Data Protection News: Summer Edition 2019

The Battle for Cookies

This summer marks the adoption of important guidance on the topic of cookies and similar technologies. The UK’s ICO and France’s CNIL both issued official information in July on the use of cookies. While there are similarities between the two authorities’ guidance, there are also points where they drift apart, as indicated in this salient Bird&Bird article.

For example, while CNIL disapproves of cookie walls, the ICO does not take a firm position on this issue. Another important point of divergence is the treatment of analytics cookies – CNIL accepts that they might not require prior consent, if certain conditions are met; however the ICO is ambiguous on this matter (it does not make an exception, but it suggests that certain analytics cookies which are low risk might not warrant formal action from the ICO if used without consent). Although there are still elements of difference, the two supervisors agree that practices such as inferring agreement from browser settings or from continuing the use of the website do not constitute compliant means of obtaining valid consent.

Unfortunately, manipulative practices for placing cookies or similar technologies on users’ terminals are widespread among EU web publishers, as this joint German-US academic study cited by TechCrunch shows. The study found that a majority of reviewed websites place cookies irrespective of user’s expressed options or offer options which have no technical effect of preventing the placement. Lack of transparency (no information about the purpose of cookies) is still a general concern.

Just as it happened with the GDPR, the publication of the anticipated ePrivacy Regulation might raise additional awareness on the legal issues surrounding the act of placing cookies and other similar technologies. The recent CJEU Fashion ID case has also underlined the importance of viewing this matter from a regulatory rather than a purely technical perspective, with legal consequences for all parties involved (including the website publisher). Providers of web design and online marketing services must understand that advising their clients on cookie placement triggers legal responsibilities and is not only a matter of advertising strategy.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

Fashion ID: another case of joint Controllers

The CJEU decided on yet another case involving joint controllership over personal data (Case C-40/17). This time, the publisher of a fashion website was deemed to be acting jointly with Facebook for the collection and transmission of personal data through the installation of social media plugins (e.g. Facebook like button). On the other hand, the publisher is not a controller for the processing of the data after it is sent to Facebook.

Another issue made visible by this judgement concerns the placement of Facebook tracking technology through social media buttons without the users being aware and even if they do not have a Facebook profile and did not click the Like button.

Website owners should look into the social media buttons situation on their websites and analyze how they work and what is their added value. Many times, such buttons are placed simply because the website developer suggested it, without any real purpose or benefit. However, since this triggers additional compliance obligations under GDPR and ePrivacy legislation, it might be worth it to give it a second thought and decide if truly necessary. Nevertheless, even if the buttons are installed, trackers should not be activated if there is no user consent.

The pitfalls of relying on employees’ consent

An important international consulting firm in Greece fined 150,000 Euros by The Hellenic Data Protection Authority (direct download link). The issue under review was the use of employees’ consent as a legal basis for processing personal data in the context of labor related activities.

Previously, the Article 29 Working Party has already expressed the view that in certain situations such as employment where there is an imbalance of power between controller and data subject, consent might not be the appropriate legal basis, because it would not be freely given.

In the Greek case, the data protection authority also made an interesting point to the problem of changing legal bases: “The principles of lawful, fair and transparent processing of personal data pursuant to Article 5(1)(a) of the GDPR require that consent be used as the legal basis in accordance with Article 6(1) of the GDPR only where the other legal bases do not apply so that once the initial choice has been made it is impossible to swap to a different legal basis. In case the data subject withdraws his or her consent, it is not allowed to carry on the processing of personal data under a different legal basis.

Romania: new legislation

SIM cardholder identification: The Romanian Government has proposed new legislation which will require purchasers of prepaid SIM cards to provide a copy of their national ID. The Association for Technology and Internet (ApTI) has analysed the legal context surrounding this proposal and documented their effort to participate in public debates (articles in Romanian). This is not the first legislative effort to identify holders of prepaid SIM cards – previously, the ID collection requirement was justified on reasons of combating terrorism and fighting crime. Now, the underlying motivation is the need to identify persons calling the emergency 112 services.

