Following the positions expressed by the Austrian, German and French Supervisory Authorities (see our previous Alert), the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali, the Garante) published on 9 June 2022 a specific measure, according to which website analytics solutions used to measure online audience (Analytics Service Solutions) infringe the EU General Data Protection Regulation no. 2016/679 (GDPR) when their use implies a transfer of personal data to a third country without an adequate level of personal data protection, such as the United States. Generally speaking, the Garante aligned its position on the matter with that of its counterparts.

In the case at hand, following an investigation initiated in August 2020 on the basis of a data subject complaint, the Garante admonished (without issuing a fine) an online newspaper (the “Company”) for transferring, through an Analytics Service Solution, the personal data of its users to the U.S. without adopting the necessary safeguards. In particular, the Garante pointed out that the Company had no autonomy in making choices regarding data transfers to third countries, and “no possibility to verify the implementation at technical level” of any additional measures the Analytics Service Solution would dictate.

In particular, the Garante took a position on a controversial topic relating to the characterization of an internet protocol (IP) address: according to the Garante, the IP address should be deemed personal data inasmuch as it allows the identification of an electronic communication terminal and, therefore, indirectly, the identification of the user behind that terminal. This occurs, for instance, when users access a website while at the same time being logged in to the Analytics Service Solution provider’s own services (such as webmail), since the data transmitted by the website’s cookies may be reconciled with such service and account.

Furthermore, the Garante disregarded the “IP anonymization” functionality selected by the Company, considering that it would not be sufficient to prevent the identification of the user and, therefore, the transfer of actual personal data. According to the Garante, the partial truncation of the IP address amounted to mere pseudonymization, unable to prevent re-identification of the user when the Analytics Service Solution provider’s services are used.

In light of the above, the Garante reiterated the principle already established by the Court of Justice of the European Union (CJEU): under the GDPR’s accountability framework, EU-based data exporters are required to assess whether the regulatory framework or practices applicable to the data importer affect the effectiveness of the safeguards provided by the standard contractual clauses. In particular, the exporter must verify whether the public authorities of the third country can access the exported personal data through the importer. Generally speaking, data exporters subject to the GDPR must ensure, on a case-by-case assessment, that the safeguards set out under Article 46 GDPR et seq. are effective. Therefore, where compliance with the GDPR safeguards cannot be ensured, additional measures must be implemented to guarantee a level of personal data protection that complies with the GDPR. In addition, the Garante pointed out that, in the case at hand, the encryption key remained with the Analytics Service Solution provider and, reiterating what the European Data Protection Board had already stated in its Recommendations 01/2020, such loss of control over the encryption key prevented any organizational or technical measure from being considered adequate.

As a result of the investigations conducted, and deeming that the Company’s breach fell within the scope of Article 83(2) GDPR (“minor violation”), the Garante ordered the Company to comply with Chapter V GDPR within 90 days and, failing this, to cease any international data flow to the Analytics Service Solution.

In addition to the above, Mr. Guido Scorza, one of the Garante’s members, highlighted in a press release that this matter affects each and every website operator in Italy, all of which now have a 90-day deadline to comply with the issued measure.

WHAT’S NEXT?

All Italian website stakeholders must now review their Analytics Service Solutions and assess whether they fall within the scope of the Garante’s requirements.

  • Where such international data transfers effectively occur, the stakeholder should assess the best way forward. If their Analytics Service Solution does not offer sufficient safeguards, and following the similar recent decision by the French Supervisory Authority, Italian stakeholders may notably consider implementing IT solutions such as encryption and proxy servers.

The K&L Gates Global Data Protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at a global level.

First Publication: K&L Gates Hub in collaboration with Eleonora Curreri

The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

  • The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
  • Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
  • More exemptions from the requirement to obtain consent to cookies.
  • Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

First Publication: K&L Gates Cyber Law Watch in collaboration with Noirin McFadden & Keisha Phippen

On 29 June 2022, Decree n° 2022-946 (the “Decree”) supplemented the regulatory framework resulting from Ordinance n° 2021-1247 of 29 September 2021 on the legal warranty of conformity for goods, digital content and digital services (the “Ordinance”). Stakeholders have until 1 October 2022 to implement the following measures, aimed at protecting consumers of digital goods.

