to the Framework’s approval. Latombe failed to demonstrate how the transfer of his personal data to the US under the Framework would result in an additional risk of harm to that which existed prior to the Framework. Consequently, the Court rejected Latombe’s request for interim relief, without delving into the substance of his claims, which will be assessed in due course at a final hearing.