
GDPR GAZET

01/22


01     Does Google Analytics violate the GDPR?

In a perceptive decision published on 13 January 2022, the Austrian Data Protection Authority found the use of Google Analytics on an Austrian website to be in breach of the GDPR.

The proceedings in question were initiated following a complaint from NOYB, the NGO of privacy activist Max Schrems, which filed no fewer than 101 identical model complaints throughout the EEA following the Schrems II judgment.

The first decision on this now appears to have been taken by the Austrian data protection authority against the operator of an Austrian website for using Google Analytics. 

Due to the implementation of Google Analytics, personal data is transferred via the website of the Austrian company to Google's servers in the United States. Since Google qualifies as an electronic communications service in the US, it is subject to US surveillance regulations that allow national intelligence services to access or allow access to data managed by US companies, including personal data of Europeans.

Pursuant to Schrems II, a Transfer Impact Assessment must be carried out to determine which additional measures must be taken to keep the processed personal data secure.

The HTTPS and additional Google encryption put forward by Google were regarded as insufficient, partly because Google itself holds the cryptographic key. Google's review of actual access by US government services with associated reporting to customers, and Google's published policies and transparency reports, were all regarded as insufficient. The IP address anonymization that Google optionally provides was also regarded as insufficient protection.

Conclusion

This decision indicates that the use of American cloud applications is not simply permitted if personal data is processed. In 2021, a similar decision was already taken by a German supervisory authority where it deemed the use of MailChimp by a German company unlawful because personal data was stored in the US without the company having carried out a transfer impact assessment.


Carrying out an analysis of the tool and the possible risks it entails and taking additional security measures is thus required, even for tools such as Google Analytics and Mailchimp.

02     Decisions of the GBA, an overview


Reprimand despite infringement in answering a deletion request

(Decision 01/2022 of 3 January 2022)


Facts:

After a request to delete his data, a person still receives e-mails with vacancies from an employment agency and decides to file a complaint with the GBA. In addition, the employment agency had also created an account for this person on its new online platform.


The GBA decides that following a job application, the company can include the contact details of the job seeker on a contact list and may contact this person with future vacancies.


Failure to comply with a data erasure request

Despite several requests and an explicit confirmation that the data had been deleted, the complainant continued to receive emails from the employment agency.

The temporary employment agency does not deny the error, but states that the internal procedure for deleting data was not followed due to human error. Because this appears to be a one-off incident, and the temporary employment agency has already apologized to the complainant and confirmed that the data has now been deleted, the GBA limits itself to issuing a reprimand.

Can an account be created for existing customers on a new online platform? 

With regard to the creation of an account in the name of the complainant, the employment agency states that since 2020 it has been working with an application portal that is operated by the candidates themselves. For candidates already registered at that time, such as the complainant, an account was automatically created and activated for this purpose, about which they were informed by e-mail. For this processing, the employment agency relies on the performance of the agreement with the job seekers, just as it does for sending the vacancy e-mails. The Litigation Chamber notes that the employment agency cannot provide proof that the necessary information was sent by e-mail prior to the creation of the account, but also notes that the portal site is a service that the complainant could expect in a modern online environment, in particular given the privacy statement available at the time of his (online) registration for the services of the job broker in April 2019.


The Litigation Chamber also points out that the complainant does not provide any evidence of his first (oral) request for data erasure, although the privacy statement explicitly refers to the online portal and two functional email addresses for exercising GDPR rights. Under these circumstances, the Disputes Chamber finds that the personal data of the complainant were transferred to the new portal site of the employment agency in the context of its services before his written request for data to be erased, about which the complainant was informed when he registered. After all, the written request for data erasure only came in response to the notification via e-mail to the complainant that an account had been created for him on the portal site in March 2020. The Disputes Chamber has dismissed the complaint regarding the possible violation of the lawfulness and transparency principle for the processing consisting of the creation of the account.

Conclusion

This decision again shows that, when determining a sanction after establishing violations of the GDPR, the DPA attaches great importance to a company being able to demonstrate that it had implemented written internal GDPR procedures. The infringements were only punished with a reprimand.

The importance of correct information with cookies

(Decision 11/2022 of January 21, 2022)

On January 21, 2022, the Disputes Chamber of the GBA again ruled on the requirements regarding the use of cookies, this time in a cross-border case. The procedure was initiated following a complaint lodged in 2018 with the Berlin regulator (Berliner Beauftragte für Datenschutz und Informationsfreiheit). After receiving the complaint via its German counterpart, the Disputes Chamber requested a further investigation by the Inspectorate, after which the proceedings on the merits could commence on 29 April 2020.

Subject of the complaint


In the complaint, the complainant expresses his dissatisfaction with the defective functioning of the advertising preferences page on the website 'YourOnlineChoices' of the European Interactive Digital Advertising Alliance (EDAA). This website allows internet users to manage their advertising preferences with regard to the participating companies (including, for example, Google, Amazon and Facebook). More specifically, the user can centrally manage his or her advertising preferences via a specific page on the aforementioned website by enabling or disabling 'interest-based advertising' for specific or all affiliated companies. This choice then has an effect on further surfing sessions via the same browser.

However, the complainant argues that the opt-out feature did not work for many participating companies that allow advertising preferences to be managed through EDAA's website (when selecting the 'off' option, the setting would automatically be reset to 'on'). According to the complainant, the consent is therefore not freely given within the meaning of the GDPR and would not meet the requirements for withdrawing consent. In addition, the YourOnlineChoices website would require visitors to accept cookies before selecting their advertising preferences. The complainant specifically objects to a cookie that informs EDAA whether or not the user's browser accepts the placement of third-party cookies.

Consent requirement for cookies and information obligation


The complaint, the preliminary investigation and the statements of EDAA itself showed that the disputed cookie "third_party_c_t" (now no longer in use) was placed immediately upon visiting the homepage of YourOnlineChoices, before the information required under Article 13 GDPR had been provided through the cookie banner. The function of this cookie is to check whether the visitor's browser accepts the use of third-party cookies. EDAA tries to justify the immediate placement of this cookie without prior information with the following arguments: that the cookie was placed for technical reasons before the information banner appeared, that the visitor first had to choose a language in order to then receive the information in that language, and that the privacy impact for the data subject of the cookie in question was low.

However, the Disputes Chamber firmly dismisses these arguments. First, it clarifies that the prior information obligation applies to all types of cookies (including strictly necessary cookies), regardless of their impact on the rights of data subjects with regard to the protection of their personal data. It argues that if the visitor has not yet chosen a language, it is appropriate in this case to initially display a notification about the use of cookies in English, as the language commonly used on the Internet, until the data subject selects their actual language. In general, the Litigation Chamber points out that the information required under the GDPR must be written in a language that is easy to understand for the target audience for whom a website is intended.

The Litigation Chamber finds a further breach of the information obligation as the cookie banner on the website did not contain a direct link to the required information about the use of cookies, but instead referred generally to the organization's privacy statement. Since this has been rectified in the meantime, the Litigation Chamber deems this infringement no longer relevant. The Disputes Chamber hereby also refers to the following recent guidelines on cookie use from the CNIL, which it indicates its agreement with, so that it is recommended to include these elements as a website manager as much as possible as the first layer of information in the cookie banner:

“Placing a link to the general terms of use is not enough.

At a minimum, the following information should be provided to users in advance to ensure that their consent is informed:

- the identity of the person(s) responsible for data processing via cookies;

- the purpose of the data processing via cookies;

- how to accept or refuse cookies;

- the consequences of refusing or accepting cookies;

- the existence of the right to withdraw consent.”

In addition, EDAA's privacy statement did not explicitly mention the right of data subjects to withdraw their consent, but only informed them about the possibility to delete cookies. EDAA amended this, so that no infringement was retained on this point. An explicit statement to the data subject of the right to withdraw consent is therefore appropriate, both for the use of cookies and for the processing of personal data in general.

Incomplete processing register

The Litigation Chamber also examined EDAA's processing register, which shows that EDAA uses various American processors that provide cloud services. However, the third countries to which transfers of personal data take place were not explicitly included in the processing register itself. Only a cross-reference to the relevant agreements with these processors could be found in the register, under the argument that this allows reference at all times to complete and up-to-date information, which may depend on the servers used and the specific services taken from the processors. The Litigation Chamber considers this insufficient and strongly recommends that the third countries to which transfers of personal data take place can be easily identified in the processing register itself. The organization is therefore ordered to supplement its processing register. It is remarkable that, despite its reference to the Schrems II case law, the Disputes Chamber does not further discuss the legality under the GDPR of these transfers of personal data to the US and any other third countries.

Complaint: non-functioning advertising preferences and mandatory use of cookies

The Litigation Chamber finds that the tool to select advertising preferences on the YourOnlineChoices website did not function properly for the complainant because he used ad blocking software. Both the Ad Preferences page itself and the EDAA Terms of Use state that this may prevent the Ad Preferences Tool from working properly. The test of the tool recorded in the inspection report did not show that it worked incorrectly.

In line with the EDPB's position, the DPA nevertheless expressly opposes so-called "cookie walls". Access to an application, website or other services or benefits may therefore not be denied because a user refuses to agree to the use of cookies that are not strictly necessary.

Finally, the Disputes Chamber reiterates that an "all or nothing" choice with regard to cookies cannot constitute valid consent, and that a more specific choice must be possible (at least per type of cookie, and possibly in a second layer also per individual cookie).
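The rules applied in this decision (no cookie before the first-layer information, an English banner until a language is chosen, per-category rather than all-or-nothing choice, withdrawal as easy as consent, no cookie wall) translate into a small amount of front-end logic. The following is an added illustration and not code from the newsletter, the GBA or EDAA: an in-memory consent-gated cookie jar that stands in for `document.cookie` so it runs outside a browser. The category names, cookie names and the `ConsentJar` class are constructed for the example.

```javascript
// Added illustration (not code from the newsletter, the GBA or EDAA): a small
// consent-gated cookie jar modelling the rules the Disputes Chamber applies.
// It stands in for document.cookie so it can run outside a browser; category
// and cookie names below are constructed for the example.

// Assumed cookie categories; only "necessary" may be set without consent.
const CATEGORIES = ["necessary", "analytics", "advertising"];

class ConsentJar {
  constructor() {
    this.informed = false;    // has the first-layer cookie information been shown?
    this.consent = null;      // null until the visitor records a per-category choice
    this.cookies = new Map(); // name -> { value, category }
    this.blocked = [];        // audit trail of refused cookie placements
  }

  // The information obligation applies to every cookie, strictly necessary ones
  // included, so nothing may be placed before this has been called. If the
  // visitor has not chosen a language yet, the banner is shown in English.
  showInformation(language) {
    this.bannerLanguage = language || "en";
    this.informed = true;
    return this.bannerLanguage;
  }

  // Granular choice: one decision per category, never "all or nothing".
  // Page content stays reachable whatever the choice (no cookie wall).
  recordChoice(choices) {
    const consent = { necessary: true };
    for (const cat of CATEGORIES) {
      if (cat !== "necessary") consent[cat] = choices[cat] === true;
    }
    this.consent = consent;
    this.purge();
    return consent;
  }

  // Withdrawal must be as easy as giving consent; cookies of the withdrawn
  // category are removed immediately. Necessary cookies cannot be withdrawn.
  withdraw(category) {
    if (this.consent === null || category === "necessary") return false;
    this.consent[category] = false;
    this.purge();
    return true;
  }

  // Returns true if the cookie was placed, false (and records why) if refused.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    let reason = null;
    if (!this.informed) {
      reason = "information not yet provided";
    } else if (category !== "necessary") {
      if (this.consent === null) reason = "no choice recorded yet";
      else if (!this.consent[category]) reason = `category ${category} refused`;
    }
    if (reason !== null) {
      this.blocked.push({ name, category, reason });
      return false;
    }
    this.cookies.set(name, { value, category });
    return true;
  }

  // Drop every non-necessary cookie whose category is no longer consented to.
  purge() {
    for (const [name, c] of this.cookies) {
      if (c.category !== "necessary" && !(this.consent && this.consent[c.category])) {
        this.cookies.delete(name);
      }
    }
  }

  has(name) {
    return this.cookies.has(name);
  }
}

// Walk through a visit in the order the decision describes.
function demoVisit() {
  const jar = new ConsentJar();
  jar.setCookie("third_party_check", "1", "analytics"); // refused: nothing shown yet
  jar.showInformation();                                 // banner in English first
  jar.setCookie("session", "abc", "necessary");          // allowed once informed
  jar.setCookie("_analytics_id", "42", "analytics");     // refused: no choice yet
  jar.recordChoice({ analytics: true, advertising: false });
  jar.setCookie("_analytics_id", "42", "analytics");     // allowed
  jar.setCookie("ad_profile", "xyz", "advertising");     // refused: category off
  jar.withdraw("analytics");                             // analytics cookie removed
  return jar;
}

module.exports = { CATEGORIES, ConsentJar, demoVisit };
```

The `blocked` list is the useful part for a site operator: a non-empty entry with the reason "information not yet provided" is exactly the situation the Disputes Chamber sanctioned, so wiring such a check into the site's test suite catches a tag that fires before the banner.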

Decision

For the established infringements, the Litigation Chamber limits itself to ordering EDAA to supplement its processing register and issuing a reprimand for the infringements of the transparency obligation in the context of the use of cookies.

A database of Twitter messages may not be shared just like that

(Decision 13/2022 of January 27, 2022)

In a second cross-border case, the GBA Litigation Chamber has imposed a fine on EU DisinfoLab, an NGO that fights disinformation (EUR 2,700), and on one of its researchers (EUR 1,200) for breaches of the GDPR committed as part of an investigation into the political origins of tweets emanating from 55,000 Twitter accounts related to the French "Benalla affair". The sanctions relate, on the one hand, to the political profiling of the authors of the tweets analyzed and, on the other hand, to the publication of various files containing the raw and sometimes sensitive data of the investigation.

The procedure was triggered by more than 200 complaints lodged with the GBA and the French CNIL following an analysis published by the NGO aimed at identifying the political origins of tweets circulating about the "Benalla affair". Alexandre Benalla is the former bodyguard of French President Emmanuel Macron, and was discredited after, among other things, he illegally passed himself off as a police officer during the 1 May 2018 demonstration of the labor movements in Paris.

Since the NGO that conducted the controversial investigation is based in Belgium, the GBA acts as the lead supervisory authority and the CNIL as the "concerned" supervisory authority. Specifically, the disputed processing concerns, on the one hand, the reuse of personal data of 55,000 Twitter users to carry out the study (in which more than 3,300 accounts were politically classified), and, on the other hand, the online publication by the NGO and its researcher of files containing the raw (non-anonymised) data from the study.

The Litigation Chamber points out that the fact that personal data are publicly available on social networks does not mean that they lose protection under the GDPR. However, the Litigation Chamber recognizes that the journalistic exception made it possible for the NGO, as a controller working in the journalistic sphere, to carry out the study in order to publish it and to participate in the public debate on the Benalla affair, without having to provide the information referred to in Article 14 GDPR individually to the data subjects. The Litigation Chamber is of the opinion that the NGO was exempted from its obligation to inform the account owners individually and in advance about the personal data processed for the study, because this could have jeopardized the study and its subsequent publication.

However, the Disputes Chamber does have problems with the way in which accompanying documents were published online in support of the investigation. When the integrity of the research was questioned, the NGO and its researcher made files with raw data available online to prove that the research had been conducted correctly, without taking minimal security measures, such as pseudonymizing the personal data contained therein or restricting access to the files. Specifically, these files contain non-anonymous information about the political affiliation, religious affiliation, ethnic origin and sexual orientation of the persons whose Twitter accounts were analyzed in the context of the research. The Litigation Chamber notes that, despite no malicious intent, such publication entails the risk that those involved would be discriminated against or discredited. According to the Litigation Chamber, the publication of non-anonymised or non-pseudonymised sensitive data in this context can only take place with the consent of the authors of the tweets analyzed. Without consent or effective anonymization or pseudonymization, there is therefore a disproportionate violation of the rights of the authors of the tweets involved, for which there can be no legal basis. The Disputes Chamber also adds that an individual assessment per person involved between the right to journalistic freedom of expression and the right to data protection was not possible in view of the large number of Twitter accounts involved (55,000).

The Litigation Chamber therefore establishes violations of various GDPR obligations, such as the lawfulness of the processing, the transparency principle and the security obligation. This leads to a fine of EUR 2,700 for the NGO and EUR 1,200 for the researcher involved personally. In addition, a reprimand is issued. In determining the sanctions, the Litigation Chamber took into account the fact that the defendants are a small non-governmental non-profit organization and a natural person respectively.

03     EDPB: New guidelines on data breaches and right of access

New data breach guidelines

On January 3, 2022, following a public consultation, the European Data Protection Board (EDPB) published the second version of its guidelines on concrete examples of the GDPR obligation to notify data breaches. The guidelines supplement the previous Working Party 29 general guidance on data breach notifications, which was published in the run-up to the GDPR.

The guidelines aim to assist controllers and DPOs in handling data breaches and provide factors that they should take into account when making the necessary risk analyses. The EDPB does this through a hands-on, case-based approach built on typical cases from the collective experience that supervisory authorities have accumulated with data breach notifications so far. In no fewer than 18 detailed examples, the EDPB elaborates on the risk analyses that organizations must perform when a data breach occurs and the reporting obligations that may follow, towards the competent supervisory authority on the one hand and the data subjects themselves on the other. This is in addition to the internal documentation of the data breach, which must take place in any case, even where there is no risk for those involved. The EDPB also provides possible mitigating measures for different types of data breaches. In this way, the guidelines give more substance to the relatively abstract approach of Articles 33-34 GDPR, which impose a risk-based reporting obligation on controllers without offering much practical guidance.

The EDPB addresses in turn data breaches due to ransomware attacks, data exfiltration, internal human sources of risk, loss or theft of devices and physical documents, internal human errors in data transmission due to negligence, and social engineering. In each case, it indicates whether, in the light of the specific facts, internal registration of the incident is sufficient, or whether a report to the supervisory authority and, if necessary, to the data subjects is required. In doing so, it takes into account, among other things, the nature and sensitivity of the leaked data, the context in which they are processed, the number of affected data subjects, the preventive measures taken, and the available or recommended mitigating measures. Due to its concrete approach, the document provides useful guidance for data controllers and their DPOs and/or internal data protection officers.

New guidelines on right of access on the way

At its January 2022 plenary session, the EDPB adopted guidelines on the right of access. These are intended to support controllers in responding to access requests from data subjects by providing concrete examples. They discuss, among other things, the scope of the right of access, the data to be provided to the data subject, and the question of when requests are unfounded or excessive. The text is currently undergoing the necessary verifications and will soon be made available on the EDPB website for a 6-week public consultation during which comments can be submitted.

04     newsflash

  • The EDPB has had a study performed on government access to personal data in China, India and Russia. Not surprisingly, the conclusion was that these countries, just like the US, do not offer an adequate level of protection, which means that the transfer of personal data to these countries requires additional measures.

  • The EDPB has issued a statement reiterating its commitment to ensuring the harmonized application of data protection rules throughout the EEA. This statement comes after the EDPB received letters from French organizations requesting a consistent interpretation of the cookie consent requirement. Partly for this reason, the EDPB has also recently set up a specific task force to coordinate the handling of complaints about cookie banners across the EU. NOYB has recently filed 422 complaints over potential breaches in cookie banners that it identified automatically on European websites using its own tool.

  • The European Data Protection Supervisor (EDPS) has issued a reprimand to the European Parliament because its corona testing website does not comply with the GDPR. For example, when placing cookies from American service providers such as Google Analytics and payment provider Stripe on the website, a Transfer Impact Assessment must now be carried out. In addition, the cookie banner was not sufficient and access requests were not handled correctly. In addition to the reprimand, the European Parliament was ordered to adjust the website.

  • Since mid-2021, infringement proceedings against Belgium have been pending before the European Commission in connection with the potential lack of independence of the Data Protection Authority. Certain members of the GBA are also closely involved in other government projects that the GBA has to monitor. For this reason, 20 lawyers affiliated with the law faculties of various Belgian universities have published an opinion piece in which they call for the establishment of an independent data protection authority in Belgium. Belgium may soon have to answer to the Court of Justice of the EU for the potential lack of independence of the GBA.


Let's Work Together

If you have any questions about GDPR or if you want to know more about our services, please feel free to contact us for a no-obligation discussion via olivier@misterfranklin.be