The EU & UK December 2022 & January 2023 Policy Update
Data protection and privacy
The European Commission has launched the adoption process of an adequacy decision for the EU-US Data Privacy Framework. The decision recognizes the measures put in place by the US to address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020. It will enable the trans-Atlantic free flow of data. Once adopted, companies will be able to transfer personal data to the United States without having to put in place additional data protection safeguards such as standard contractual clauses and binding corporate rules. The procedure involves the European Data Protection Board (EDPB), EU Member States, and the European Parliament and is expected to be finalized by the end of Q3 this year.
The Irish Data Protection Commission (DPC) has concluded two inquiries into Meta, imposing €210 million and €180 million fines for Facebook and Instagram, respectively, for breaches of the GDPR. The complaints were made on 25 May 2018, the date from which the GDPR was applicable, by the privacy rights group Noyb. They argued that making users’ access to services conditional on acceptance of the updated Terms of Service represents a ‘forced consent’ to data processing for behavioral advertising and personalized services.
The DPC found that Meta breached its obligations concerning transparency, as the information about the legal basis that it relied on was not clearly outlined to users. The DPC also found a breach of the principle that users’ personal data must be processed lawfully, fairly, and in a transparent manner.
In its analysis, the DPC considered that “the ‘forced consent’ aspect of the complaints could not be sustained”, and that Meta was not required to rely on consent, as “in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis”. Other data protection authorities have raised objections against the DPC’s initial decision within the dispute resolution mechanism coordinated by the European Data Protection Board (EDPB). The final decision adopted by the DPC on 31 December 2022 includes the guidance provided by the EDPB, in the sense that Meta is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioral advertising as part of its Facebook and Instagram services.
The DPC has also announced that it will be filing a legal action with the Court of Justice of the European Union to annul aspects of the EDPB’s directions, which it considers beyond the scope of the initial case. The EDPB directed the DPC to conduct a fresh investigation that would span all of Facebook and Instagram data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The intra-institutional litigation is a clear sign of regulatory flaws. National data protection authorities often diverge in their interpretation of the rules, which leads to inconsistent enforcement of the GDPR.
The DPC has also fined WhatsApp Ireland €5.5 million in a similar case regarding an alleged ‘forced consent’. The decision process involved EDPB’s dispute resolution mechanism as well. The final decision includes findings that WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security (excluding what the EDPB terms as “IT security”) for the WhatsApp service.
The EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of “WhatsApp IE’s processing operations in its service to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioral advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR.” The DPC announced that it would bring an action for annulment before the Court of Justice of the European Union to seek the setting aside of the EDPB’s direction.
The DPC has launched an inquiry into Twitter concerning leaked datasets. The investigation stems from multiple international media reports indicating that one or more collated datasets of Twitter user personal data had been made available on the internet. These datasets were reported to contain personal data (Twitter IDs to email addresses and/or telephone numbers) relating to approximately 5.4 million Twitter users worldwide.
The French data protection authority (CNIL) has fined Apple €8 million for privacy issues related to iOS 14.6 (circa May 2021). The breach is related to the absence of user consent before placing (and/or reading) ad identifiers on their devices, for the purpose of personalizing ads to promote mobile applications on the App Store.
The CNIL has also fined Microsoft €60 million for privacy violations on its search engine Bing and ordered the company to change its cookies policy. The CNIL has found that users of Bing were not asked for consent for cookies, even in the case of those for advertising purposes. The introduction in March 2022 of a button allowing users to reject cookies was however recognized by the CNIL.
The CNIL has closed an investigation against a non-EU company providing a browser extension, considering that its activities were not subject to the GDPR. The company, Lusha Systems Inc., a US subsidiary of an Israeli company and not established in the EU, was subject to complaints related to the browser extension it developed. The browser extension allows users to obtain the professional contact details (telephone number and email address) of people whose profiles they visit on LinkedIn or Salesforce’s customer platform. The CNIL took into account that the company is not established in the EU and does not offer goods or services on the EU market. It also noted that the mere collection or analysis of personal data of individuals in the EU cannot be considered as “monitoring” or “profiling”, without a specific purpose for collection and reuse (“processing which consists in analyzing or predicting a behavior, the personal preferences or the movements of a person, his interests, his economic situation or his state of health”).
