Privacy Corner

by Eva Jarbekk


Lock hanging

The Danish Data Protection Authority (DPA) confirmed their decision on the well-known Helsingør municipality case on the 18th of August, in which they ordered the municipality to stop using Chromebooks in their schools. See more on this here.

The Data Protection Impact Assessment (DPIA) that the municipality presented to the data protection authority was not sufficient. The DPIA did not adequately identify the risks for the individuals as a consequence of transfer of personal information to the United States, nor did it apprehend the contractual consequences of the agreement or the data protection agreement between Google and municipality.

In order for companies to properly carry out DPIAs, companies should look to readily available resources for inspiration. One such resource is the European Data Protection Supervisor's (EDPS) 2020 analysis of their licensing agreement with Microsoft, which is publicly available here. It is likely that there are relevant similarities in how Google and Microsoft have designed their data protection agreements.

Some of the findings from the EDPS, show that the licensing agreement allowed Microsoft to define and change the parameters of its processing activities and that it gave Microsoft broad rights to act as a controller for some of the information. Further, the analysis uncovered a lack of control over the sub-processors that Microsoft used and a lack of meaningful audit rights as regards the ability to control the location of a large portion of the data processed by Microsoft. These are elements that one should look for and address in one’s own DPIA – and Microsoft is not the only company having such regulations.

The Dutch government has also published a useful DPIA on Microsoft teams, OneDrive and Azure which is very useful as a source for DPIAs. It is available here.

Talks have been held between the data protection authority and the municipality on solutions to the matter, but  the potential solutions raised in these discussions have not yet been released to the public. So, the matter is to be continued!

The Danish DPA have made public a questionnaire that they put to companies regarding the use of Cloud solutions. They have sent out this questionnaire to several companies in both the insurance and health sector. It will be interesting to see what kind of decisions the DPA will make for these businesses. The questionnaire is available here.

The European Court of Justice (ECJ) issued one interesting decision on 1 August 2022. It concerns the publication of the name of a spouse or partner, and whether this amounts to the processing of sensitive personal data because it may reveal the sexual orientation of an individual. For example, if it is made public that Peter is married to Paul, it is fair to assume that they are in a same sex relationship. The ECJ ruled that such publication, of the name of a spouse or partner, is in fact sensitive data, as set out in the GDPR. The major consequence of this decision is that, in publishing this type of information, the publisher must follow the strict requirements for obtaining legal basis under GDPR Article 9 and not the more basic requirements for "regular" personal information under Article 6. TechCrunch has a good article on this where Dr Gabriela Zanfir-Fortuna, Senior Counsel for the Future of Privacy Forum, is quoted: "I think this might have broad implications moving forward, in all contexts where Article 9 is applicable, including online advertising, dating apps, location data indicating places of worship or clinics visited, food choices for airplane rides and others [..]”. The article is available here.

The French data protection authority, CNIL, has been very active this summer. They have threatened AdTech giant Criteo with a fine of €60 million, for the application of a suite of tracking techniques and data processing practices designed to profile web users so they can be targeted with behavioral ads, which the CNIL believe contravenes GDPR due to lack of legal basis and consent and lack in legitimate interest. Little is known about this very large fine yet but we will follow this case closely and keep you updated. CNIL has also fined the hotel chain Accor €600,000 because customers automatically received a newsletter from the hotel after booking; the hotel had pre-ticked consent boxes and did not effectively allow people to opt out of such emails. The most interesting part in this case is not the lack of legal basis for sending out the newsletters, but that CNIL, as lead supervisory authority in the matter, was required to consult with other data protection authorities on the size of the fine as the case had relevance for other countries as well. The Polish data protection authority  considered that the initial reaction of CNIL was not strong enough , given the nature of the breach by Accor. Therefore, the EDPS directed the CNIL to increase the fine in order for it to act as a more convincing deterrent. There is clearly a difference in opinion between authorities on how large the fines are supposed to be, and we are seeing an increasing number of cases were the EDPS orders fines to be increased.

CNIL has issued another significant fine of €1 million to TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE. Several individuals complained about how their personal information was processed, leading the data protection authority to conclude that Total Energie had not provided the data subjects with the required information under Article 14 GDPR. Total Energie further failed to respond to requests to provide the information within one month, as required under Article 14(3)(a).

CNIL have also fined the car rental company Ubeeqo €170,000 for collecting information on the location of its rental vehicles every 500 metres when they were moving. The company kept records of some of the geo location data for three years after the rental had ended, this was found to be excessive. Given that such data is quite intrusive, this fine may be seen as quite low. Ubeeqo claimed that they needed the information for security purposes, though this argument was dismissed by CNIL.

Another interesting case comes from the data protection authority in the German state of Lower Saxony. They have fined Volkswagen €1.1million  which has not been contested by the company. A Volkswagen test vehicle was stopped by police in 2019 and the police found that the vehicle had unusual attachments on it, which turned out to be cameras. The vehicle was used to test and improve the functionality of a driving assistance system. It therefore recorded traffic around the vehicle for error analysis. When the data protection authority looked into this, they concluded that the vehicle was missing information signs that would have been required pursuant to GDPR Article 13. Further, Volkswagen had no data processing agreement with the company that drove the car, thereby violating Article 28. Volkswagen had not carried out a DPIA and their Article 30 protocol did not have an explanation of technical or organisational security measures. It is notable that the authority found these violations of low impact and that despite Volkswagen promptly remedying the faults, they were nevertheless fined quite a large amount.

Finally, Maximilian Schrems and his organisation None of Your Business – European Centre for Digital Rights (NOYB) have been active this summer. NOYB have filed a claim against Google for sending unsolicited advertising emails directly to users' email inboxes. You can read more about this here. NOYB has also recently, on 8 of August, filed 226 complaints against deceptive cookie banners that are not compliant with GDPR requirements. The complaints are filed with 18 different responsible authorities against websites that used cookie banners from OneTrust, with settings that are not compliant as they did not have an easily reachable "reject" button. This demonstrates that even where companies use well-known privacy software, it is necessary to adjust it correctly in order to be compliant. Read more about this here.

Do you have any questions?