Data Blast: Social media firm fined over ‘invite a friend’ and more…
See below for the latest Data Blast from our legal team: Social media firm fined over ‘invite a friend’; Swiss gaming company settles dispute re COPPA Safe Harbour program; Facebook ordered to disclose misleading Covid-19 advertisers; and UK test and trace update.
Belgian DPA fines social media firm for ‘invite a friend’
On May 19th, the Belgian Data Protection Authority (the Belgian DPA) publicized the imposition of a €50,000 fine on an unnamed social media firm for unlawful personal data processing regarding the platform’s ‘invite a friend’ function. Interestingly, in publishing the decision, the Belgian DPA elected to keep the company’s identity confidential, stating that while publication of the decision is in the interests of the development of the law and the consistent application of the GDPR, it was not necessary for the company’s identification to be disclosed for that purpose.
As a part of offering the ‘invite a friend’ function, the firm collected and stored personal data relating to members’ contacts, in order to send invitations to connect on the platform. The Belgian DPA worked in close cooperation with 23 data protection authorities from 16 Member States, acting as the lead supervisory authority under the GDPR’s ‘one-stop-shop’ mechanism, under which a single supervisory authority may take responsibility for EU-wide data processing obligations of controllers which have their ‘main establishment’ within their territory.
In its decision, the Belgian DPA’s Litigation Chamber found that the social media firm, as the data controller, is responsible for ensuring it had valid legal grounds for the personal data processing involved in the ‘invite a friend’ function. The function relied on members’ consent to legitimize the processing of members’ personal data in sending invitations to their own contacts to connect on the platform. However, the Litigation Chamber found that such consent was insufficient in two respects:
- Valid consent was not obtained from the network members’ contacts who received invitations to connect with members, and no alternative grounds for processing under the GDPR existed; and
- Users were shown pre-ticked boxes at the point of inviting contacts, which does not meet the standard for valid consent under the GDPR, which requires a positive act by the user.
The Litigation Chamber made clear that the firm could not rely on consent obtained from its members to legitimize processing the personal data of contacts who were not platform members, and therefore who never themselves consented to the processing of their information. Importantly, the Litigation Chamber also concluded that sending an initial email to obtain consent from non-members is not GDPR compliant, and is at odds with generally accepted practices in Belgium.
The social media firm’s legitimate interests were also considered as grounds for the ‘invite a friend’ data processing. In the decision, the Litigation Chamber held that the conditions for relying on the legitimate interests grounds were not satisfied, in particular because the limitation principle was not met: data drawn from members’ contacts was not limited to that which is strictly necessary to send invitations, and that data was retained for up to 3 months after the closure of a user’s account. The Belgian DPA noted that the firm ought to have run an initial comparison of members’ contacts data, identifying which contacts were existing members of the network, and deleting all non-member data.
FTC settles with Swiss Gaming Company over Safe Harbour Claims
On May 19th, it was announced that the US Federal Trade Commission (FTC) reached an agreement with digital game developer Miniclip SA (Miniclip) in settlement of allegations that Miniclip misrepresented to customers its membership in a COPPA Safe Harbour program.
Under the terms of the settlement, Miniclip may not misrepresent its membership in, or compliance with, a government-sponsored privacy or security program, and Miniclip will also subject itself to further compliance and record-keeping requirements.
Dutch Court rules that Facebook must disclose misleading Covid-19 advertisement information
On May 15th, the Amsterdam Court of First Instance ruled that Facebook must share information identifying the advertisers behind misleading Covid-19 advertisements.
The Claimant, a Dutch celebrity news presenter, was featured in fraudulent advertisements appearing on Facebook in March and April of 2020, which related to the coronavirus crisis. The Claimant, and broadcaster Avrotros, sought an order requiring Facebook to take down the fraudulent advertisements within 5 days of judgment, and to share information identifying the advertisers behind them, including names, email addresses, phone numbers, IP addresses and other user and payment data.
On the first question, the Court accepted Facebook’s assertion that the measures it employed to detect and remove fake or fraudulent advertisements were sufficient. As to whether Facebook should be required to disclose information on those responsible for the fraudulent advertising – to which Facebook did not object – the Court considered a 2004 Amsterdam Court of Appeal ruling, which found that an obligation on service providers to provide data to a third party may be justified, provided certain conditions are met, including:
- The third party has a real interest in obtaining the information;
- There is no less intrusive means of procuring the information;
- The balance of interests between the third party and the service provider (Facebook) is in the third party’s favour; and
- The possibility that the information, viewed in isolation, is unlawful or harmful to the third party, is sufficiently plausible.
The Court ruled that all conditions were met in the case, and that Article 6(1) of the GDPR, which relates to the lawful processing of data, provides a lawful basis for sharing the advertiser data.
UK ‘test and trace’ service fails to complete mandatory privacy checks
The UK’s coronavirus tracing system did not complete mandatory privacy checks prior to launching on May 28th.
The system would collect personal data including names, addresses, dates of birth, and symptoms, in an effort to inform people if they have come into contact with infected individuals. However, Public Health England, which oversees the English system, confirmed that it had yet to complete a data protection impact assessment prior to the system’s launch, as required under the Data Protection Act 2018 (DPA). The DPA requires that an assessment of the potential privacy concerns associated with collecting and processing special category data, such as health data, be completed prior to collection. If the assessment indicates that the processing would result in a high risk to the data subjects concerned, absent measures taken by Public Health England to mitigate such risks, it must consult the ICO prior to initiating processing.
The confirmation by Public Health England raises concerns that UK authorities have not fully addressed the system’s potential privacy implications, and could expose the system to legal challenges. Those contemplating such action have also raised concerns over the privacy notice published to date, which provides for data to be held for a period of 20 years, and is ambiguous as to who may be granted access to the data collected.
The acknowledgement is another blow to the UK’s efforts to combat the spread of the coronavirus. A related smartphone application, designed to trace infected individuals, was expected to be rolled out by the end of May, but has been delayed due to concerns regarding its effectiveness, and whether data protection concerns had been adequately addressed.
For more information please contact Partner James Tumbridge at firstname.lastname@example.org.