Data Blast: EU-US data transfers get a boost, children’s data practices fined, email marketing without consent, US e-health firm fined…

A step toward a new EU-US Data Transfer Mechanism

US President Joe Biden, on October 7^th 2022, signed the much anticipated Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“EO”). The EO seeks to fill the void left by the decision of the Court of Justice of the European (CJEU) in July 2020 in the Schrems II case, which invalidated the Privacy Shield data transfer framework which had allowed for personal data to flow from the EU to the US. In that decision, the CJEU held that:

• the legal frameworks for U.S. surveillance did not limit data collection to that which is strictly necessary and proportionate; and
• EU data subjects did not have sufficient redress to challenge unlawful data collection.

The EO seeks to address those lacunae by:

• providing that US signals intelligence activities can be conducted only in relation to defined national security objectives and ”…only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized.” and
• replacing the Ombudsman role under the Privacy Shield with an independent Data Protection Review Court (DPRC), and by requiring US intelligence agencies to cooperate with a Civil Liberties Protection Officer (CLPO)’s investigation of a disputed data transfer and to comply with any remedy prescribed by the CLPO or the DPRC.

The European Commission has publish a Q&A document explaining what to expect next, as it considers the preparation of a new draft adequacy decision in relation to the US. In the meantime, organisations transferring personal data from the EU to the US should continue to adopt alternative transfer mechanisms, such as Standard Contractual Clauses.

Meta fined for Instagram’s approach to children’s data

After a €225 million fine for WhatsApp and a €17 million fine for Facebook, the Irish Data Protection Commissioner has now imposed another fine on Instagram (via its parent Meta) for €405m in relation to Meta Ireland’s non-compliant processing of children’s personal data. In particular, it concerned the public disclosure of email addresses and phone numbers of children aged 13 – 17 using the Instagram business account feature.

Instagram was also found to have adopted a user registration system whereby settings for child users were set to ‘public’ by default, making all social media content public unless the account was set to ‘private’ by manually changing the account settings.

Due to the cross-border processing carried out by Meta Ireland, the Irish regulator’s counterparts in Finland, France, Germany, Italy, the Netherlands and Norway raised objections to its original proposal to penalise Instagram. The Irish regulator was able to impose the fine only after triggering the GDPR’s dispute resolution mechanism and involving the European Data Protection Board (EDPB); the dispute process was settled in July 2022.

Meta is reported to be considering its position in relation to the fine, and has suggested that the investigation focused on historic settings which had been altered more than a year earlier, whereas currently any user under 18 automatically has their account set to ‘private’ when they join Instagram.

ICO may impose £27 million fine on TikTok for failing to protect children’s privacy

The UK Information Commissioner’s Office (ICO) has issued TikTok, the short-form video hosting service owned by Chinese company ByteDance, with a ‘notice of intent’ – a statutory notice which precedes a potential fine – after an ICO investigation found that the company may have breached UK data protection law by failing to protect children’s personal data when using TikTok.

In the statement issued by the ICO, the Commissioner found that TikTok may have:

• processed the data of children under the age of 13 without appropriate parental consent;
• failed to provide proper information to its users in a concise, transparent and easily understood way; and
• processed special category data (e.g. data concerning health, sexual orientation etc.) without a proper legal basis for doing.

Under the UK GDPR, only children aged 13 or over are able to consent to the processing of their personal data. For children under 13, save for narrow circumstances, consent must be provided by the holder of parental responsibility over the child.

The ICO will consider any representations from TikTok before taking a final decision.

ICO fines Halfords for sending unsolicited marketing emails

The ICO fined Halfords, the UK’s largest retailer of motoring and cycling products, £30,000 for sending 498,179 unsolicited marketing emails to individuals without their consent.

The ICO commenced its investigation upon receiving a complaint from an individual about an unsolicited direct marketing email. The email concerned the ‘Fix Your Bike’ UK Government Voucher Scheme, which ran between July 2020 and December 2021, and which allowed members of the public to receive a voucher worth up to £50 toward the cost of repairing a bicycle at a registered shop such as Halfords.

Halfords asserted that the purpose of the message was to promote a government initiative, and not a Halfords product or service. The ICO disagreed and found that Halfords’ email was a marketing communication because it advertised a service provided by the company.

The UK retailer sought to rely on ‘legitimate interests’ as justification for the transmission of its unsolicited direct marketing emails, however, this was predictably rejected by the Commissioner, as the applicable e-privacy regulation – specifically regulation 22 of the Privacy and Electronic Communications Regulations (PECR) – does not recognise such a basis for sending marketing communications without a recipient’s consent.

Halfords was also unable to rely on the ‘soft opt-in’ basis for existing customers who received the email, as those customers had previously not opted in to receive emails from the company, and the email did not contain a mechanism to permit recipients to unsubscribe from further marketing communications.

Head of ICO Investigations, Andy Curry said: “It is against the law to send marketing emails or texts to people without their permission. Not only this, it is a violation of their privacy rights as well as being frustrating and downright annoying. This also sends a message to similar organisations to review their electronic marketing operations, and that we will take necessary action if they break the law.”

US e-health firm fined by Italian regulator for careless patient identification

The Italian Data Protection Authority (GPDP) has fined Senseonics Inc., an American company offering health services in Italy (but without a local presence), €45,000 for GDPR breaches when the email addresses of approximately 2000 users of the company’s glucose monitoring system were disclosed in error.

The company notified the GPDP of the data breach caused by one of its employees who, as part of an information campaign, sent a mass e-mail message with recipients’ addresses in the “cc” field instead of the “bcc” field, thereby revealing the identities of many of the company’s customers.

The GPDP reiterated that an e-mail address is personal data and must be used only in accordance with data protection law. Further, as the email in question was addressed to users of Senseonics’ glucose monitoring application, the identification of those users also implicated special category personal data, as it would reveal data pertaining to the health of those individuals.

The GPDP also found further data protection breaches where:

• the company, based in the US and without a local establishment, failed to designate a GDPR representative within the European Union; and
• users of the company’s app were required to accept both the contractual terms and conditions and the privacy policy with a single click, rather than specific consents being sought for the processing of special category data.

The GPDP fine serves as an important reminder, in particular, for businesses based abroad to seek legal advice on regulatory compliance where they offer services within the EU (or the UK), as they will be subject to the local data protection laws, including the requirement to have a representative within the local jurisdiction.