In an interview dated February 2018,[1] Isabelle Falque-Pierrotin, at the Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first decision of sanction rendered by the CNIL on Monday January 21, 2019, which is to date the most severe sanction ever imposed to a web giant (‘GAFA’) under the GDPR, gives a sense of what that flexible approach might be in the eyes of the French regulator.

Background: a wave of awareness among users at the EU level shows a new face of data protection

In a notice dated November 2018,[2] the CNIL reported that the number of claims related to privacy issues had significantly increased (by 34 percent) since the adoption of GDPR in May 2018. The protection of personal data seems therefore to be becoming an ever more important issue, especially since nonprofit associations are able to collectively report breaches and issue claims on behalf of users to EU data protection authorities, pursuant to Article 80 of the GDPR.

The January 21, 2019 decision of the CNIL against Google recalls the admissibility of complaints filed by nonprofit associations, which have a mandate to represent users. The decision thus follows the collective complaints filed a few days after the entry into force of the GDPR, on May 25 and 28, 2018, by the organization None of your business and the French organization La Quadrature du Net.

As reflected by the length and documented character of the decision (31 pages), delivered in an extremely short time frame after an expeditive procedure (barely 10 weeks), the CNIL shows a clear willingness to implement a far-reaching control over GAFAs regarding the information given to users and consent management, highlighting that the GDPR is aimed at fighting any form of “forum shopping.”

Continue Reading First sanction decision rendered by the CNIL under the GDPR: GDPR awareness 2.0 has begun

Since California enacted its Automatic Purchase Renewals Law (APRL) in 2010, the plaintiffs’ class action bar has been active in suing companies with subscription-based services for their alleged failures to comply with the APRL requirements. The lawsuits stem from the alleged failure to comply with the disclosure, consent, and acknowledgment requirements applicable to many types of subscriptions. Non-compliance has resulted in million-dollar class action settlements and government civil penalties. This summer, the APRL got tougher.

The APRL applies to companies that charge payment cards of California consumers as part of using “automatic renewals” or providing “continuous services.” An “automatic renewal” is an arrangement to automatically renew and charge for a subscription at the end of its term. A “continuous service” is an arrangement where subscription continues and charges are initiated until the consumer cancels the service.

Generally, and even before the amendment, the APRL requirements include:

  • Presenting the terms of the automatic renewal offer or continuous service in a clear and conspicuous manner where or when the offer is made.
  • Obtaining consumer’s affirmative consent before charging a consumer for the automatic renewal or continuous service.
  • Providing an acknowledgment of key terms, including cancellation instructions, to the consumer.
  • Implementing a method to cancel (as described in the acknowledgment) by toll-free phone, email, mail, or other “cost-effective, timely, and easy-to-use” method, and permitting consumers to cancel prior to charging at the end of a free trial.
  • Notifying the consumer in a clear and conspicuous manner prior to any material changes to the original terms.


Continue Reading California toughens law governing subscription auto-renewals

On 26 April 2018, the Conference of German Data Protection Authorities (German DPAs) released a highly criticised position paper on the applicability of the German Telemedia Act (TMA) after 25 May 2018 (Position Paper). The Position Paper clearly states that tracking and profiling cookies now require informed prior opt-in consent.

Position Paper

Webtracking is governed by the General Data Protection Regulation (GDPR) as well as the ePrivacy Directive. The ePrivacy Directive is currently being revised. A new ePrivacy Regulation was supposed to enter into force in tandem with the GDPR on 25 May 2018, but it is delayed and we do not expect it to enter into force before the end of 2019. The German legislator has not updated the TMA due to the upcoming ePrivacy Regulation.

The Position Paper outlines the German DPAs’ view on the relationship of the GDPR and the TMA and its consequences on the use of cookies. The Position Paper states that the GDPR shall take precedent unless national law prevails because of an opening clause or conflict of law rule. Article 95 of the GDPR is such a conflict of law rule. It provides that the GDPR shall not impose additional obligations regarding processing data in connection with the provision of publicly available electronic communications services in public communication networks in relation to matters for which they are subject to specific obligations with the same objective set out in the ePrivacy Directive. However, the German DPAs explain that Article 95 of the GDPR does not apply with regard to the provisions in the TMA that govern tracking and reach measurement.

Continue Reading German authorities: tracking and profiling cookies require opt-in consent

On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data.

Technology Law Dispatch looked at the WP29’s draft guidelines on consent earlier this year. This article examines the differences between the draft and final guidelines.

Conditions for valid consent – freely given

Under the GDPR, consent must be freely given, specific, informed and unambiguous. Where a controller wants to process personal data for additional purposes other than the provision of a requested service, individuals should be given the option to separately consent to or reject such processing.

WP29 states that consent will not be freely given where a controller argues that a choice exists between: (1) its service that include processing for additional purposes; and (2) an equivalent service offered by a different controller.

WP29 states that an individual’s freedom of choice is dependent on: (1) the practices of market competitors; and (2) whether a data subject finds other controllers’ services to be genuinely equivalent. Such an approach would imply an obligation for controllers to monitor market developments to ensure continued validity of consent for their processing activities, as competitors could always alter their services. This would not be a realistic or pragmatic approach, and WP29 has now rejected it.

