norm. data protection bulletin: 06th February 2023

Norm data protection bulletin

Apple fined €8M for breach of ‘cookie law’

On December 29, 2022, the French Data Protection Authority (the “CNIL”) imposed an €8,000,000 fine on Apple for breaches of French ‘cookie law’. The CNIL concluded that Apple was collecting the identifiers of users that visited the App Store, including to personalise ads shown on the App Store. Apple was collecting such data by default, without obtaining users’ consent. The collection of these identifiers could not be considered strictly necessary for the provision of the service (here, the App Store) and so could not benefit from the exemption from the prior-consent requirement; therefore, the identifiers should not have been collected without users’ prior consent.

In this case, the targeted advertising settings available from the “Settings” icon of the iPhone were pre-checked by default. In addition, the CNIL found that users had to take too many actions in order to deactivate this setting, making consent too difficult to provide and withdraw. Accordingly, the CNIL held that Apple’s cookie practices infringed French law governing the use of cookies. That law is virtually identical to UK ‘cookie law’.

Apple has, since the investigation, reached compliance.

Comment: This shows, yet again, why organisations that collect information from those that visit their websites need to be very careful to ensure that those responsible for their websites and marketing:

  • understand what identifiers are ‘personal data’;
  • only collect information with consent (where required); and
  • only use information validly collected on a lawful basis and in accordance with an appropriate Privacy Notice/Policy.

Data Protection Round Up 2022

It’s been another busy year for privacy professionals! In this note we will revisit some of the highlights of 2022.

In the UK

  • Data Protection and Digital Information Bill
    The government introduced the Data Protection and Digital Information Bill after a lengthy consultation process. The Bill was ‘paused’ after the new DCMS Secretary of State, Michelle Donelan, hinted it would be changed. It is unclear what changes, if any, will be made to the Bill. Details of a further consultation are likely to be announced shortly.
  • National Cyber Strategy
    The government published a call for information on measures designed to enhance the security of online accounts, including those processing personal data.  These are described as a “Cyber Duty to Protect”, formulated as part of the National Cyber Strategy.  Responses will be used to develop proposals which will include appropriate security measures for account providers and organisations processing user account personal data.

In the EU

  • Data Governance Act
    The Data Governance Act came into force in June 2022 and will apply from 24 September 2023. It:
    • establishes conditions of re-use of certain categories of protected data held by public sector bodies, by a wide variety of stakeholders and for commercial or non-commercial purposes
    • provides for a notification and supervisory framework for the provision of data intermediation services
    • creates a framework for voluntary registration of organisations which collect and process data made available for altruistic purposes
    • establishes a Data Innovation Board.
  • Draft EC Data Act
    The EC published its draft Data Act. It clarifies who can create value from data (both personal and non-personal) and under what conditions. It is the second major legislative initiative of the European Strategy for Data and follows on from the Data Governance Act (see above), which created the processes and structures to facilitate data sharing. The Act is intended to unlock industrial data by giving business users access to data they contribute to creating, and giving individuals more control over all their data, not just personal data. This is focused particularly on data created using connected devices and related services, for example voice assistants. It is partially aimed at large-scale manufacturers and service providers of IoT products, who are likely to lose their data advantage to a degree. Third-party business users will not be able to use obtained data to develop directly competing products, but they will be able to use it to create other products and services. The Data Act is expected to come into force by mid-2024.
  • EC draft Regulation to create European Health Data Space
    As part of the European Strategy for Data, the European Commission published a Regulation to create a European Health Data Space. This is the first draft legislation on the proposed common European data spaces.  The aim is to give users control of their electronic personal health data, nationally and cross-border, as well as support their free movement by creating a genuine single market for electronic health record systems, relevant medical devices and high-risk AI systems and provide a consistent, trustworthy and efficient set-up for the use of health data for research, innovation, policy-making and regulatory activities.

    Individuals will have access to their electronic healthcare records and will be able to add information, rectify inaccurate data, restrict third-party access, and have oversight of how their data is used. Member States will be required to ensure patient summaries, prescriptions, images, image reports, lab results and discharge reports are issued and accepted in a common European format.  There will also be mandatory interoperability and security requirements. 
  • EC draft Cyber Resilience Act
    The European Commission published a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features.  It introduces mandatory cybersecurity requirements for products with digital elements throughout their lifecycle.  Manufacturers will be required to embed security by design and provide security support and software updates to address vulnerabilities.  There will be information requirements to inform consumers about the cybersecurity of products, and products will need to meet conformity assessments (subject to the type of product). The legislation is being introduced as part of the European Commission’s Cybersecurity Strategy introduced in December 2020. 
  • EC Digital Operational Resilience Act 
    The European Commission proposed the Digital Operational Resilience Act (DORA) in 2020.  DORA sets uniform requirements for the security of network and information systems of organisations operating in the financial sector and for critical third parties providing services to those organisations.  It was adopted by the Council and the European Parliament in November and will be published in the Official Journal shortly. It will have a 24-month implementation period.

Rest of World

  • A number of other countries updated their data protection regimes in 2022, including the UAE, Oman, Sri Lanka, China and Switzerland.  India didn’t manage to get its planned new legislation over the line and tabled a new Bill in November.
  • There are also global privacy initiatives. The 38 member countries of the Organisation for Economic Cooperation and Development (OECD) have adopted a ground-breaking framework for how governments access personal data held by companies. By providing a common standard for democratic rule-of-law-based countries, the Declaration on Government Access to Personal Data Held by Private Sector Entities seeks to promote trust in the increasingly complex international data transfer landscape. Although not legally binding, the OECD framework could assist companies in transferring personal data to certain jurisdictions. In moving data to OECD countries, businesses could leverage the framework to help justify their decisions – particularly with regulators.
  • And at the second International Counter Ransomware Initiative Summit, 36 countries including the UK and US as well as the EU committed to developing coordinated guidelines on preventing and responding to ransomware attacks.  There are plans to establish an International Counter Ransomware Taskforce to share knowledge and resources, and to coordinate on enforcement in line with national law and policy.

EU proposal for ‘European Health Data Space’

As part of its ‘European Strategy for Data’, the European Commission has published a proposal to create a ‘European Health Data Space’ of centralised and accessible electronic health records (‘EHR’).

The primary motivation for this proposal is the Covid-19 pandemic, which highlighted that the EU does not have a centralised platform for the health records of EU citizens, with the result that data was not available to practitioners and authorities across the EU. This had consequences when citizens travelled to other countries within the EU.

The secondary motivation is the perceived barrier to the use of health data for secondary purposes such as research, policy making and the development of medicines.

The industries and sectors that will be affected are:

  • Health care providers in the EU (both public and private)
  • Manufacturers and suppliers of EHR systems
  • Wellness providers (apps, devices, etc.)
  • Any entity (either private or public) processing electronic health data in the EU, such as service providers
  • Health investigators and pharmaceutical companies
  • Entities that wish to make use of health data for other secondary purposes (e.g., insurance companies, providers of health IT devices)

For the avoidance of doubt, the above applies to the EU, but not the UK.

New court decision about SARs

In a preliminary decision, the European Court of Justice (CJEU) has delivered an opinion relating to the right of access under Article 15(1) GDPR.

An individual, (JM), was seeking information about the identity and positions of people who had accessed JM’s personal data at the Bank (at which JM was both an employee and a customer).  The Bank refused to provide the information arguing that the right of access does not apply to log data of the Bank’s data processing system that recorded which employees had access to the customer data and at what times. The court decided that:

  1. The employees acting on the Bank’s (the controller’s) instructions could not be regarded as recipients of the personal data.
  2. The GDPR does not give the data subject the right to know the identity of the employee(s) who accessed their personal data under the authority and/or instructions of the relevant data controller.

Comment: This decision is good news for organisations in receipt of Subject Access Requests (SARs). It shows that courts are prepared to limit what information can be obtained via SARs and that requests that are intended to identify who has accessed personal data can be refused.

UK government code of practice for app store operators and developers

On 9 December 2022, the Department for Digital, Culture, Media and Sport (DCMS) published a new voluntary code of practice for app store operators and app developers. The Code sets out minimum security and privacy requirements in the form of 8 principles. In summary the eight principles are as follows:

Principle 1: ensure only apps that meet the code’s security and privacy baseline requirements are allowed on the app store. 

Principle 2: ensure apps adhere to baseline security and privacy requirements.

Principle 3: implement a vulnerability disclosure process. 

Principle 4: keep apps updated. 

Principle 5: provide important security and privacy information to users in an accessible way.

Principle 6: provide security and privacy guidance to developers. 

Principle 7: feedback for developers. 

Principle 8: ensure appropriate steps are taken when a personal data breach arises. 

There will be a nine-month period for app store operators and app developers to adhere to the Code which will be reviewed and, if necessary, updated no later than every two years in light of technological developments.

Some of the above principles are already mandated through existing legislation, including data protection law. The government will now consider how any of the Code’s requirements that are not already mandated in law could be legislated for.

€5m fine for cookie consent failings

In France, the CNIL (equivalent to our ICO) continues its scrutiny of cookie consent practices and has fined TikTok €5m for breaches of ‘cookie law’ on the basis that:

  • TikTok’s consent mechanisms did not allow users to refuse cookies as easily as accepting them, and
  • TikTok did not give users sufficiently precise information about the purposes of the different cookies.

The CNIL focused on the fact that while there was an ‘accept all’ button, there was no ‘reject all’ button. Also, several steps were required to reject cookies.

Comment: In the UK, there is no specific requirement for a website to have ‘Accept’ and ‘Reject’ buttons for cookies. However, there is a requirement to make it easy for users to reject cookies, and a ‘Reject’ button is arguably the best way to do this (and is increasingly being adopted by many organisations in the UK and elsewhere). If you would like to discuss your website’s cookie compliance, let us know.
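As an added illustration (not code from the bulletin, the CNIL, Apple or TikTok), the following JavaScript models the consent rules behind both the Apple and TikTok findings above: no non-essential identifier or cookie is stored before an explicit opt-in, defaults are ‘off’, and accepting, rejecting and withdrawing each take a single action. It also includes a small static check of a banner description for the two failings the CNIL cited (pre-checked defaults and rejection costing more steps than acceptance). The cookie names, category names and banner descriptors are constructed for this example and are assumptions, not the real App Store or TikTok interfaces.

```javascript
// Added example, not the bulletin's own code. Models consent gating for
// non-essential cookies/identifiers plus a static audit of a consent banner.

// Non-essential purposes (constructed). Anything not strictly necessary for
// the service the user asked for falls into one of these and needs consent.
const NON_ESSENTIAL = ["analytics", "advertising"];

function createConsentStore() {
  // consent === null means "no choice recorded yet", which is treated as refused
  return { cookies: new Map(), consent: null };
}

function hasConsent(store, category) {
  return store.consent !== null && store.consent[category] === true;
}

// Strictly necessary storage (session id, CSRF token, the consent record itself)
// is exempt; everything else is refused until the user has opted in. The same
// rule applies to any stored device or user identifier, not only HTTP cookies.
function setCookie(store, name, value, { essential = false, category = null } = {}) {
  if (!essential) {
    if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!hasConsent(store, category)) return false;
  }
  store.cookies.set(name, { value, essential, category });
  return true;
}

// Withdrawal must actually stop processing: drop what was stored under that purpose.
function purgeCategory(store, category) {
  for (const [name, c] of store.cookies) {
    if (!c.essential && c.category === category) store.cookies.delete(name);
  }
}

function recordChoice(store, choices) {
  // Only an explicit true counts as consent; absent or pre-set values do not.
  store.consent = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, choices[c] === true]));
  for (const c of NON_ESSENTIAL) if (!store.consent[c]) purgeCategory(store, c);
  // The consent record is strictly necessary, so it may always be stored.
  setCookie(store, "consent", JSON.stringify(store.consent), { essential: true });
}

// One action each: symmetric accept / reject, and later withdrawal per purpose.
function acceptAll(store) {
  recordChoice(store, Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])));
}
function rejectAll(store) {
  recordChoice(store, {});
}
function withdraw(store, category) {
  recordChoice(store, { ...(store.consent || {}), [category]: false });
}

// Static check of a banner descriptor (shape is an assumption for this example):
// defaults: which purposes are pre-checked; actionsToAccept / actionsToReject:
// clicks needed for each choice; purposes: per-purpose text shown to the user.
function auditBanner(banner) {
  const findings = [];
  const preChecked = Object.entries(banner.defaults || {})
    .filter(([cat, on]) => NON_ESSENTIAL.includes(cat) && on === true)
    .map(([cat]) => cat);
  if (preChecked.length > 0) {
    findings.push(`pre-checked non-essential defaults: ${preChecked.join(", ")}`);
  }
  if (banner.actionsToReject > banner.actionsToAccept) {
    findings.push(`rejecting takes ${banner.actionsToReject} actions, accepting takes ${banner.actionsToAccept}`);
  }
  if ((banner.purposes || []).some((p) => !p.description)) {
    findings.push("a purpose is listed without a description of what it does");
  }
  return findings;
}

// Constructed banner descriptors for the audit (illustrative, not real UIs).
const FAILING_BANNER = {
  defaults: { advertising: true },
  actionsToAccept: 1,
  actionsToReject: 3,
  purposes: [{ id: "advertising" }],
};
const COMPLIANT_BANNER = {
  defaults: {},
  actionsToAccept: 1,
  actionsToReject: 1,
  purposes: [{ id: "advertising", description: "Personalised ads on this site" }],
};

// Stand-alone run: show gating before and after a choice, and both audits.
const store = createConsentStore();
console.log("analytics cookie before consent:", setCookie(store, "_ga", "x", { category: "analytics" }));
acceptAll(store);
console.log("analytics cookie after accept:", setCookie(store, "_ga", "x", { category: "analytics" }));
withdraw(store, "analytics");
console.log("analytics cookie survives withdrawal:", store.cookies.has("_ga"));
console.log("failing banner findings:", auditBanner(FAILING_BANNER));
console.log("compliant banner findings:", auditBanner(COMPLIANT_BANNER));
```

The point of the model is that ‘no choice yet’ is indistinguishable from ‘refused’, and that withdrawal purges what was stored rather than merely flipping a flag. Run it with `node consent.js`.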

Further reading:

09th January 2023 Threat Bulletin