Sex offender database: June saw the publishing of a law establishing a national register of persons sentenced for sexual crimes, exploitation and crimes against minors as well as a national register of genetic data for law enforcement purposes (Law no. 118/2019). This registry is organized separately from the Criminal Record and is subject to different rules. Moreover, registered persons must notify the Police about intended travel and are subject to Police monitoring. The law even institutes an obligation on organizations which intend to hire/contract staff to make background checks based on this new register, if the proposed job involves education, health social protection, working with vulnerable groups or performing physical/psychological checks. Available public information does not show whether any DPIA has been performed before adopting this law.

Internet banking: The Ministry of Communications issued a new order regarding minimum security rules for long distance electronic payment systems such as internet and mobile banking.

First four GDPR fines in Romania

One year after the application of the GDPR, the Romanian supervisory authority (ANSPDCP) applied its first fines based on the new legislation. Read below a summary of the sanctions, with direct links to the authority’s press releases:

  •  A bank was sanctioned with 130,000 Euros for excessive processing of personal data. The bank’s clients were receiving a large number of data of the persons who were making transfers into their accounts. The account statements showed not only the name and account of the payer, but also their national identification number and other personal information.
  •  15,000 Euros was the fine applied to a hotel for lacking security measures after a list with the identification details of guests (used by the hotel for managing breakfast) was photographed and published online.
  •  An online store selling GDPR-related documentation was fined 3,000 Euros for a security incident which allowed the public to access to lists of online financial transactions.
  •  An industrial equipment producer was fined a total of 2,500 Euros for (a) installing CCTV surveillance without informing data subjects and (b) publishing a list of employees and their personal identification numbers (CNP) on the company’s public bulletin board.

Guidelines & reports

✎ EDPB’s July plenary resulted in the adoption of substantial guidance and opinions: video surveillance, standard contractual clauses for processors, supervisory authority competence, and others.
First ISO standard on information privacy management has been published.
From the Irish DPA: Guide for users about app permission requests. Guidance on Requesting Personal Data from Prospective Tenants. Transfers of personal data to third countries or international organisations. Guidance on CCTV in the home. Guidance Note on Data Protection Basics. Quick Guide to GDPR Breach Notifications.
✎ With Brexit looming (again), the EDPS has issued an Information note on international data transfers after Brexit.
✎ ICO launches public consultation on data sharing code of practice.
✎ EU Commission communication: Data protection rules as a trust-enabler in the EU and beyond –taking stock (direct download).
✎ EU Commission facilitates drafting of Recommendations for a better presentation of information to consumers.
✎ UK Centre for Data Ethics and Innovation: interim reports for online targeting and bias in algorithmic decision-making.
✎ EPDB-EDPS Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection.
✎ EDPS adopts DPIA List for EU institutions.
✎ Slovenian DPA issues cookie guidance.
✎ Dutch DPA: further guidance on data breaches.
✎ Germany: guidelines on data transfers in asset deals.
✎ Training Data Protection Authorities and Data Protection Officers – T4DATA  project: The DPO Handbook.
✎ European Parliamentary Research Service: How the GDPR changes the rules for scientific research.
✎ Portugal adopts GDPR Application Law.
✎ The Office of the Privacy Commissioner, New Zeeland: guideline about what data should and should not be collected by landlords when leasing a property.
✎ The Centre for Information Policy Leadership (CIPL) released a response to the UK ICO’s consultation on Age Appropriate Design – A Code of Practice for Online Services.
✎ The Law Society: Algorithm use in the criminal justice system report.
ENISA published the annual report on security incidents that took place in 2018 in the telecoms sector.
✎ The Information Commissioner’s Office released Update report into adtech and real time bidding.
✎ The national cyber security and incident response team from Romania (CERT-RO) elaborated a set of recommendations for when it comes to web-based apps security.
✎ A new guide on data breaches is published by the Polish Data Protection Authority (UODO).
✎ The European Commission published the results of a survey conducted on topics regarding General Data Protection Regulation and the Charter of Fundamental Rights.
✎ The European Parliament has elaborated a detailed analysis on blockchain and the GDPR.
✎ The Irish Data Protection Commission gave a more complex definition to the ‘right to be forgotten’ or the right to erasure as stated in arts. 17 and art. 19 of the GDPR.
✎ Technlogylawdispatch: German DPA released audit checklist for GDPR readiness.

