CNIL

On November 15, 2019, the French Supervisory Authority (“CNIL”) published guidance on the use of facial recognition. The guidance is primarily directed at public authorities in France that want to experiment with facial recognition.

The guidance warns that this technology risks leading to biased results because the algorithms used are
Continue Reading French Supervisory Authority Publishes Guidance on Facial Recognition

On September 24, 2019, the Court of Justice of the European Union (“CJEU”) adopted a decision on the geographical scope of the right to erasure under the GDPR (decision available here).  The court decided, in line with the opinion of Advocate General Szpunar, that a US-based search engine does not have to remove (de-reference) search results displayed on all the search engine’s versions.  According to the court, it suffices for search results to be deleted from the search engine’s EU versions (i.e., EU domain name extensions, such as .eu, .fr or .de).  For more information on the Advocate General’s opinion, see our prior blog post here.
Continue Reading GDPR’s right to be forgotten limited to EU websites

On June 28, 2019, the French Supervisory Authority (CNIL) announced that it will issue new guidelines on the use of cookies for direct marketing purposes.  It will issue these guidelines in two phases.

First, during July 2019, the CNIL will update its guidance issued in 2013 on cookies.  According to
Continue Reading French Supervisory Authority will issue new guidelines on cookies

On January 21, 2019, the French Supervisory Authority for data protection (“CNIL”) issued a fine of €50 million against Google for violations of the General Data Protection Regulation (“GDPR”) (the decision was published in French here).  The CNIL’s decision was triggered by complaints from two non-profit organizations together representing
Continue Reading Google fined €50 million in France for GDPR violation

On January 10, 2019, Advocate General Szpunar of the Court of Justice of the European Union (CJEU) released his opinion regarding a 2016 enforcement action carried out by the French Supervisory Authority (CNIL) against Google.  In that case, the CNIL ordered Google to de-reference links to webpages containing personal data. 
Continue Reading EU Advocate General: right to be forgotten is limited to EU

On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained.

 
Continue Reading CNIL imposes GDPR-consent in online advertising space

Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced.  Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging.  Enforcement appears
Continue Reading European Regulators Are Intensifying GDPR Enforcement

On November 6, 2018, the French data protection authority (the “CNIL”) published a report that discusses some of the questions raised by the use of blockchain technology and perceived tensions between it and foundational principles found in the General Data Protection Regulation (the “GDPR”).  As we noted in an earlier blog post on this topic, some pundits have claimed that certain features of blockchain technology, such as its reliance upon a de-centralised network and an immutable ledger, pose GDPR compliance challenges.  The CNIL has attempted to address some of these concerns, at least in a tentative manner, and further guidance from EU privacy regulators can be expected in due course.

De-centralised network

The CNIL acknowledges that EU data protection principles have been designed “in a world in which data management is centralised,” and where there is a clear controller of the data (“data controller”) and defined third parties who merely process the data (“data processors”).  Applying these concepts to a de-centralised network such as blockchain, where there are a multitude of actors, leads to a “more complex definition of their role.”  In brief, EU data privacy rules are the square peg to blockchain’s round hole.

Notwithstanding this, the CNIL considers that participants on a blockchain network, who have the ability to write on the chain and send data to be validated on the network, must be considered data controllers.  This is the case, for instance, where the participant is registering personal data on the blockchain and it is related to a professional or commercial activity.  By contrast, according to the CNIL, the miners, who validate the transactions on the blockchain network, can in certain cases be acting as data processors.  As a consequence, data processing agreements would need to be in place between the data controllers and the data processors on any blockchain network.

The CNIL further considers that where there are multiple participants who decide to carry out processing activities via a blockchain network, they will most likely be considered “joint controllers,” unless they identify and designate their roles and responsibilities in advance.   Individuals who use the blockchain for personal use (i.e., individuals who access the network to buy and sell a virtual currency), however, would not be data controllers as they can rely on the “purely personal or household activity” exception.  
Continue Reading The CNIL Publishes Report On Blockchain and the GDPR

By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses 

Exactly one month after the GDPR started applying, the French Supervisory Authority (“CNIL”) issued a formal warning to two companies in relation to their processing of localization data for targeted advertising (see here).  The CNIL found that the consent on which both companies relied did not comply with the General Data Protection Regulation (“GDPR”).  The CNIL also concluded that one of the companies was keeping geolocation data for longer than necessary.

Fidzup and Teemo offer a tool (“SDK-tool”) that allows their customers, mobile app operators, to collect geolocation data and to use this data to provide customized advertising to their app users.  The two companies create profiles on the app users based on the users’ visits to certain points of interests identified by the customers, such as the physical stores of the customer (or of competitors).  They then provide advertising in the form of pop-ups to the app users.  Once a user downloaded a customer’s app, geolocation data is collected, irrespective of whether the app is running, and combined with other data collected about the app user, such as, an advertising ID and technical information about the device (e.g., MAC address).  Both companies relied on user consent obtained by the app operator to process the personal data they collected.  The agreements with Fidzup and Teemo required their customers to inform app users about the targeted advertising activities enabled by the SDK-tool and to obtain the app users’ consent.

The CNIL concluded that the consent obtained did not meet the requirements of the GDPR.  Under the GDPR consent must be “freely given, specific, informed and unambiguous”.  According to CNIL, the consent obtained did not meet any of these requirements.
Continue Reading French Supervisory Authority Issues 2 GDPR Warnings

As we approach the May 2018 effective date of the EU General Data Protection Regulation (“GDPR”), there have been a number of global developments over the last few months with respect to the so-called “right to be forgotten,” which will be codified under Article 17 of the GDPR.

European Developments

In the EU, we previously reported on a Court of Justice of the EU (“CJEU”) decision that limits the right to be forgotten with respect to public records.  And in February, A French high administrative court raised several questions to the CJEU relating to the right to be forgotten in light of the Google v. Costeja Gonzalez decision.  The questions address whether and in what circumstances search engines must delist links to websites in response to requests from data subjects, and arose in the context of a pending dispute between Google and CNIL, the French data protection authority.

A decision by a Circuit Court in Ireland recognized the right of a former election candidate to request the removal of information posted about him on Reddit under the right to be forgotten.  And the UK recently solicited views on its own implementation of the GDPR, including input regarding the interplay between the right to be forgotten and freedom of expression in the media.
Continue Reading Developments in the Right to Be Forgotten