Quick overview of “information technology” news for the weeks of December 12, 19, 26, 2022 and January 2, 2023 – IP/IT and Communications
Condemning DPC’s Meta, Ireland’s data protection authority for being held back by its peers!
Following complaints filed on the day GDPR started, May 25, 2018, by Max Schrems’ association, Noyb, the Irish authorities (finally!) sentenced Meta, the parent company of Facebook and Instagram, to a fine of 390 million euros.
Most of the processing operations carried out by Meta are based on the contract concluded with the users of the platforms (the general conditions of use), including one of the main activities of the giant: behavioral advertising . Likewise, it is impossible for a user who wishes to access Facebook and Instagram services without being subject to targeted advertising to isolate his agreement: refusing to accept the T&C prevents him from accessing on the platforms, the acceptance of the CGU forces him to accept behavioral advertising related to the services he wishes to access.
According to Meta, Facebook and Instagram provide personalized services that include personalized or behavioral advertising. This system is at the heart of the user acceptance model. The Irish authority initially held that Meta had failed in its obligations in terms of transparency, but the complaint related to the compulsory nature of the consent could not survive because the processing was unfounded, and did not need to be, in consent of users.
The EDPS, which intervenes in the procedure under the enhanced cooperation procedure due to the lack of consensus in the face of the opposition of some authorities who consider the solution proposed by the Irish authority too lenient, rejects the use of the contract as a legal basis for processing for the purposes of behavioral advertising.
Incorporating these binding instructions, the Irish authorities finally condemned Meta to pay 390 million euros, and the amount to be complied with within 3 months. Specific and separate consent of platform members to personalized advertising must be requested in the future.
This penalty comes at the end of the implementation of the enhanced cooperation procedure between the regulatory authorities set for Article 60 of the GDPR, which shows all the usefulness and opportunities of such a mechanism, especially in front of of forum procedures. shopping implemented by these Internet players who will organize where the leading authority can be more skeptical of the condemnation pronounced. The EDPS also asked the Irish authority to conduct a new investigation covering all data processing operations of Facebook and Instagram, in particular to examine the special categories of personal data that may or may not be processed as part of these operations.
The Irish authority, however, has indicated that it is considering an appeal to the Court of Justice of the European Union on the grounds of the illegality of these existing instructions from the Committee. It should be noted that, surprisingly, the decision submitted to Meta was not sent to the opposing party (Noyb, an association for the defense of online freedoms), for the reason that Meta had to redact everything they considered “sensitive ” in the decision. The decision is therefore not yet public.
The judgment on Apple by the CNIL on December 22, 2022
The CNIL fined Apple 8 million euros for not obtaining the consent of French iPhone users (in its previous version iOS 14.6) before setting up identifiers, used for advertising purposes, on their telephone.
The CNIL was taken by the France Digitale association of a complaint about the processing implemented by Apple through its iOS and MacOs operating systems. The association criticized in particular that the “Personalized advertising” privacy setting, which is in the iPhone settings, is activated by default. This parameter, activated by default, effectively prevented the proper collection of users’ prior consent to…