EU legislation watch

The latest version of the ePrivacy Regulation proposal was published on 26 July.

A new Directive (Directive (EU) 2019/770) regulates contracts for the supply of digital content and digital services. The transposition deadline is 1 July 2021.

Cases & decisions

⚖ Italian DPA issues Decision on the right to be forgotten in a case concerning de-listing from Google search results.
⚖ EDPB pleading before the CJEU in Case C-311/18 (Facebook Ireland and Schrems). Read here explanations and context provided by NOYB.
⚖ The Dutch DPA said that Banks may not use payment data for marketing purposes.
⚖ Regional Court of Frankfurt: refraining to process personal data in the future is also part of right to erasure (read this article for further reference).
⚖ The Higher Regional Court of Dresden recently issued a decision on monetary compensation for minor violations of the GDPR.
⚖ The Research Service of the German Parliament released an opinion about Amazon Alexa and data protection risks.
⚖ The situation with Google’s Doubleclick.net cookies that were bypassing privacy settings from Safari and Internet Explorer ended up with a settlement.
⚖ The regional Courts of Bonn and Wuppertal released judgments regarding GDPR which stated that physicians can assert their right to erasure (“Right to be forgotten”).
⚖ The Austrian Regional Court Feldkirch decided to award a claim for non-material damages amounting to EUR 800 against the Austrian Post.
⚖ The European  Court of Human Rights published a factsheet with some relevant case law regarding data privacy and Art. 8 of the European Convention on Human Rights.
The Council issues conclusions on the retention on electronic communication data for the purpose of fighting crime.
⚖ A Romanian court of first instance fines a state-owned company for publishing personal data on its website – judgement not final, subject to appeal.
⚖ The Garamukanwa v. UK decision of the European Court of Human Rights deals with the right to privacy and use of e-mails in employment disciplinary proceedings.
⚖ There is a new request for a preliminary ruling originating from Verwaltungsgericht Wiesbaden (Germany) on the issue of the right to access and public bodies.
⚖ The European Court of Justice published the judgement in Case C‑193/18 dealing with the concept of electronic communications networks and services.
⚖ A new competition-related decision from Germany limits the way in which Facebook may combine data collected through different services.
⚖ A recent decision from the Amsterdam Court said that employers cannot oblige employees to use an authorization system for cash register which works based of finger scan, this being against the GDPR regulation.

GDPR enforcement actions

⚡ Google Home Speech Assistant under scrutiny by the Hamburg DPA for concerns about employees and contractors listening in on private recordings.
⚡ Swedish municipality fined for using facial recognition technology to monitor student attendance in school. This IAPP article provides more insight.
⚡ French DPA (CNIL) applies 180,000 Eur sanction to an automobile insurance intermediary for lack of security following a data breach which affected its website users.
⚡ Lower Saxony DPA comments on the use of GPS on vehicles. Read this related article in English.
⚡ Italian DPA prohibits sending marketing communications to loyalty cardholders.
⚡ CNIL fines company for excessive monitoring of employees.
⚡ The French supervisory authority CNIL fines Estate Company 400K on issues of inadequate technical measures (Art. 32 GDPR) and non-compliance with retention periods (Art. 5(1)(e) GDPR).
The Norwegian DPA imposed a fine of 170.000 € on the Bergen Municipality, related to computer files with usernames and passwords to over 35,000 user accounts in the municipality’s computer system.
⚡ In Germany, the Baden-Wuerttemberg Authority imposed a fine of EUR 1,400 on a police officer who was accessing personal data for private purposes through official means.
The Danish DPA proposed a fine of DKK 1,5 million against IDDesign A/S, for failure to delete data about 385.000 customers.
⚡ The Italian DPA sanctioned a call center with a fine of 2 M€ for unlawful data processing in its role as a data controller.
⚡ The Hellenic DPA imposed sanctions on Renewal Private Medicine Ltd, fining the company for unsolicited marketing calls. You can find the decision, only available in Greek, here.
Banka DSK was fined by Bulgaria’s commission for personal data protection with one million leva (about 511,300 euro), for “illegal disclosure” of the personal data of its customers.
⚡ The ICO looks into face recognition technologies used in King’s Cross station in London.

