Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of December

The end of this infamous year was not unlike any other period in terms of developments in Data Protection, as in December French Data Protection Authority issued 8 figure fines to tech giants Google and Amazon for violations of cookie rules and provision of information. Meanwhile, in the Netherlands Uber was brought to court in a case surrounding conflicting interests of two sides of data subjects. Lastly, EDPB welcomes the public to reflect on its new guidelines on the restriction of data subject rights under GDPR.     

French Data Protection Authority fines Google and Amazon for cookie practice

In December, French Data Protection Authority CNIL issued three major fines against Google LLC (60 Million Euros), Google Ireland (40 Million Euros) and Amazon(35 Million Euros) for nearly identical set of breaches of the French Data Protection Act.

In the given situation, CNIL after carrying out inspections found that advertising cookies were being placed on users’ devices automatically upon the moment of visiting the website and without obtaining consent as required by the act. An identical issue was found in case of Amazon. While in the case of Google, seven cookies (out of which four were of an advertising nature) were placed on devices, Amazon went further by placing forty such cookies. The second violation that was found in case of all three companies was the failure to inform users adequately on the use of cookies and information related thereto. Thirdly, both of the Google group companies failed to implement an effective opt-out mechanism that allows one to refuse the placement and usage of the advertising cookies, as after deactivation of cookies one cookie remained on the user’s device.  

With respect to the failure to provide information to users, it was revealed that in the information banner that carried the Privacy reminder on Google website, had only two option buttons, namely, “Remind me later” and “Access now”.  The banner had no information on the usage of the cookies, even though the cookies are placed before one may view the banner, and the information was not even readily available after entering the “Access now” section. The deficiencies were not properly corrected even after the adjustments implemented in September 2020, as the newly introduced pop-up notification did not provide all the necessary information on the purposes of and option to refuse the cookies in a clear manner. 

In case of Amazon, while information was, in fact, provided to users when visiting a website directly, it was vague and not adequate, and if the site is accessed through ads on other pages, the information was not given at all. Indeed, only general one-liner explanation of purpose was provided, such as “to offer and improve our services”. In a further drop-down section information on the possibility and ways of refusal of the cookies was not provided.    

The companies did, however, have their objections as to the competence and jurisdiction of CNIL by stating that it cannot be deemed to be the lead supervisory authority considering the one-stop-shop mechanism. The arguments were based on the fact that Google is headquartered in Ireland, and Amazon’s cookie practice was not implemented by Amazon’s French company, as these decisions are done by its Luxembourgish counterpart, therefore, the infringement could not be subject to the French law.

CNIL maintained that the mechanisms in the French Data Protection Act are separate from the one-stop-shop mechanism laid down in GDPR, as the cookie requirements are set by the e-Privacy Directive, further transposed in French Data Protection law. Furthermore, CNIL, with reference to the CJEU Google Spain case, considered that use of cookies on French websites commercially targeting French people was related to activities of the companies established in France.

Uber taken to the court by the drivers for not disclosing the information gathered

In December, the British drivers of Uber, a vehicle-for-hire company, filed a case to the court in the Netherlands for accusations of refusal to disclose personal data on drivers that the company gathers through the Uber application in the course of provision of services. The accusations are based on the claims of drivers that the company assesses the performance and behaviour, as well as other personal data of drivers to determine and allocate available rides and fares for each driver. This information includes also ratings, comments and complaints provided by customers.

The British drivers, motivated by conviction that this information and algorithms is ultimately used to decide their income, had requested disclosure of such information gathered and the logic behind the algorithms used on the Uber app. However, their requests have been partially turned down due to alleged conflicting interests of customers, since the data requested by the drivers would also include customer data.

Uber stated that the information that could have been provided to the drivers without undermining the privacy of customers was provided to the extent possible. Uber further claimed that the information on specific rides carries more sensitive information on the customers, than it does about the driver. Thus, such disclosure of driver’s data is extremely dangerous. Additionally, Uber did provide an explanation of the logic of the allocation of the rides by stating that the rides are allocated based on driver’s route, location and fare preferences with exception to situations where a potential passenger is not allocated due to the driver being rated poorly as possible by the particular passenger.

The opinion of the court shall be available until 11 February 2021.

European Data Protection Board issues Guidelines on restrictions of data subject rights under Article 23 GDPR.

EDPB has taken steps to clarify the applicability of Article 23 of GDPR by publishing guidelines on the said article which shall be available for public consultation until 12 February 2021.

 Article 23 allows the member states to restrict the applicability of such fundamental data subject rights such as the data individual’s rights to obtain and receive information on the data processing and rights to be forgotten, the right to object to or to restrict the processing, among others, as well as the obligations of the controller that pertain to the exercise of these rights by individuals. These restrictions may only be made with legislative measures on a national level.

The guidelines reflect on and recap the conditions required for restriction of the fundamental rights as set in the Charter of Fundamental Rights, as well as clarify regarding the necessity and proportionality test. Furthermore, the guidelines analyse in depth the criteria for such restrictions and assessments necessary, as well as individual rights following the lifting of these restrictions and also potential consequences of violations of this article. Lastly, the guidelines tackle the examination of the legal basis of the restrictions under Article 23 and the rights and obligations to be restricted.

These guidelines follow the controversial Hungarian decree that was issued on 4 May of 2020 which activated Article 23 to tackle issues and burdens caused by the COVID-19 pandemic. The decree caused uproar from both EDPB, as well as civil liberties unions of Europe and Hungary, and was described as unnecessarily extensive and bypassing the fact that GDPR itself has mechanisms that allows states to continue to follow data protection rules without any restriction on the rights.

Share this post?

Get in

+356 2166 1273