November Privacy Roundup

Here's our newsletter on key developments from October and early November that affect your operational Privacy Governance. We sent this in mid-November; if you'd like this content in your inbox, just subscribe at the bottom of any page.

If you’ve ever thought ‘we’ll slightly delay the newsletter so we can cover this new bit of news, then we’ll close it off’, don’t do that… the torrent never stops!

Here’s our summary of massively impactful Privacy developments in October and early November, as always through the lens of practical impact at your organisation.

We’ve a technical decision on jurisdiction allowing Clearview to evade UK GDPR, clarity on Vehicle Identification Numbers, another iteration of DPDI (we’re calling it DPDI23), our thoughts on SRIs and DPOs, a ton of AI-related news (some less practical right now), the OSB becoming the OSA and so much more.

Let’s start with the EDPB’s resounding confirmation of the ban on behavioural advertising by Meta – but is it a blanket ban? – and Meta’s move to ‘pay or data’.

 

Meta – Behavioural Advertising – EEA Ban

On 27 October, the EDPB issued an ‘urgent binding decision’ to ban Meta’s use of behavioural advertising based on necessity for contract or legitimate interests, effective across the entire EEA. Either remarkable, a long time coming, or both depending on your view.

Three things to note.

  1. It’s not a blanket ban as it only bans behavioural advertising based on contract and legitimate interests – it makes no comment on other legal bases, though consent is the obvious ‘last basis standing’ and was clearly signposted in CJEU decisions.
  2. It highlighted this technically interesting procedure: Ireland's DPA issues a decision; Norway's DPA took action concerning Meta in Norway, because it felt Ireland's DPA wasn't doing anything fast enough about Meta in the EEA; Norway's DPA then asked the EDPB to confirm EEA-wide action; the EDPB agreed; and the EDPB then instructed Ireland's DPA, as Meta's lead supervisory authority, to tell Meta about the order.
  3. The EDPB statement sounded fed up with Meta after a clear outcome back in December 2022. Meta likely won't have much goodwill left with EEA regulators outside Ireland.

 

The EU DMA & Tracking

The EU’s Digital Markets Act is now in force and will impact Meta (and others). While you should review whether the DMA covers your organisation, its presumptions only bite above thresholds such as €7.5bn annual EU turnover or a €75bn market cap, combined with at least 45 million monthly active end users in the EU. If you’re well below those, this next part likely won’t trouble you.

In its list of ‘DMA dos and don’ts’ the EU states that ‘gatekeepers will for example no longer … track end users outside of the gatekeepers’ core platform service for the purpose of targeted advertising, without effective consent having been granted’.

This was the subject matter of the CJEU’s Bundeskartellamt case in July 2023 – read our blog on the GDPR aspects of that here.

See the DMA on this:

  • Recitals 36 and 37 and Article 5(2) call for consent for tracking on third party sites, and Recital 72 calls for consent for profiling.
  • Art 6(10) calls for consent before a gatekeeper shares personal data on relevant users with a business.
  • This applies to ‘gatekeepers’, which Recitals 3 and 6 describe as a ‘small number of large undertakings providing core platform services [that] have emerged with considerable economic power’ and have ‘a significant impact on the internal market’.
  • Article 3 contains the qualifying criteria we mentioned above, such as the €75bn market cap, so gatekeepers are not your common or garden SaaS provider.

Fines under the DMA are even bigger than GDPR’s: up to 10% of the company’s total worldwide annual turnover, or up to 20% in the event of repeated infringements.

Where else does Privacy come into the DMA?

While the DMA can call for consent, GDPR trumps the DMA when it comes to personal data, and Art 2 of the DMA defines ‘consent’ as consent under GDPR.

 

Pay or Data

Meta tried contract. It tried legitimate interests. So now it’s moving to consent in a ‘pay or data’ move where you can either consent to behavioural advertising or pay around €10 per month to use the service without it.

This has triggered a tidal wave of comment and, happily, some have highlighted that it’s not just GDPR at play here. Yes, the question of valid consent is raised, but this triggers other laws too, such as those on unfair contract terms, consumer protection and competition.

From the data protection side:

  • the EDPB’s urgent binding decision noted that ‘The Irish DPC is currently evaluating this together with the Concerned Supervisory Authorities (CSAs).’
  • Norway’s DPA has already stated it has its doubts.
  • NOYB notes that the model’s been used in journalism before.

So expect some findings to be coming from the consistency mechanism on this in the next few months, alongside other DPAs and regulators from competition and related fields across Europe.

Key takeaways

  • If you are using contract or legitimate interests for behavioural advertising, you’re on notice that that is unacceptable to GDPR regulators in the EEA (and probably the UK).
  • Review your processes and make the move to consent if you’re not using it already.
  • Review your consents to ensure they meet GDPR’s requirements.
  • If you’re thinking of going for a ‘pay or data’ model, you may wish to wait a few months to avoid any wasted investment.

 

Enforcement: Clearview wins appeal on ICO fine

We’re lucky to have a breakdown of the First-tier Tribunal’s (‘FTT’) decision overturning Clearview’s fine from 11 King’s Bench Walk (11KBW), who represented both sides.

  • The FTT overturned the ICO’s fine on Clearview on a jurisdictional point which came down to the fact that acts of foreign governments are not in scope for EU law (Clearview’s acts having occurred before Brexit took effect).
  • The FTT then decided, in what we think is a huge stretch, that because Clearview’s customers were US law enforcement, that meant the US government, which meant the processing by Clearview was in fact for law enforcement by a foreign government, and so outside EU GDPR’s scope.

We think the FTT was wrong, and we’re not alone: in our view Clearview is clearly processing for its own commercial purposes in a way that falls within GDPR.

But we’re not fancy lawyers. 11 KBW are though, and their review ends:

It is a nice [meaning precise, intricate] question whether the processing by Clearview – an act of service provision undertaken for commercial activities – should be treated as being undertaken “in the course of an activity which falls outside the scope of Union law”, even if that processing by the client is undoubtedly undertaken in the course of such an activity, and even if the processing is the same processing. And if that is the case as regards ‘Activity 2’ processing, the question might be thought even more acute in the context of ‘Activity 1’ processing, where the client has no role at all.

So watch this space. We’ll see if the ICO is going to put taxpayers’ money into an appeal.

Key takeaways

  • Do not take this decision to mean GDPR doesn’t apply to you because you’re outside the EEA.
  • This was decided on a very technical point and, if you don’t exclusively work for law enforcement, it likely won’t apply to you.
  • Commercial processing of data subjects in the UK or EEA is likely to be covered by UK or EU GDPR (yes we still have a UK GDPR…).

 

CJEU: VINs, Legal Obligation & what is personal data?

In the CJEU’s decision in Scania, we’ve one superfluous finding and two interesting findings.

The superfluous finding is that VINs are personal data if they are linked to an individual, and not if they’re not, for example where a company owns the car and no individual appears on the registration certificate.

When is a law a legal obligation?

The first interesting finding is confirmation that the EU law requiring manufacturers to make VINs (and more information on cars) available to repair garages and other independent operators is indeed a legal obligation to share personal data (where a VIN qualifies as personal data) for the purposes of GDPR Art 6(1)(c).

The CJEU quickly ran through the test that the law setting out the legal obligation must:

  1. ‘define the purposes of the processing’,
  2. ‘meet a public interest objective’ and
  3. ‘be proportionate to the pursuit of such an objective’.

We recommend looking at paras 53 to 62 of the decision, which provide a clean example to follow if you have to do that determination yourself.

What is personal data?

The second interesting finding is about when data qualifies as personal data, and it’s interesting because the UK GDPR reform bill (DPDI) is back in Parliament (see below).

  • Para 44 of Scania notes that personal data is defined as ‘any information relating to an identified or identifiable natural person’.
  • Para 45 says that definition is met ‘where, by reason of its content, purpose and effect, the information in question is linked to a particular natural person …. In order to determine whether a natural person is identifiable, directly or indirectly, account should be taken of all the means likely reasonably to be used either by the controller, … , or by any other person, to identify that person, without, however, requiring that all the information enabling that person to be identified should be in the hands of a single entity …’.
  • Para 49 then decides the point: ‘… where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person, …, that VIN constitutes personal data for them, …, and, indirectly, for the vehicle manufacturers making it available, even if the VIN is not, in itself, personal data for them, ...’

In other words: the VIN is personal data for the garages if they can identify an individual from it, and it’s personal data for the manufacturers even if they can’t do so, because the people they’re going to give it to (the garages) can.

That makes total sense under current law.

This may be ‘cold towel around the head’ stuff, but it gets more so when you see that the UK’s bill to reform UK GDPR, the DPDI, was mentioned in the King’s Speech and is moving towards the statute books…

 

DPDI23

On 7 November, King Charles gave the King’s Speech, setting out the government’s agenda and the explanatory note lists the DPDI Bill on pages 28 to 30. It’s the third iteration, but it’s in 2023 so we’re calling it DPDI23.

We’ve updated our crosswalk of UK GDPR, now against DPDI23, and you can download that from our website. Here’s the RoPA side-by-side:

(image: RoPA side-by-side, UK GDPR against DPDI23)

 

And here’s how the RoPA exemption has travelled:

(image: how the RoPA exemption has travelled across the DPDI iterations)

UK DPOs are a bit nervous about disappearing from the law and SRIs coming in, but we believe this will be a much bigger burden on UK business and a bonanza for current DPOs and providers such as Keepabl.

You can see more in our SRI breakdown; for now we’ll just highlight that the SRI’s tasks are much heavier than the DPO’s:

(image: DPO tasks compared with SRI tasks)

 

Cookies

Belgium’s DPA, the APD, has issued a cookie checklist which doesn’t contain any shockers but does continue the push for a Reject All button at the same level as an Accept All button:

(image: the Belgian APD’s checklist on the cookie tool)

It’s unsurprising as it’s in line with the EDPB Cookie Banner Taskforce report, which said that the ‘vast majority’ of DPAs considered not having the ability to reject at the same level as accept was an infringement, but it’s nuanced:

‘[A] Few authorities considered that they cannot retain an infringement in this case as article 5(3) of the ePrivacy Directive does not explicitly mention a “reject option” to the deposit of cookies.’

  • That’s right, the ePrivacy Directive does not require this and DPAs cannot create law, much as they may wish to.
  • We think ‘Reject All’ is untrue as well as confusing for the regular person (we all work in such a bubble) because it’s really ‘reject all apart from strictly necessary’.
  • Isn’t this going down a rabbit hole? Simply closing the cookie tool (meaning no consent is given) is as easy a way to reject consent-based cookies as clicking Accept All.
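To make the point about ‘Reject All’ and closing the banner concrete, here is a small consent-state model for a cookie tool. It is an added example for this newsletter, not code from the APD, the EDPB or any real consent tool; the category names, the `noDecision`/`rejectAll`/`dismiss` functions and the tag registry are all constructed for illustration. It shows that the default state, the ‘Reject All’ state and a dismissed banner all load exactly the same (strictly necessary) scripts, and that nothing beyond that is loaded until the user actively opts in.

```javascript
// Added example (not from the newsletter or any vendor): a minimal consent-state
// model for a cookie banner. Category names and the script registry are constructed.

const CATEGORIES = Object.freeze(['strictly_necessary', 'analytics', 'advertising']);

// Strictly necessary storage needs no consent under ePrivacy Art 5(3);
// everything else is off until the user actively opts in.
function noDecision() {
  return {
    decided: false,
    granted: { strictly_necessary: true, analytics: false, advertising: false },
  };
}

// "Accept All" grants every category.
function acceptAll() {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = true;
  return { decided: true, granted };
}

// "Reject All" is really "reject all apart from strictly necessary":
// the granted set equals the default; only the fact of a decision is recorded.
function rejectAll() {
  return { ...noDecision(), decided: true };
}

// Closing the banner without choosing is not consent: the state is unchanged.
function dismiss(state) {
  return state;
}

// Per-category choice from a "manage preferences" panel. Strictly necessary
// cannot be switched off and unknown categories are ignored.
function customise(choices) {
  const state = rejectAll();
  for (const [c, v] of Object.entries(choices)) {
    if (c !== 'strictly_necessary' && CATEGORIES.includes(c)) state.granted[c] = Boolean(v);
  }
  return state;
}

// Gate: which tags may be added to the page under a given state. A tag is
// only ever loaded when its category has been granted.
function allowedScripts(state, registry) {
  return registry.filter((s) => state.granted[s.category] === true).map((s) => s.src);
}

// Constructed registry of tags a site might ship.
const TAG_REGISTRY = [
  { src: '/js/app.js', category: 'strictly_necessary' },
  { src: 'https://analytics.example/a.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
];

// Demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('dismissed :', allowedScripts(dismiss(noDecision()), TAG_REGISTRY));
  console.log('reject all:', allowedScripts(rejectAll(), TAG_REGISTRY));
  console.log('accept all:', allowedScripts(acceptAll(), TAG_REGISTRY));
}
```

The design choice worth noting is that `rejectAll()` and `noDecision()` produce the same `granted` set and differ only in `decided`, which is what you would persist so the banner is not shown again. A tool that loads analytics or advertising tags before `decided` is true, or on `dismiss`, is exactly the behaviour the Taskforce report and the APD checklist are aimed at.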

 

California’s DELETE Act

We reported on California’s Age Appropriate Design Code being declared unconstitutional in our last newsletter. Which we’ll take as a ‘down’.

As a significant ‘up’, California has passed the Delete Act.

The Delete Act introduces, over the next couple of years, a register of data brokers and a centralised system for erasure requests, with brokers required to act on those requests within a 45 day window.

 

Transfers: The EU-US DPF

The first legal challenge to the EU-US DPF failed on 12 October 2023 as the claimant, a French MEP, had not shown the urgency or particular harm to himself, so the court did not need to look at the other parts of the test for issuing an injunction preventing the DPF taking effect. H/T Norman Aasma.

Now we hear that NOYB is near to launching its challenge, which will likely be more threatening.

 

Transfers: DPDI & Adequacy

If you’ve a coffee break, do read this blog from Bates Wells on the changes to the meaning of ‘fundamental rights and freedoms’ after Brexit and the impact of the Retained EU Law (Revocation and Reform) Act 2023.

Then notice that the EDPS just posted a piece on respecting the essence of fundamental rights – coincidence? Maybe, but it shows that we fiddle with human rights underlying data protection at our peril.

Recent shenanigans in the Tory party / UK government mean the threat to our membership of the ECHR regime may have abated for now, but the threat isn’t over.

 

UK Online Safety Act

The UK Online Safety Bill became the Online Safety Act on 26 October. The regulator is Ofcom.

Now, this law is a behemoth and, to prove it, on 9 November Ofcom released some 1,500 pages of draft guidance:

  • That’s not even a complete set, it’s ‘the first of four major consultations’.
  • There are 6 Volumes and 16 Annexes.
  • The ‘At a glance’ guide to the consultation is itself 15 pages.
  • The summary of each chapter is 39 pages.

Feeling overwhelmed? You’re in good company. Neil Brown’s blog at decoded.legal is a good read and will make you feel you’re not alone.

The consultation is open until 23 February 2024 so do get involved.

 

AI

OK. AI. There is so much to say. We’ll say a bit about 3 practical developments and then give you the links and leave you to it – we’ve already kept you long enough this month!

UK ICO preliminary enforcement notice on Snap

On 6 October, the UK ICO issued Snap with a ‘preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’ … Investigation provisionally finds Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17.’

The chatbot was ‘powered by OpenAI’s GPT technology’.

Key takeaways

  • Do an assessment before using AI.
  • Consider your use case and personal data usage.
  • Particularly consider the risks to vulnerable data subjects.

AI Liability

Oliver Patel is always a good follow on AI and his post gives you an inroad to Google and Microsoft’s recent rollout of IP indemnities for certain claims from use of their AI products.

But is IP enough?

  • Yes, IP infringement is a major concern – if you use AI to create a 100 page guide exactly where does that come from? There have been reports (which we’ve not verified) of users being able to get Generative AI to regurgitate original material – which would be very scary indeed if those claims turn out to be true.
  • But AI also raises issues about personal data. What happens to the personal data you put into it, does it get shown to others? Does it go into the training data? What about that training data? Will you get personal data from third parties without realising and then infringe?
  • And AI raises discrimination. Is that training data fair? Is the model going to discriminate against particular groups?

So, while the IP indemnity is very nice – and in line with decades of IP indemnities in such contracts, though do read the limits of the indemnity carefully – in our view it’s the tip of the iceberg.

Biden’s EO on AI

The EO dictates how the US federal government will buy and use AI, and so it will impact all private sector suppliers to the US government. That extends its scope considerably.

It was cheekily timed considering the UK’s Bletchley Park event and announcement but it’s clearly been a while in the making and builds on all the work we’ve reported on in previous newsletters.

Generative AI

Here’s where we leave you with the links – enjoy!

 

Simplify Your Compliance with Keepabl

Need to upgrade (or even establish) your RoPA into something that’s easy to create and maintain? Need automated Breach and Rights management?

Do contact us to see for yourself, book your demo now!

 

 

