Privacy Corner

by Eva Jarbekk, Anna Eide and William Eitrem


Computer and lock

August has arrived, and the big news of the summer is that it will be easier to transfer data between the European Economic Area (EEA) and the United States (US) henceforth. At least for as long as it lasts. Schrems will take the new agreement to court, and it is interesting to note that while Schrems' description is that there have only been small changes in US law, the Norwegian Data Protection Authority writes that they are pleased that privacy in the US has improved. In any case, the situation is better for companies, which can now transfer information more easily. But there is no reason to forget Standard Contractual Clauses (SCCs) completely – as they must be used for other third countries such as India. Besides the fact that there has been much focus on this new agreement, there have been significant restrictions in regard to the opportunity to use legitimate interest as a legal basis for profiling and marketing. See a few important cases from Sweden and from the European Court of Justice (ECJ) regarding this below.

Multiple key decisions from Sweden

13 million kroner fine to Bonnier
The Swedish data protection authority, the IMY, is stepping up its activities. They can no longer be criticised for being passive, which has frequently been the case up until now, and there is every reason for companies with activities in Sweden to pay attention to the areas IMY focuses on . Below are some cases that may be useful for many.

The IMY has given Bonnier an administrative fine of 13 million kroner. This case is important because it criticises a practice that has been common. Furthermore, this case sheds light on how legitimate interest can potentially be used as a legal basis for profiling. This is also a topic of the decision on 4 July against Meta, which is discussed below.

Many actors collect information from websites and collate it with information from online purchases – for those who do this based on legitimate interest, it is high time to rethink one's practices.

The fine was issued due to Bonnier profiling its customers and website users without their consent. The IMY investigated how Bonnier collected and handled personal data for marketing purposes. The information was gathered from many sources and was used for targeted online advertising, postal marketing and telemarketing. For instance, this included the collection of personal data related to purchases made from various companies within the Bonnier Group, as well as the analysis of users' online activities – i.e. how visitors have navigated the company's websites. In some cases, the information was also collated with personal data obtained from external sources. These included details about the customers' gender and postcodes, as well as statistical information based on the person's area of residence, such as their stage of life, purchasing power and type of housing.

Bonnier has stated that they rely on a legitimate interest assessment for the processing of personal data. According to the aforementioned assessment, the company's relevant interests outweigh those of the data subjects, and the processing is necessary to carry out the relevant marketing.

However, IMY believes that customers should not have to expect that behavioral data be collected for marketing purposes solely based on a visit to a website. Nor can customers expect that behavioral data be assembled with information from a purchase situation or information obtained from other databases with the intention of contacting them for telemarketing or direct marketing. According to the IMY, such extensive profiling requires consent.

While determining the amount of the fine, IMY has emphasized that Bonnier has taken extensive measures to minimize violations of the data subjects' privacy. Since Bonnier has users in many countries, the decision has been made in consultation with other data protection authorities in the European Union (EU).

The case can be found here.

Tele2, CDON, Coop and Dagens Industri
IMY has assessed the lawfulness of four companies' transfer of personal data to the United States via Google Analytics; namely CDON, Coop, Dagens Industri and Tele2. The assessment was based on an edition of Google Analytics dated 14 August 2020 – that was before any of the players were using Google Analytics 4.

The investigation was prompted by the infamous 101 complaints made by the organisation None of Your Business (NYOB), in the wake of the Schrems II decision of 2020. The complaints simply stated that these companies did not have the legal basis for transferring the data to the United States.

All the companies used SCCs as the basis for transfer. The question was whether the data transferred was personal data, and if so, whether the companies had implemented sufficient security measures to ensure an adequate level of protection for the transfer of personal data . IMY was of the opinion that the data sent to the United States is personal data, as the information could be linked to other unique personal data that had been transferred. IMY also concluded that the technical security measures that the companies had implemented were not sufficient to ensure a level of protection in line with the GDPR.

IMY issued an administrative fine of SEK 12 million and SEK 300,000 against Tele2 and CDON respectively, as they did not implement the same in-depth technical security measures as Coop and Dagens Industri.