More EU data protection news

► Facebook’s Libra digital currency: leading data protection institutions publish joint statements on their privacy expectations.
► Germany updates its federal data protection legislation.
► No, it is not necessary to ban visitors’ books because of GDPR.
► Data protection in the B2B Sector – read this compelling article by reuschlaw.
Practical tips for managing data subject access requests, by Phil Lee.
► Microsoft Office 365 raises more privacy concerns in Europe.
► HM Courts & Tribunals Service discovered that emails belonging to a judge were automatically forwarded to a malicious account in Nigeria.
► A press release from EDPS revealed that there are some data protection issues on EU institutions’ websites.
► The Baden-Wuerttemberg (Germany) Data Protection Authority had a word to say about the automotive sector’s compliance with data protection – in this article you can find relevant details in English.
► Digital content is being managed by some new rules and this article gives more detailed vision on the connection with GDPR.
► The Belgian Data Protection Authority published a consultation on direct marketing.
► Some hospitals in Romania were affected by the BadRabbit ransomware, as reported by the Romanian Intelligence Service.
► The UK launches voluntary cyber security standard and compliance certification mark for the manufacturers of surveillance cameras.
► A press release from the European Commission clarifies some concerns related to EU Cybersecurity.
The European Data Protection Supervisor (EDPS) comments on Twitter about current privacy incidents.
► The State Commissioner for Data Protection and Freedom of Information of the Hanseatic City of Bremen (“LfDI”) is planning on examining the Microsoft Office 365 the purpose being checking security and lawfulness of personal data processing in the cloud service.
► UK publishes proposed legislation on IoT.

Personal Data Breaches and other cyber incidents

☔ British Airways – proposed 183 million pounds fine for massive data breach.
☔ Personal data of Bulgarian citizens has been seriously endangered, after tax agency was hacked.
☔ Twitter talks about certain issues with sharing personal data for advertisement purposes, without user permission.
☔ Forbes reports that Russia’s Secret Intelligence Agency has been hacked.
☔ Ireland: hospital loses medial data in pub and bus.
☔ University in the UK shared list of activist students with police.
☔ Approximately 23 million accounts from CafePress have been the subject of data breach.
The Belgian DPA and the Hessian authority of Germany were informed by Mastercard about a data breach that took place, affecting a large number of data subjects, a majority of them being German customers
A press release from the Dutch DPA shows that, while Microsoft has taken adequate measures in order to improve data privacy, there are some new, potentially unlawful, instances of personal data processing.

Other data protection news from around the world

☕ The FaceApp conundrum – the „app that make you old” took headlines this summer after civil society organizations raised awareness about the risks of accepting their terms of service. The Spanish authority warned users about the use of this app and the ICO is reportedly looking into this matter.
☕ Arrest made after data about 106 million people from the US and Canada being was stolen from Capital One.
☕ MIT: The Dark Secret at the Heart of AI.
☕ Recent events reveal that Instagram allowed a trusted advertising partner to create accurate files on holders’ physical locations and personal bios.
☕ Following an investigation it has been shown that Facebook users cannot avoid location-based ads no matter what settings they turn off or on.
☕ Facebook finally introduced the long-awaited tool of “Clear History”, now called “Off-Facebook Activity”.
☕ The Siri app makes it possible to hear confidential details from different users without knowledge or consent from users.
☕ The US Networking Advertising Initiative (NAI) updates its Code of Conduct.
☕ Singapore: A new decision from the Commissioner for Personal Data Protection on direct marketing case.