1. General information about the Ordinance

Implementing two 2019 European directives on certain aspects of contracts for the supply of digital content and digital services and contracts for the sale of goods (respectively Directives (EU) 2019/770 and 2019/771 dated 20 May 2019), the Ordinance aimed to foster the safety of consumers when purchasing both physical and digital goods and, to a lesser extent, to reduce the environmental impact of digital goods.

This Ordinance amended the French Consumer Code in depth, notably by expanding the legal warranty of conformity, which now covers digital products and services and applies to both B2C and B2B contracts, the latter when executed between professionals and non-professionals (i.e. legal entities acting outside of their direct professional activities).

2. Decree specifications

The Decree supplements the regulatory provisions already in force concerning the legal warranty of conformity for digital content and digital services.

It enshrines the general pre-contractual information obligation, requiring the professional seller to disclose to the consumer and the non-professional the existence of the legal warranty of conformity and how it is implemented.

For that purpose, standard boxes describing these warranties are to be inserted in the general terms and conditions. As with physical goods, the purchaser of a digital good, content or service that is not compliant with the warranty of conformity has a two-step remedy:

  • If the digital good can be brought into conformity, it must then be (i) repaired or replaced, (ii) free of charge, (iii) without causing major inconvenience for the purchaser and (iv) within a reasonable period of time (within 30 days).
  • If the previous conditions are not met, the purchaser can obtain a price reduction, or terminate the contract and obtain a refund.

Will the addition of these standard boxes lead to a more informed consumer? Given the inability to ensure that terms and conditions are actually read, and since consumers are being loaded with an even more substantial set of compliance information, the objective seems unlikely to be achieved.

Moreover, the Decree also clarifies the requirements for informing the purchaser about software updates for digital goods and services, including the period during which such updates will be available.

The producer of such digital goods or services will be required to communicate to the seller all information concerning the compatibility of the updates with the functionalities of the digital goods or services. In addition, if the purchaser provided a benefit instead of, or in addition to, a price (e.g. free access to an option of a mobile application), the professional seller will now be compelled to indicate in their general terms and conditions how the professional seller benefits from it (e.g. use of personal data). If the purchaser’s personal data is used in this context, the professional seller is required to specify how that data is processed for advertising or commercial purposes. This position seems counterintuitive considering the trend among European Union data protection authorities to dismiss information lodged in terms and conditions and to require a dedicated privacy policy instead.

Furthermore, the producer will be required to inform the seller (who will then need to convey such information to the purchaser) about the consequences of the updates necessary for the proper operation of the software supporting the digital good, both in a generally intelligible manner and free of charge.

Conclusion

In order to comply with this new Decree, companies now have three months left to update their B2C terms and conditions. While the initial intent of these regulatory changes was to protect consumers, we can nonetheless wonder whether these additional compliance requirements will effectively drive a meaningful positive impact for consumers or instead add yet another layer of complexity and contribute to information fatigue.

The K&L Gates Global Data Protection team, including each of our European offices, remains available to assist you.

First publication: K&L Gates Hub, in collaboration with Camille Scarparo & Louise Bégué

Individuals who had difficulties obtaining responses to their data subject access requests (DSARs) from French telephone operator Free Mobile filed several complaints with the French data protection authority (CNIL). These requests related to accessing their personal data and objecting to receiving direct marketing messages by electronic means. After its investigations, the CNIL imposed a fine of €300,000 on Free Mobile on 28 December 2021.


Following the 2020 Court of Justice of the European Union’s (CJEU) ruling invalidating the Privacy Shield (see our alert here), personal data transfers from the European Union to the United States required EU companies to implement additional safeguard mechanisms, as the CJEU considered that U.S. legislation did not provide sufficient guarantees against the risk of access by public authorities (including intelligence services) to the imported data.