The Italian data protection authority (Garante) has fined Clubhouse €2 million for “numerous violations” of the GDPR. The list of issues ranges from lack of transparency on the use of data, to the lack of consent for storing and sharing audio, profiling, and sharing of account information without the identification of a correct legal basis, to indefinite storage times for recordings. The app has been prohibited from any further processing of information carried out for marketing and profiling without specific consent.
Competition in digital markets
The German Competition Authority (Bundeskartellamt – BKA) has issued a statement of objections against Google’s data processing terms. The BKA considers that users are not given a sufficient choice as to whether and to what extent they agree to the processing of their data across services. The users should also be able to differentiate between the purposes for which the data are processed. The statement underlines that “the choices offered must not be devised in a way that makes it easier for users to consent to the processing of data across services than not to consent to this.” Google is being investigated as a company “of paramount significance for competition across markets”, according to Section 19a GWB (national competition law). The updated rules allow the BKA to prohibit such companies from engaging in certain anti-competitive practices. The BKA acknowledged that its investigation partially exceeds specific requirements of the Digital Markets Act (DMA).
The European Commission has sent a statement of objections to Meta regarding abusive practices related to Facebook Marketplace. The investigation scrutinizes the tying of online classified ads service (Facebook Marketplace) to the social network (Facebook). It also examines alleged unfair trading conditions imposed on Facebook Marketplace’s competitors.
The European Commission has closed its investigation into Google and Meta’s agreement for online display advertising services (the so-called “Jedi Blue” agreement). The investigation opened in March 2022 and assessed whether Google and Meta agreed to weaken and exclude a competing technology to Google’s Open Bidding from the market for displaying ads on publisher websites and apps.
Apple was fined €1 million by the Paris Commercial Court for imposing abusive commercial clauses on French app developers for access to the company’s App Store (as reported by Reuters). The case was initiated in 2017 by the Directorate General for Competition, Consumer Affairs and Fraud Control (DGCCRF), which argued that the App Store’s contractual clauses for app developers created “a significant imbalance in the rights and duties of the parties.” With regard to remedies, the Court noted that Apple is not required to modify the App Store’s clauses right away, considering it will have to comply with the obligations under the Digital Markets Act (DMA).
The UK Competition and Markets Authority (CMA) is carrying out a market investigation on mobile browsers and cloud gaming. Stakeholders (including Developers Alliance) were invited to provide feedback on the concerns and possible remedies presented in the Statement of issues. Apple is contesting the decision to open the investigation, claiming procedural issues (as reported by Reuters).
The CMA has ordered a partial divestiture of NEC’s acquisition of SSS Public Safety Limited and Secure Solutions USA LLC (previously part of Capita plc). The merger assessment revealed that it could result in emergency services paying more for essential software and significantly reduce competition in the market. The CMA has ordered NEC to sell off its software services used by emergency control room staff, and the services NEC provides to police forces to plan shifts.
A group of 4 large European telecommunications companies wants to offer an alternative type of digital advertising. Vodafone, Deutsche Telekom, Orange and Telefónica have notified the EU Commission of their intention to collaborate and create a “digital identification solution to support the digital marketing and advertising activities of brands and publishers”.
The French Directorate General for Competition, Consumer Affairs and Fraud Control (DGCCRF) has found that 60% of influencers do not comply with advertising and consumer laws. Following the investigation, sanctions were applied, and a public consultation was opened on 11 proposed measures to better enforce the law for these specific commercial activities.
