Privacy Highlights December 2022

Microsoft fined €60 million by French regulator - CNIL - for imposing cookies on users without consent

The National Commission for Technology and Freedoms (CNIL) found that Microsoft's search engine Bing had not set up a system allowing users to refuse cookies as simply as accepting them. The investigation also found that one cookie (MUID) was set before any action was taken by the user.

The CNIL found that when users visited the site, cookies were deposited on their terminal without their consent, and that these cookies were used, among other things, for advertising purposes. This case offers guidance on the lawful use of multi-purpose cookies. Read more - Cookies: MICROSOFT IRELAND OPERATIONS LIMITED fined 60 million euros | CNIL

Spanish Data Protection Agency’s direct decision on the use of Google Analytics

The decision concerns the transfer of personal data to the US, post Schrems II, through the use of Google Analytics, under the GDPR. The complaint concerns the use of the Google Analytics tool on the website of the RAE (Royal Spanish Academy), which, as claimed, involves transferring personal data to Google LLC, an organization bound to US FISA laws (Us . In this case, which the AEPD investigated following a complaint filed by NOYB claiming that the use of Google Analytics is unlawful in light of US surveillance laws, the AEPD took a different stand from other EU Data Protection Authorities and decided to file and archive the complaint.

It is worth mentioning the specifics of this case, as noted in the decision:

  • RAE used the free version of the tool. 
  • Only the basic functions of Google Analytics were used, guaranteeing the minimization of the impact on the privacy of users so that there was no processing of information referring to identified or identifiable persons but only information added to.
  • RAE has not carried out any data processing related to the IP of the users. There are also no custom or user-defined variables.
  • In the present case, during the previous investigation proceedings it was found that RAE stopped using the Google Analytics tool shortly after learning of the Schrems II judgment.
  • In addition, RAE has never used information in order to identify users of its website.

It is also worth mentioning that the decision lacks any detailed analysis or elaborated reasoning, but it may be inferred that this late decision is at least partially influenced by recent EU-US updates, including President Biden’s order and the EU Commission draft on US adequacy. Read more - AEPD decision

Epic Games to pay $520 million in fines in FTC settlement

As claimed by the FTC, Epic has violated COPPA (Children’s Online Privacy Protection Act) and has agreed to pay $520 million: a $275 million penalty for violating children’s privacy law and $245 million in refunds for tricking users into making unwanted charges (also known as using ‘Dark Patterns’). Epic has also agreed to change its default privacy settings.

Considering ‘Privacy by Design’ principles, the FTC also took issue with Epic’s live text and voice communication features, which were set to be turned on by default. The FTC claims that children were exposed to harassment and abuse because of these features, especially since Epic had no way of making sure that children and adults would not be matched together in online play. Read the press release here.

Israel publishes draft regulations on transfer of EU personal data to Israel

The ‘Draft Privacy Protection Regulations (Instructions Regarding Information Transferred to Israel from the European Economic Area)’, promoted by the Ministry of Justice, are intended to establish provisions currently lacking from the Israeli Privacy Protection Law and regulations. They shall apply, in general, only to personal data transferred to Israel from the European Economic Area (including Iceland, Norway, and Liechtenstein), except for personal data that a person transfers directly about themselves.

The draft regulations are published against the backdrop of a review process conducted by the EU Commission in relation to Israel’s adequacy decision, granted to Israel by the EU in 2011, for the purpose of examining the renewal of that adequacy status. The proposed regulations establish four (4) obligations that shall apply to database owners in Israel:

  1. The obligation to erase personal data
  2. The restriction on the possession of unnecessary information (Retention obligation)
  3. The obligation to keep personal data accurate
  4. The obligation to notify.

Our firm has joined the firm ‘Bird and Bird’ and commented on the draft regulations. You can find the full text of the draft and our comment here.

The Israeli Privacy Protection Authority (the “PPA”) has imposed fines (320,000 NIS) on ‘Data Online’

The fines on ‘Data Online’ were imposed after 3 years of investigation and proceedings, in light of multiple violations by ‘Data Online’, among them failing to register its databases, unlawful collection of personal data and unlawful transfer of personal data to third parties. It is worth mentioning that this wasn’t the first rodeo for ‘Data Online’, which has been fined and warned before by the PPA. Read more

The PPA published a draft guidance regarding the change of control in a database

Key takeaways are as follows:
  • The new ‘owner’ may only use the database for the original purposes for which the data was collected.
  • If there is a change in those purposes, or the manner of use, new consent is required.
  • The optimal kind of consent, according to the PPA, is an explicit consent (Opt-In).
  • New consent might still be required if the new owner is materially different (in nature) from the previous owner, and where this may have an effect on the nature or purposes of the intended use of the data.

Read the full text here.

The PPA published a draft opinion regarding ‘privacy aspects in remote work’

The key takeaways are as follows:
  • As a default, using tools to monitor employees working remotely is allowed, on condition that the means taken are reasonable and adequate and serve a defined legitimate purpose, that the employees are notified and give their consent, and that sufficient security measures are taken.
  • No monitoring should be conducted outside of working hours.
  • It should be taken into account that third-party data subjects might also be monitored, and efforts should be made to minimize such effects.
  • The data minimization principle should be carefully considered.
  • The purpose limitation principle should be carefully considered.

Read the full text here.

The Ministry of Justice has published its opinion on the use of protected content in machine learning modules

The opinion, given in light of the rise of ‘Generative AI’, states that such use, for training purposes, would be considered as ‘fair use’, and thus shall not violate protected copyrights. The Ministry has also stated that such conclusions align with global approaches to the matter.

The opinion does not address the products and creations eventually made by the machine. If a creation is found to be in violation of copyrights, this opinion shall not be a shield. Read the full opinion here.