IMY's decision attracted much international attention as it was the first decision that imposed a fine for the violation. This is particularly interesting in light of the now adopted EU-US Data Privacy Framework, as shown below.

EU-US Data Privacy Framework

I'm sure you have heard perhaps the best news of the summer – the EU and the US have agreed on a new framework for transferring personal data to the US. For those of us working with privacy, I can safely say that this was more promising in terms of a few weeks of summer holiday in comparison to Schrems II in 2020 and the European Data Protection Board (EDPB) (with their guidelines for following up on Schrems II) in 2021.

In short, the EU-US Data Privacy Framework will allow US companies to self-certify under this solution and thus be approved for accepting personal data from the EU and the EEA. All major US companies will of course, do this, and we will once again be approaching a situation with a "free flow". This free flow of personal data does not automatically apply to all US companies, only those certified and listed on the official website

However, it will also become easier to transfer personal data to other US companies. For example, if you want to send personal data to a company that is not on the list, you will still be required to have a basis for the transfer. In practice, the SCCs will be used. However, since the European Commission's assessment of US legislation and case law, which they found to be satisfactory, several supplementary additional measures became unnecessary – which is something that most of us have spent a good amount of time considering lately. This is explicitly stated by the Norwegian Data Protection Authority in their FAQ) regarding the new solution. They write: "Assuming that the business you are transferring to is not subject to other laws than normal commercial US businesses, you can rely on the European Commission's assessments. Thus, the demanding assessments have been simplified, but don't forget that you still need to ensure you have a basis for transfer." See link to the statement here

And as the Data Protection Authority writes – remember that you still have to make sure you have a basis for transfer.

But will this last? Schrems has announced that they will be bringing the matter before the ECJ as soon as possible. 

This could happen as soon as a company starts using the Privacy Framework. This could also mean that the first companies to use the Privacy Framework run a significant risk of being exposed to Schrems III. Personally, I would prefer not to be the "first mover" in this scenario. Moreover, the EU has a fast-track for these types of complaints, and it is possible that this case will end up in the ECJ as early as the end of 2023 or early 2024. There is also the possibility that the court may subsequently suspend the agreement while it considers the case. In other words, there is no need to forget how to fill out an SCC and you should consider additional measures.

A decision against Meta

On 22May 2023, Meta Platforms Ireland Limited, the company behind Facebook, was fined EUR 1.2 billion for their handling of personal data. The fine — the largest GDPR fine ever — was imposed for Meta's improper transfers of personal data to its US parent company, Meta Platforms Inc. In addition to the fine, Meta has been ordered to rectify its data transfers according to the GDPR (which will probably be relatively easy now, with a new framework in place).

The 222-page long decision concerns the fact that Meta for years has been transferring large amounts of personal data based on s SCCs and additional measures. The Irish Data Protection Authority has thoroughly reviewed Meta's additional measures, such as organizational policies and encryption of personal data, and concluded that the measures did not provide adequate protection, thus all transfers are  in violation of the GDPR. Although Meta has taken measures to oppose US government requests for disclosure, they are unable to change the fact that they have to disclose the data if US authorities validly require them to do so. Therefore, they cannot ensure that the level of protection when transferring personal data to the US is the same as the level of protection EU citizens enjoy in the EU, as required by the GDPR.

The head of the EDPB, Andrea Jelinek, stated the following:

Meta’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.

Meta,has been clear that they will be taking legal action to contest the fine. At the same time, the situation is peculiar due to the newly implemented EU-US Data Privacy Framework that will allow such transfers. But this also shows that every infringement is considered a breach of the regulations in place when it occurs – rule changes are considered of little importance – even though this probably seems strange to many.

Another Meta decision – from the ECJ on the use of legitimate interest and the competence of competition authorities

The 4th of July was probably not a day of celebration for Meta this year, as the European Court of Justice handed down their decision (C-252-21) in a case between Germany and Meta. The process leading up to the judgment started with a decision from the German Federal Cartel Office, which argued that Meta's terms of use for Facebook violated German legislation, prohibiting the abuse of a dominant market position. Facebook's terms were said to violate the GDPR, as using Facebook required that Meta could collect and process user data from various sources without actual user consent. This breach of the GDPR was seen as abuse of Meta's dominant position.