Continue Reading Article 29 Working Party issues final guidelines on consent

The Winter 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We cover new case law on marketing consent, cookie consent, the liability of platform providers, employee data protection, sales of address data and the right to be forgotten. The newsletter also includes multiple recommended reads

The Regional Court of Berlin held in a judgment of 16 January 2018 (docket no. 16 O 341/15, German language version of the judgment available here) that Facebook’s default privacy settings and parts of their terms and conditions were invalid. This judgment provides important guidance on consent and transparency.

Background

The Federation of German Consumer Organizations (Federation) sued Facebook and requested cease and desist regarding some of its default settings and terms and conditions.

The Federation argued that Facebook’s default settings violated the requirement of explicit consent. For example, the default settings included a location service in Facebook’s mobile app revealing the location of the person that the user is chatting to. In addition, boxes were pre-activated allowing search engines to link to the user’s timeline.

The Federation also argued that various clauses in the terms and conditions of Facebook were invalid, including clauses that provide consent of the user (i) to transferring personal data to and processing personal data in the U.S. and (ii) using the name and profile picture of the user for commercial, sponsored or related content.

Continue Reading German court issues important judgment on consent and transparency in Facebook case

On 28 November 2017, the Article 29 Working Party (“WP29”) published its guidelines on consent under the General Data Protection Regulation (“GDPR”). The guidelines are open for public consultation until 23 January 2018. They provide an analysis of the concept of consent. They also provide practical guidance for organisations on the requirements to obtaining and demonstrating valid consent under the GDPR.

The concept of consent

Under GDPR, a data controller can only process personal data on the basis of one of six legal grounds. An individual’s consent to processing is one of these lawful grounds. The GDPR defines consent as a “freely given, specific, informed and unambiguous” indication of an individual’s wishes to signify agreement to the processing of their personal data.

Elements of valid consent

The guidelines analyse four areas relevant to free consent under GDPR:

  1. Imbalance of power: an imbalance exists wherever it is unlikely that an individual will be able to deny his/her consent to data processing without fear of detriment. For example, an imbalance of power is likely to exist in an employment context between employers and employees.
  2. Conditionality: requests for consent to the processing of personal data should not be “bundled up” with acceptance of other terms or conditions, unless necessary for the performance of a contract.
  3. Granular and specific: data controllers need to obtain separate consents from individuals for each specific purpose they intend to process individuals’ personal data. For example, separate consents should be obtained for direct marketing activities and sharing personal data with third parties.
  4. Detriment: individuals must be able to withdraw or refuse to grant consent to data processing without detriment. For example, such withdrawal or refusal should not lead to the individual incurring costs.


Continue Reading Article 29 Working Party releases guidelines on consent under the GDPR

The Spanish Data Protection Authority (AEPD) has imposed a fine of €1.2 million against Facebook following its investigation into whether Facebook’s data processing activities were in accordance with the Spanish Data Protection Act (Law 15/1999) (the Act).

In its decision, the AEPD concluded that Facebook had committed serious breaches of the Act, as discussed further below.

Processing sensitive personal data for advertising purposes without consent

The AEPD held that Facebook did not obtain its users’ consent for the collection of their sensitive personal data in accordance with the requirements of the Act, since the consent obtained was not valid, express and in writing.

It was noted that Facebook uses the preferences of its users to profile them based on their sensitive personal data, and offer content in relation to that profile. However, Facebook did not establish a separate procedure for the treatment of sensitive personal data, as prior consent was not requested, and all personal data was used for profiling for advertising purposes by default. For example, when configuring a user’s profile, the “Basic and Contact Information” section includes options to “add your religious beliefs” and “add your political ideology”. However, no express consent is requested from Facebook regarding the use of this information for advertising purposes, nor is the user informed at any stage that their data will be used for that purpose.
Continue Reading Spanish DPA fines Facebook €1.2 million for data protection infringements

Lyft, Inc. – the popular ride hailing service featuring the iconic pink moustache – is facing a second class action lawsuit in California alleging violations under the Telephone Consumer Protection Act (“TCPA”).

This alleges that Lyft sent unwanted and unsolicited text messages to cellphones using an automated dialing system without first obtaining express written consent

In a decision of 31 August 2015, the First-Tier Tribunal provided important clarification on the use of third-party mailing lists. Optical Express v Information Commissioner (EA/2014/0014) is significant for organisations that use or are considering using such lists.

The case was concerned with an appeal by Optical Express (‘OE’) against an Enforcement Notice issued by the Information Commissioner. The Notice required OE to stop sending unsolicited marketing text messages to individuals without their consent. OE had obtained recipient details under data supplier agreements with Thomas Cook, and Thomas Cook had obtained these details by asking individuals to complete a travel survey which had a tick-box option to indicate that they were happy to receive marketing communications from third parties. OE argued that this was valid consent, and therefore the text messages were not unsolicited.
Continue Reading Optical Express appeal highlights the need for caution over third-party marketing lists