On data processors' use of data controllers' personal data:
On 12 January, the French Data Protection Authority (CNIL) issued brief, but important, guidance on how a data processor, which collects data for its client, can use the same data for its own purposes. This is an area where there is often great disagreement between customers and suppliers. A data processor often wants to analyze such data and use it to improve its own software and services.
The good news is that the guidance allows for this to a large extent, but on the following conditions:
In addition, it is required that the registered individuals are informed of the use of data. All in all, the guidance means that several assessments must be made in each specific situation, and these must be documented. In other words, there will not be a one-size-fits-all approach to these cases.
The recommendations from CNIL are not surprising, and other data protection authorities will most likely consider them an appropriate approach to the topic. This is obviously going to be an even more important issue in data processing agreements going forward, and we will discuss this further in a separate article. CNIL's text can be found here.
Cookies, new fines, and third country transfers:
Not surprisingly, Google Analytics (GA) has met the "Schrems wall". Read Digi's article where the Norwegian Data Protection Authority speaks out and discusses this issue here. Note that the Norwegian Data Protection Authority merely recommends that companies use alternatives to GA, but they do not explicitly threaten supervision or audits of companies who do use it. This de-dramatizes the situation somewhat. See also this article from Digi that mentions alternatives to GA.
The case in question is the result of one of many complaints to NOYB (Schrems' organization) about businesses that use GA, on this occasion the complaint was against the EU Parliament itself. Earlier NOYB expressed concern about businesses using Facebook plug-ins on websites. On 5 January this year, EDPS (which oversees EU institutions' own privacy) decided to order the EU Parliament to stop using Google Analytics, without issuing a fine. Digi quotes Schrems as saying "EDPS made it clear that simply placing a cookie by a US supplier on the website is in violation of EU privacy laws. No proper protection against U.S. surveillance was in place, despite the fact that European politicians are a known target of surveillance." See the Digi article here.
There are 101 other similar cases filed at the data protection authorities. A few Norwegian companies have also been complained about. It is now reasonable to believe that the result of these cases will be similar to the result in the EU Parliament matter, mentioned above. Businesses may avoid fines for now, but regardless, it is probably time for businesses to implement alternatives to Google Analytics.
Google and Facebook have also been warned of heavy fines for lack of cookie compliance by the French Data Protection Authority. The criticism is based on the fact that the companies had an easily accessible button to accept cookies, but not an easily reachable button to reject cookies (i.e. it took many more clicks to reject cookies). As a result, Google faces a fine of €150,000,000 and Facebook €60,000,000. They have been given three months to change their practice, after which they receive €100,000 in daily penalties until the required change is made. The decisions will of course be challenged, but in light of them it is nonetheless worth reviewing your cookie processes. Read more about the case here.
The history of transfer problems to third countries also continues at a state level. Interestingly, Australia signed a CLOUD-ACT agreement with the US in December, read about this here. As generally known, no country in the EEA/EU has done this to date (the UK had, but they are no longer part of EEA/EU).
The EDPB has engaged external advisers to make their own assessment as to the legal status of China, Russia, and India. The paper which they have produced sets out that in China, the state has few barriers to accessing information – despite the fact that they now have a privacy law. The same applies to Russia, with it being noted in the paper that the country has a "striking record" of violating human rights. As regards India, it is suggested that although the Indian Supreme Court has recently handed down decisions which address privacy concerns, this is a new trend and the country has been violating fundamental privacy principles for a long time. Perhaps the most important comment in the paper is that even if India is now establishing a privacy law, the legislation seems to afford the government a legal basis upon which they have far reaching powers to require access to information. Indian authorities can seemingly not be held responsible for violations of the regulations. The summary of the report states: "the features of the proposed Personal Data Protection (PDP) Bill are discussed. The report concludes that, while the right to privacy was recently recognised by the Supreme Court of India, the government still benefits from wide exemptions to the data protection regime for government access to personal data. The concept of 'national security' is recurring, vague and broad, and it is often used as a ground to access any personal information stored in the Indian territory, including personal data of persons in the EU." The assessment of India has great practical consequences for ICT-services. The assessments may be used in third country assessments, and in contact with suppliers. See the report itself here.
European cloud solutions?
The EU is working on new initiatives for European cloud solutions. Gaia-X, a previous initiative, appears to have been hampered by internal cooperation issues. In December, the European Commission launched a new initiative for a "data and cloud alliance" with 39 participants, many of them large companies. A new set of guidelines for cloud is expected within 2022, and part of the goal is to reduce dependence on foreign technology providers; read more here.
Fundamental questions about the role of the data protection authorities
The Irish Data Protection Authority has been the subject of criticism for a long time and recently that criticism has peaked. They are accused of being too friendly towards the big tech companies, specifically when it comes to Facebook/Meta. Schrems and NOYB have used the Irish Freedom of Information Act to access documents showing that the Irish Data Protection Authority has been active in changing the regulations so that Facebook can share personal data without having to obtain consent from the users.
The Irish Data Protection Authority has argued that Facebook can justify its collection of information on the basis of contract. The user contract states that a key part of Facebook's offering is to offer users personalized advertising. On that basis, Facebook would not require consent from the users. This has been heavily criticised by the other data protection authorities, and the Norwegian Authority is taking a visible role, having sent an 11-page letter about the topic to Ireland. The Irish Data Protection Authority is also on a collision course with the Data Protection Authority in Luxembourg, which took the opposite view a few months ago when it fined Amazon in the region of seven billion kroner for using contract as the legal basis for its information collection, instead of consent.
Ireland is an attractive place for tech giants due to low taxes. It is not surprising that other countries' supervisory authorities react when the Irish Data Protection Authority bends the rules of the GDPR in favour of the giants. It would be a surprise if Ireland's views were to prevail in this matter.
Another recent example of data protection authorities being in the frontline can be found in Belgium. The head of the Belgian Data Protection Authority has recently resigned in protest after attempts to politically control the authority. The European Commission has also sent a "reasoned opinion" to Belgium, with the EU pointing out that a data protection authority must be independent. Belgium has two months to correct the internal structures so that the employees of the data protection authority are independent from political control. The EU's letter to Belgium can be read here.
Sweden convicted of lack of due process in surveillance law
In November, the Swedish Surveillance Act (FRA) was found by the European Court of Justice (ECJ) to be in violation of human rights. The verdict came a full 13 years after the complaint was filed.
The essence of the verdict is that surveillance of communications may be legal, but there must be due process guarantees in place. The Swedish law did not sufficiently ensure such guarantees. In particular, the ECJ pointed out that under domestic law enterprises should be given protection, as well as individuals. Moreover, the domestic law must ensure that information handed over to another country's intelligence service is not misused. Finally, the ECJ noted that a surveilled person had no way to control, or complain in order to ensure, that wiretapping takes place in accordance with the legal regulations. This final element is similar to that which was applied in the Schrems case.
It is good that laws are evaluated, but it is not so good that it takes this long. Swedish human rights organizations are criticizing their government for expanding the scope of the law before the shortcomings in the existing law are corrected. This is a matter not only of law, but also of morality and ethics. There are going to be lots of discussions about surveillance in our technological society going forward.