A report on the AI Act’s impact on startups in Europe shows concerns about the consequences of the upcoming regulation on innovation and the startup ecosystem in the EU. According to the respondents, 33% – 50% of the AI systems would classify as ‘high-risk’, which goes way beyond the assumption in the European Commission’s impact assessment (5-15%). Also, 45% would consider their solution as a General Purpose AI. The requirements proposed for ‘high-risk’ AI systems will raise significant challenges for startups in terms of technical and organizational complexity and compliance cost. It is also expected that VC investments will shift toward AI Systems with a specific purpose in low-risk applications and, to some extent, to non-AI startups and outside of Europe.
The European Commission has published the draft standardization request to the European Standardisation Organisations for the AI Act. The request, “in support of safe and trustworthy artificial intelligence,” is addressed to the European Committee for Standardisation (CEN) and the European Committee for Electrotechnical Standardisation (CENELEC). The European Telecommunications Standards Institute (ETSI), one of the three European standardization bodies, is envisaged to have only a consulting role. The draft specifies the date for the adoption of standards as January 31, 2025.
A Joint Roadmap for Trustworthy AI and Risk Management was adopted at the 3rd meeting of the EU-US Trade and Technology Council (TTC). It aims “to advance shared terminologies and taxonomies, but also to inform the approaches to AI risk management and trustworthy AI on both sides of the Atlantic.”
Nine European cities have developed a free-to-use open-source ‘data schema’ for algorithm registers in cities. The initiative, a collaboration through the Eurocities network, sets common guidelines on the information to be collected on algorithms and their use by a city and supports the responsible use of AI by the public sector. The data schema was developed by Barcelona, Bologna, Brussels Capital Region, Eindhoven, Mannheim, Rotterdam, and Sofia, based on the example set by Amsterdam and Helsinki.
The Netherlands has announced a special department for algorithms set up within the Data Protection Authority (Autoriteit Persoonsgegevens). It will supervise and coordinate across the administration the generic and specific risks and effects of algorithms.
Developers Alliance has joined 12 other associations in a joint industry statement, asking for legal clarity in the EU Data Act text. The industry coalition is urging the EU lawmakers to clarify the scope, take into account legitimate business interests and ensure protection of trade secrets, ensure a practical approach for cloud infrastructure services, and avoid hindering international data transfers. The proposal for the Data Act is part of the EU Data strategy and aims to foster B2B data sharing, especially for after-market services.
The UK government has published a Code of practice for app store operators and app developers. It sets out minimum security and privacy requirements for app store operators and app developers. The initiative aims to foster good practices and increase security across app ecosystems.
In an important decision about the right to be forgotten, the EU Court of Justice provided that: “the operator of a search engine must dereference information found in the referenced content where the person requesting dereferencing proves that such information is manifestly inaccurate.” The decision states that such proof need not, however, result from a judicial decision made against the publisher of the website. The case is C-460/20 Google (De-listing of allegedly inaccurate content). Two managers of a group of investment companies requested Google to de-reference results of a search based on their names, which provided links to particular articles that they consider to contain inaccurate claims. They also requested Google to remove photos of them, displayed in the form of ‘thumbnails’, from the list of results of an image search made based on their names. The Court indicated that “account must be taken of the informative value of those photos without taking into consideration the context of their publication on the internet page from which they are taken”.
The European Parliament has adopted a report on video games, calling for better protection of gamers “from addiction and other manipulative practices” and special protection measures for minors. The report underlines that video game developers should also prioritize data protection, gender balance, and the safety of players and should not discriminate against people with disabilities. MEPs also recognize the value and potential of the video games sector in Europe and call on the European Commission to implement a European Video Game Strategy.
The State of European Tech 2022 has presented a slowdown in funding and growth, layoffs, persistent discrimination, and diversity issues. However, the report notes that “commitment to purpose-driven companies has remained strong despite the macroeconomic headwinds.” Founders responding to the survey indicated they are struggling to keep up with regulation, administrative complexity, and the general policy fragmentation across Europe.
The European Commission and the US Government have launched a new multi-stakeholder group of Internet measurement experts. The group’s objective is “to document Internet shutdowns and their effects on society as rapidly and comprehensively as possible.”