14 February 2023

Data Blast: Meta lessons from Ireland, EU and US look to simplify data flows, French fine over access right, Indian draft bill back on track, Norwegian lessons on ex-employee data, and TikTok cookie troubles…

The Irish DPC Concluded Two Further Enquiries into Meta

The Irish Data Protection Commission (DPC) has announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta”) in connection with its Facebook and Instagram services, fining Meta €210 million (for breaches relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service).

The inquiries concerned two complaints about the two services made on May 25th 2018, the date on which the GDPR came into operation. In advance of May 2018, Meta had changed the Terms of Service for its Facebook and Instagram services and flagged the fact that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data. Instead of consent, Meta now sought to rely on the ‘contract’ legal basis for most (but not all) of its processing operations. So, if users wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click ‘I accept’ to indicate their acceptance of the updated Terms of Service (the services would not be accessible if users declined to do so). In light of this, the complainants argued that, contrary to Meta’s stated position, Meta was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data, in effect ‘forcing’ users to consent to the processing of their personal data for behavioural advertising and other personalised services. Following comprehensive investigations, the DPC prepared draft decisions, which were then submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (CSAs), and finally referred the points in dispute to the European Data Protection Board (EDPB), which issued its determinations on December 5th 2022.

The DPC found that the legal basis relied on by Meta was not clearly outlined to users, in breach of Articles 12 and 13(1)(c) of the GDPR and that in circumstances where it found that Meta did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the ‘forced consent’ aspect of the complaints could not be sustained. The DPC further considered Meta’s reliance on ‘contract’ as providing a legal basis for its processing, finding that Meta was not required to rely on consent and GDPR did not preclude Meta’s reliance on the contract legal basis.

The EDPB took a different view on the ‘legal basis’ question, finding that Meta was not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising. The final decisions adopted by the DPC on December 31st 2022 reflect the EDPB’s binding determinations. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the ‘contract’ legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, amounts to a contravention of Article 6 of the GDPR.

The DPC also required that Meta bring its processing operations into compliance with the GDPR within a period of 3 months.

Draft EU-US Adequacy Decision Published

There is high hope that EU-US data flows might get easier this year. On December 13th 2022 the European Commission published a draft adequacy decision to allow EU-US data flows. The decision followed the Executive Order (EO) signed by President Biden on October 7th 2022, which implemented into US law the agreement in principle on a new EU-U.S. Data Privacy Framework announced in March 2022 by President von der Leyen and President Biden. Addressing the issues raised in the Schrems II judgment, the Executive Order provides for:

  1. Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
  2. Enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
  3. The establishment of an independent and impartial redress mechanism.

Of particular importance for EU individuals is the two-layer redress mechanism envisaged in the EO. Under the first layer, EU individuals will be able to lodge a complaint with the Civil Liberties Protection Officer (CLPO) of the US intelligence community.

Under the second layer, individuals will have the possibility to appeal the decision of the CLPO before the newly created Data Protection Review Court, composed of members from outside the US government who cannot receive instructions from the government. The Data Protection Review Court will have powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and will be able to take binding remedial decisions. Further, the Executive Order requires US intelligence agencies to review their policies and procedures to implement these new safeguards. US companies will be able to certify their participation in the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations (such as purpose limitation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties).

The road ahead to adoption of the final decision is still bumpy. The draft adequacy decision has been transmitted to the European Data Protection Board (EDPB) for its opinion. The Commission will then need to obtain approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. As a final step, the adequacy decision will be published in the Official Journal of the European Union.

Max Schrems, the Austrian privacy activist known for his successful challenges to the two previous EU-US data agreements, stated on his website NOYB that “[We] will analyse the draft decision in detail the next days. As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again – in flagrant breach of our fundamental rights.”

We shall continue to monitor developments and report them in our Data Blasts.

The Right to Privacy of Ultimate Beneficial Owners (UBO)

In the case of WM and Sovim SA v Luxembourg Business Registers (Joined Cases C‑37/20 and C‑601/20), delivered on November 22nd 2022, the European Court of Justice considered that the public’s right of access to the data of beneficial owners contained in the Luxembourg Business Register (LBR) constituted a serious interference with the fundamental rights to respect for private life and to the protection of personal data, enshrined respectively in Articles 7 and 8 of the Charter of Fundamental Rights (CFR), which was neither limited to what is strictly necessary nor proportionate to the objective pursued.

The 4th and 5th Anti-Money Laundering Directives required Member States to establish a central UBO registry for corporate and other legal entities incorporated within their territory. The information to be provided to the Registry should ‘at least’ comprise the name, month and year of birth, country of residence and nationality of the UBO, as well as the nature and extent of the beneficial interest held.

The Court also found that although the information on UBOs relates to their professional activities, it is in fact information on identified individuals, and therefore personal data, and making such data available to third parties constitutes data processing.

Immediately after the ruling of the EU Court of Justice, Luxembourg provisionally suspended public online access to the beneficial owners register.

France: The CNIL fined FREE

The French Data Protection Authority (CNIL) fined FREE, a telecommunications provider, €300,000 for several GDPR violations, including failure to respect the right to erasure, failure to ensure the security of personal data, failure to comply with the obligation to document a personal data breach and failure to respect the right of access.

Focusing on the latter, complaints received by CNIL concerned access requests for information regarding the data broker from which FREE obtained personal data. With regard to information involving the source of the data, relying on recital 63 and Article 15(4) GDPR, FREE refused to provide such information as it was not obliged to reveal information that was deemed a ‘business secret.’

Recital 63 provides that ‘the right of access should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software,’ whereas Article 15(4) GDPR provides that ‘the right to obtain a copy referred to in paragraph 3 (copy of the personal data undergoing processing) shall not adversely affect the rights and freedoms of others.’

The CNIL determined that FREE violated Article 15 GDPR by failing to respect the right of access. It held that the controller’s argument for not disclosing the source of the data on grounds of ‘business secrecy’ was not valid, because the data subject’s requests were requests for information under Article 15(1) GDPR. The ‘business secrecy’ exception applies only to Article 15(4) GDPR, where a data subject requests a copy of their data, which was not the case here.

The CNIL also stated that, under Article 5(1)(a) GDPR, personal data had to be processed in a transparent manner, and that when the data subject filed an access request, the controller had to communicate the specific source of the data. The controller was exempt from this obligation only when it did not have this information. The fact that the controller had not provided the identity of the data broker despite possessing this information prevented the data subject from verifying the lawfulness of the processing carried out. The right of access regarding the primary source of the data was therefore limited by the controller.

The Indian Digital Personal Data Protection Bill 2022 Has Been Released

The Indian Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Bill 2022 (Draft Bill) on November 18th 2022 which is focused on regulating the use of digital personal data of Data Principals.

The Draft Bill defines Data Principals as ‘any natural person to whom the personal data pertains’ and Personal Data as ‘any data about an individual who is identifiable by or in relation to such data.’ The classification of personal data into categories such as sensitive personal data and critical personal data has been removed. The Bill covers the processing of digital personal data within India and the processing of digital personal data outside India if this involves the collection of data that relates to the behaviour or interests of Data Principals within India, or data emanating from goods or services offered for sale to Data Principals within India. It does not apply to any non-personal data, any data in a non-digital format or personal data about an individual that is contained in a record that has been in existence for at least one hundred years. Further, it does not apply in cases of non-automated processing of personal data or processing of personal data by an individual for any personal or domestic purpose.

Of concern is the introduction of the concept of ‘deemed consent’ in certain instances; a consent deemed to have been given by the data principal in a medical emergency, for employment purposes, to comply with any judgment or order issued under any law, or in public interest. The Draft Bill empowers the government to prescribe additional categories of deemed consent, a broad power which can undermine the right to privacy. There is also no mention of the possibility for the individual to withdraw the deemed consent.

In terms of cross-border data transfers, the Draft Bill does not contain any restrictions on the transfer of personal data outside India; however, it gives the government the right to impose restrictions on such transfers and to notify jurisdictions to which a data fiduciary may not transfer personal data (or otherwise prescribe terms and conditions for such transfers). In comparison to the previous iterations of the bill, the Personal Data Protection Bill, 2019 (the ‘2019 Bill’) and the Data Protection Bill, 2021 (the ‘2021 Bill’), the Draft Bill omits the right to data portability and the right to be forgotten but retains the right to correction and erasure of personal data.

Lastly, the Draft Bill seeks to establish a Data Protection Board of India (the ‘Board’) and proposes a penalty not exceeding INR 15 crores (approx. GBP 1.5 million) or 4 per cent of the defaulting entity’s global turnover for non-compliance with the proposed provisions. Section 25 of the Draft Bill has raised the applicable penalty limit to INR 500 crores (approx. GBP 50 million).

We will monitor and provide updates in our upcoming Data Blasts as the bill progresses.

UK-DIFC Statement on Data Partnership

On December 15th 2022, the UK government and the Dubai International Financial Centre Authority (DIFC) issued a joint statement on the shared commitment to a data bridge between the UK and the DIFC. The announcement adds to other existing Memoranda of Understanding between UK and DIFC regulators, such as the UK Financial Conduct Authority and the Dubai Financial Services Authority. The statement reveals that there are over 5,000 UK companies operating in the UAE, many of which depend on the free and secure flow of safe data across borders and that the UK government and the DIFC have been involved in discussions on building a framework which will facilitate the free and secure flow of personal data. The UK government and the DIFC are committed to (1) ‘working together to realise the benefits of the important role that the trustworthy use of data across borders plays in international commerce[..]’ and (2) ‘the pursuit of a closer UK-DIFC partnership on data flows as a way of realizing untapped economic growth.’

Norway: The DPA on Inspecting the E-Mail Inbox of a Former Employee

The Norwegian Privacy Appeals Board (Privacy Board) dismissed an appeal against the DPA’s decision to fine a controller €9,600 for unlawfully inspecting the e-mail inbox of a former employee. The matter concerned a company that inspected the e-mail inbox of a former employee and automatically forwarded her e-mails after she had objected to the processing of her personal data under Article 21 GDPR. The Norwegian Data Protection Authority held that automatic forwarding of the contents of the data subject’s e-mail inbox could not be based on Article 6(1)(f) GDPR (processing necessary for the purposes of the legitimate interests pursued by the controller) nor on any other valid legal basis.

The controller did not comply with its duty to carry out a balancing of interests after the data subject had objected to the processing under Article 21 GDPR. The DPA also found that the controller did not comply with its duty to inform the data subject of the forwarding of her e-mails, violating Article 13 GDPR. The DPA concluded that the infringements were intentional and serious, imposing a fine of NOK 100,000 (approximately £9,600) on the controller. The controller appealed this decision to the Privacy Board, which dismissed the appeal.

Cookie Infringement Cost TikTok €5 Million

The French data protection authority, the CNIL, carried out several online investigations of the TikTok website between May 2020 and June 2022. During these inspections, the CNIL found that TikTok UK and TikTok Ireland offered a button allowing immediate acceptance of cookies, but failed to provide an equivalent immediate option allowing the internet user to refuse the cookies. The obligation to obtain consent from internet users before placing cookies and other similar technologies on their devices, and the conditions for that consent, are based on two main pieces of legislation: the French Data Protection Act (Article 82), which implements the ePrivacy Directive (EU Directive 2002/58/EC), and the EU General Data Protection Regulation (EU GDPR).

The CNIL also found that users were not sufficiently informed about the purposes of the cookies used, neither in the first-layer cookie banner nor through the cookie consent tool linked to in the banner. The amount of this fine was decided on the basis of the breaches identified, the number of people concerned, including children – and the numerous previous communications from the CNIL on the fact that it must be as simple to refuse cookies as to accept them.

TikTok implemented a ‘Reject all’ button in February 2022 to help address these concerns. In the UK, the ICO has published a useful guide on when consent is required for cookies or similar technologies used by a website; the figure below summarises when consent applies.
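The two findings against TikTok (no refuse option as immediate as the accept one, and purposes not disclosed in the first-layer banner) translate into concrete front-end requirements. The following is an added illustration written for this newsletter, not TikTok’s or the CNIL’s code: a small consent manager in which the banner text lists every purpose, ‘reject all’ and ‘accept all’ are each a single action, and no non-essential cookie can be written until a choice has been recorded. The category names, purpose texts and cookie names are constructed placeholders.

```javascript
// Added example (not TikTok's or the CNIL's code): a minimal consent model that
// (1) lists the purpose of each non-essential cookie category in the first layer,
// (2) makes "reject all" a single action, exactly like "accept all", and
// (3) refuses to set any non-essential cookie until a decision has been recorded.
// Category names, purpose texts and cookie names below are constructed for illustration.

const PURPOSES = {
  analytics: "Measure how visitors use the site (aggregated usage statistics).",
  advertising: "Personalise adverts shown on this and other sites.",
};

// Strictly necessary cookies need no consent under the ePrivacy rules; everything else does.
const ESSENTIAL = new Set(["session_id"]);

// Maps each non-essential cookie name to the category it belongs to (constructed sample).
const COOKIE_CATEGORY = {
  _ga_like: "analytics",
  ad_pref: "advertising",
};

function createConsentManager() {
  // null = no decision yet; otherwise { analytics: bool, advertising: bool }
  let decision = null;
  const categories = Object.keys(PURPOSES);
  const allSetTo = (value) => Object.fromEntries(categories.map((c) => [c, value]));

  return {
    // Text the first-layer banner must show: every category with its purpose.
    bannerText() {
      return categories.map((c) => `${c}: ${PURPOSES[c]}`).join("\n");
    },
    // Both blanket actions are one call each, so refusing is as easy as accepting.
    acceptAll() {
      decision = allSetTo(true);
      return decision;
    },
    rejectAll() {
      decision = allSetTo(false);
      return decision;
    },
    // Granular choice for a second-layer settings panel; unset categories default to refused.
    set(category, allowed) {
      if (!(category in PURPOSES)) throw new Error(`unknown category: ${category}`);
      decision = { ...(decision ?? allSetTo(false)), [category]: Boolean(allowed) };
      return decision;
    },
    hasDecided() {
      return decision !== null;
    },
    // Gate every cookie write through this: essential cookies always pass,
    // non-essential ones pass only after an explicit opt-in for their category.
    canSetCookie(name) {
      if (ESSENTIAL.has(name)) return true;
      const category = COOKIE_CATEGORY[name];
      if (category === undefined) return false; // unknown cookie: treated as non-essential and blocked
      return decision !== null && decision[category] === true;
    },
  };
}
```

In practice the gate `canSetCookie` would wrap whatever code sets `document.cookie` or loads a third-party tag, so that the default state (no decision yet) behaves exactly like ‘reject all’, and the banner’s two buttons call `acceptAll` and `rejectAll` respectively.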

Figure 1. ICO summary of when consent applies for cookies (source: ICO guidance).