December Newsletter

  1. Meta’s advertising practices were found to be in violation of the GDPR

Meta received a significant blow from European Union regulators, who ruled that the company had violated EU law by illegally requiring users to accept personalized ads. The decision included a fine of 390 million euros, which has the potential to force Meta to make significant changes to its advertising business in the EU, a major market for the company. The ruling is one of the most significant judgments since the EU implemented a data privacy law in 2018, which aims to prevent companies like Facebook from collecting user data without their consent. The case revolved around how Meta obtains legal permission from users to collect their data for personalized advertising. The company's terms of service agreement, which users must accept to use services like Facebook, Instagram, and WhatsApp, included language that effectively required users to either allow their data to be used for personalized ads or stop using Meta's services. You can read more here.


2. Irish authorities to investigate data breach at Twitter

Ireland's Data Protection Commission (DPC) announced on Friday that it is launching an investigation into a data breach at Twitter that affected over 5 million users. In August, Twitter confirmed that hackers had exploited a vulnerability in its system to obtain users' profiles linked to phone numbers and emails. The Irish DPC decided to investigate after exchanges with Twitter led them to believe that the company may have violated the EU's General Data Protection Regulation. This news comes after the Irish DPC fined Twitter €450,000 for a separate data breach in the past and after it fined Meta €265 million last month for a similar incident involving the scraping of user data. The DPC's investigation will also bring renewed scrutiny on Twitter after the head of the Irish regulator, Helen Dixon, expressed concerns about a range of issues at the company following Elon Musk's takeover. Find more here.


3. WhatsApp’s challenge to EU Data Protection Board decision dismissed by EU court

The European Court of Justice has ruled that an action brought by WhatsApp against a decision of the European Data Protection Board is inadmissible, according to a statement issued on Wednesday. The Irish Data Protection Commission had imposed corrective measures and fines totaling 225 million euros on WhatsApp in 2021 following complaints about the company's use of personal data in Ireland and a ruling on the matter by the European Data Protection Board. WhatsApp had challenged the decision in an Irish court and also asked the European Court of Justice to annul the ruling of the EDPB, but the court ruled that WhatsApp's action was not allowed. It added that the EDPB's decision could be challenged in a national court. Details can be found here.

Decisions

  1. Finland - the Office of the Data Protection Ombudsman's Sanctions Board has imposed an administrative penalty on Viking Line Oy Abp for data protection violations.

Viking Line Oy Abp is a brand in passenger traffic on the northern Baltic Sea. DPOSB investigated Viking Line's activities on the basis of a complaint instituted with the Office. A former employee of Viking Line informed the Office of the Data Protection Ombudsman that they had not received all of their personal data being stored in the company's systems despite their request. According to the former employee, Viking Line had been keeping their health data in the HR system for 20 years. For example, Viking Line had saved diagnoses in connection with information on absences due to illness into the HR system. According to the complainant, some diagnostic information stored into the system was inaccurate, because it was not possible to enter all diagnosis codes into it.

The Deputy Data Protection Ombudsman finds that there have been a number of serious shortcomings in Viking Line's practices for processing personal data. Not only had Viking Line unlawfully saved its employees' diagnosis information in the HR system, but some of the data was inaccurate as well. The Sanctions Board found the company's activities to be particularly reprehensible in this regard. Health data should have been erased immediately when its storage was no longer necessary.

The Office of the Data Protection Ombudsman's Sanctions Board ordered Viking Line Oy Abp to pay an administrative fine of EUR 230,000 for several violations of data protection legislation. The company was also reprimanded.

The Sanctions Board emphasised that even inaccurate diagnosis information had been stored for a considerable period of time. Inaccurate diagnosis information can pose a risk to an individual's legal protection.


The matter was resolved in cooperation with the Swedish, Norwegian and Estonian data protection authorities.

Read more here.


2. Spanish Data Protection Authority reduces a fine for Vodafone Spain to €56,000


Following a complaint, the Spanish data protection authority ('AEPD') announced its judgement in Proceeding No. 00296/2022 on December 12, 2022, fining Vodafone España, S.A.U. €70,000, which was later reduced to €56,000, for violating Article 6(1) of the General Data Protection Regulation. The complaining party claimed that Vodafone España had given a duplicate of their SIM card to a third party without their permission and without confirming the identity of the third party. As a result, the complaining party claimed, the third party had access to the complainant's bank information, carried out several fraudulent transactions using electronic banking, and gained access to the complainant's Gmail account. Vodafone España was charged with violating Article 6(1) of the GDPR. As a result, the AEPD imposed a fine of €70,000 on Vodafone España for violation of Article 6(1) of the GDPR. However, the AEPD provided that Vodafone España had already paid the fine in the amount of €56,000, making use of voluntary payment and acknowledging its responsibility.



3. Microsoft fined €60M for inadequately facilitating refusal of cookies in France

The French data protection authority ('CNIL') published, on 22 December 2022, a decision in which it fined Microsoft Ireland Operations Limited €60 million for failing to make it as easy to reject consent to the use of cookies as it is to accept the same on bing.com. One of the users made a complaint to the CNIL and carried out an online audit on the bing.com domain, and found that when users visited this site, cookies were deposited on their terminal without their consent, while these cookies were used for advertising purposes, among others. CNIL detailed that, while the search engine offered a button to accept cookies immediately, it did not offer an equivalent solution (button to refuse or other) to allow the user to refuse them as easily.

As a consequence, CNIL sanctioned Microsoft Ireland Operations Limited with a fine of 60 million euros.

Read details here.