With this judgment, the ECJ has now given its support to the German Federal Cartel Office's position. The Court specified that the provisions of the GDPR do not prevent national competition authorities from establishing that a company with a dominating market position can be non-compliant with the GDPR. However, they clarified that competition authorities do not replace national data protection authorities, as competition authorities are neither supposed to monitor nor enforce the application of the GDPR. However, the ECJ encouraged competition authorities to take privacy considerations into account when assessing competition legislation. In line with the principle of uniform application of the GDPR, the ECJ places emphasis on the appropriate duties of disclosure and cooperation between competition and data protection authorities.

Two very accomplished law professors in Norway, Lee Bygrave and Samson Esayas, have an interesting discussion about the competition aspects of the judgment in this LinkedIn thread. It is recommended to read if you are particularly interested in this case.

The ECJ further specified that Meta cannot rely on an agreement as a basis for processing to create personalized content and facilitate seamless use of the various services from Meta. The reason for this was that the processing was not regarded as objectively indispensable for carrying out a purpose, which is an integral part of the contract performance. The fact that the processing is described in the agreement, or that it is useful for the performance of the contract, is not considered relevant. The ECJ specifies that the controller must be able to demonstrate that the main purpose of the agreement cannot be carried out without the processing in question. The latter is an interesting clarification and restriction from the ECJ, which might indicate that more players will have to consider whether an agreement can be used as a basis for processing – in other words, whether the main purpose of the agreement cannot be carried out without the processing in question.

After considering whether an agreement constitutes a legal basis for processing for Meta, the ECJ proceeded to consider whether Meta can use legitimate interest as a basis for processing. Although the ECJ recognizes that processing for the purpose of direct marketing may constitute a legitimate interest, the interests and rights of the individuals will outweigh a company's interest in processing personal data for behavioural marketing. Amongst other things, the ECJ pointed out that Facebook users cannot expect Meta to process their personal data for this purpose without their consent, even if the service is free, and that the processing relates to a potentially unlimited scope of data.

The judgment has been used to support that Meta can really only use consent as a basis for processing for behavioral marketing. NOYB writes, among other things:

While the CJEU has not ruled out that a legitimate interests can exist (e.g. for network security), the judgment clarifies that there is no "legitimate interest" that would override the users rights when controllers try to provide advertisement. This basically limits any EU controller from running personalised advertisement other than on a freely given (yes/no) consent.

The ECJ's statements about Meta's basis for processing have had direct consequences for Meta in Norway – read more about this below.

One more decision against Meta – the Norwegian Data Protection Authority is impatient

Big players get a lot of attention. In Norway, the Norwegian Data Protection Authority has temporarily prohibited behavioral marketing on Facebook and Instagram. The prohibition applies to Meta's processing of Norwegian users' personal data to target ads on the basis of observing their behavior. In other words, it does not apply to the service itself or processing for marketing as such.

The decision is closely linked to the ECJ's decision from 4 July 2023 (see above) and the decision of the Irish Data Protection Authority (DPC) from 31 December. In December, the DPC ruled that Meta could not use an agreement as a basis for processing for behavioral marketing, and ordered Meta to ensure that its processing activities complied with GDPR Article 6 within three months. The decision from the DPC resulted in Meta changing its basis for processing to legitimate interest for a number of their services.
As a result of the ECJ's decision of 4 July 2023, in which the ECJ concluded that Meta cannot use legitimate interest for processing personal data for behavioral marketing, the Norwegian Data Protection Authority concluded that Meta did not change its practice to comply with GDPR Article 6.