Over the past decade, influence marketing has changed the way advertising is handled by companies. Influencers have entered the marketing world by leveraging massive followings on social media platforms, and brands have recognized the value of the new category of advertising professionals.

Even though the use of influencers has become a mainstay of advertising, French legislation has yet to meet this evolution, resulting in an often opaque legal framework.

The broadly scattered provisions applicable to influencers also make it difficult to understand influencers’ legal status, in particular when they are underage. This notably raises the question of whether influencers are employees of the brands they advertise for—and therefore subject to labor law—or whether they should be considered independent contractors, with their relationship with brands governed by commercial legislation.

Such an opaque legal framework raises questions about the applicable regime, as well as the legal status of influencers. Even though there is no specific regime for influencers, recent legislation was adopted in order to protect child influencers (see our alert here).


In the Queen’s speech at the state opening of parliament on 10 May 2022, the UK government announced its intention to change the UK’s data protection regime in a new Data Reform Bill. This follows a consultation last Autumn on how the UK GDPR could be reformed following the UK’s exit from the European Union (EU).

The government claims that the new Bill would:

  • Create a data protection framework focused on “privacy outcomes” that would reduce the burdens on businesses, and a “clearer regulatory environment” to encourage “responsible innovation”.
  • Ensure that citizens’ data is “protected to a gold standard”, while enabling more efficient sharing of data between public bodies.
  • Modernise the Information Commissioner’s Office and require it to be “more accountable to Parliament and the public”.

The Queen’s speech also announced plans to replace the Human Rights Act 1998, which incorporated the European Convention on Human Rights into UK law. According to the government a new “Bill of Rights” would “end the abuse of the human rights framework and restore some common sense to [the] justice system”. This would be achieved by “establishing the primacy of UK case law”, which means that UK courts would no longer be required to follow the case law of the European Court of Human Rights.

Taken together, both of these proposed new legislative measures could change the balance of protection of individuals’ rights in the UK, both generally and in the specific area of personal data regulation. Their development will be closely watched by data protection professionals, because any significant changes in the UK data protection regime could prompt the EU to review its post-Brexit UK adequacy decision, potentially leading to the end of decades of seamless transfers of personal data from the EU to the UK.

First publication on K&L Gates Cyber Law Watch in collaboration with Nóirín McFadden

WHAT YOU NEED TO KNOW IN A MINUTE OR LESS

Reported incidents of data breaches have reached record levels over the last two years.[1] Given this undeniable reality, a data security incident response plan is no longer a luxury; it is a vital tool in every company’s larger crisis management plan. A well-thought-out and thorough response plan can not only significantly reduce the confusion that often follows a data security incident, but can also reduce the pitfalls that often lead to regulatory scrutiny and putative class actions in the United States and the fairly recent “group actions” in the European Union.

In a minute or less, here are the essential components of a working incident response plan.

References

[1] Experian Data Breach Resolution. (2021). Eighth Annual Study: Is Your Company Ready for a Big Data Breach? Ponemon Institute.

‘Specialist in new technologies’, K&L Gates LLP’s team has an outstanding reputation for legal advice on innovative technologies and data-related concerns. Claude-Etienne Armingaud and Raphael Bloch are recognised as ‘exceptional lawyers who miss no details and who know their fields to perfection’. Claude-Etienne Armingaud has developed particular knowledge of multijurisdictional transactional matters dealing with IT outsourcing and data protection for blockchain and fintech, connected cars, and big data services.

Leading individuals: Claude-Etienne Armingaud – K&L Gates LLP

Practice head(s): Claude-Etienne Armingaud

Other key lawyers: Raphael Bloch


K&L Gates LLP has strong expertise in innovative systems, combining strength in technology, data protection and IP. Notably undertaking innovative and complex work, the team has advised on encryption and security software for Enigma Software/Cyclonis and secure GPS services for ICaune. Developing a focus on connected transport matters, the firm advises some of the biggest names in this growing area. Claude-Etienne Armingaud is the head of the practice.

Practice head(s): Claude-Etienne Armingaud