The Norwegian Data Protection Authority believes that the conditions for urgent cases have been met, and writes on its website:

Since Meta has its European headquarters in Dublin, it is normally the Irish Data Protection Authority that oversees the company in the EEA. However, the Norwegian Data Protection Authority can intervene directly against Meta in urgent cases, and we can then make decisions that are valid for three months. We believe that the conditions for urgent cases have been met, as Meta has recently been met with a decision and judgment that it has still not complied with, and as we have already attempted the usual procedural mechanism. If we do not intervene now, the privacy of the majority of Norwegians will be violated by Meta indefinitely.

The Norwegian Data Protection Authority's temporary decision will apply from 4 August 2023 for three months, or until Meta shows that they have complied with the DPC's and the ECJ's decisions in a lawful manner. If Meta does not comply with the Data Protection Authority's decision, they risk penalties of up to one million NOK per day. However, Meta can contest the decision in the court, and the Data Norwegian Protection Authority can ask the EDPB to extend the decision beyond the three months given.

WhatsApp switches to using legitimate interest

On 17 July, WhatsApp announced that it has changed its basis for processing to legitimate interest to comply with the DPC's decision. Meta has filed an appeal against the DPC's decision, stating that Meta cannot use an agreement as a basis for processing for its personalized services (including Meta's behavioral marketing). However, pending the appeal, Meta must comply with the DPC's decision. It may seem as if Meta's strategy is to use legitimate interest as a basis for processing, even if there are many indications that the Data Protection Authorities (at least the Norwegian one) believe that this basis cannot be used.

The NOYB and several others believe that the result of the ECJ's 4 July decision and the DPC's decision, is that data controllers must rely on consent to engage in behavioral marketing. Meta probably does not agree with this, as the transition to consent could have large financial consequences for them and several other players. 

The European Commission's proposal for new legislation to facilitate cooperation between data protection authorities

It is no secret that there have been several disagreements between data protection authorities in various countries in connection to the Meta cases. The same has happened in other cases as well.

The cooperation between data protection authorities has repeatedly proved to be challenging, which has made enforcement of the GDPR particularly slow in cross-border cases. The European Commission has now come up with a proposal for a new regulatory framework that will streamline cooperation between data protection authorities. The new regulations contain several procedural rules for cases concerning individuals in more than one country.

If the proposal for new legislation is adopted, the lead data protection authority will have to send a summary of the main points of the case to affected data protection authorities at an early stage of the process, identifying the main elements of the investigations and the authority's view on the case. This should enable affected data protection authorities to put forward their views on the case at an early stage, thereby avoiding disagreements and ensuring that the data protection authorities are on the same page from the start. The proposal would give companies clarity, as  they are entitled to their procedural rights when data protection authorities conduct investigations, clarifying what the complainant must submit in the event of a complaint and ensure the individual's proper involvement in the case. 

However, the proposal has been met with criticism from several quarters. The Computer & Communications Industry Association (CCIA) believes that this proposal does not address the major procedural deficiencies and that the fundamental rights of those companies continue to be overruled. For example, companies will only have two weeks to respond to new allegations if the case is escalated to the EDPB. Max Schrems, on the other hand, believes that the regulations imply that a process that used to be about the rights of the individual, will now be about the rights of companies.

It will be interesting to see the outcome of the European Commission's proposal. It must now be submitted to the European Council and the EU Parliament, and several major changes are expected. 

Finally a note on something completely different – the Data Act

The European Council and the EU Parliament recently reached a political agreement on a new regulation, harmonising rules for fair access to and use of data (the Data Act). The Data Act follows up on the European Commission's data strategy from February 2020, and regulates the use of and access to data generated from so-called "connected products" (everything from smart home appliances to smart industrial machines). The Data Act will therefore  apply to all data other than the typical personal data.

The Data Act will give both companies and individuals better control over their data. Among other things, both companies and individuals might be entitled to the provision of the data generated from their use of "connected products", or that the data holder directly discloses this data  to a third party. In other words, the Data Act will provide a stronger right to data portability for data that is often only available to the manufacturer or service provider. The regulations will also give both companies and individuals the opportunity to influence how their data is used and make it easier for individuals to effectively switch between different cloud providers.

Do you have any questions?