EDPB Report on DPO Challenges, Yahoo!'s Hefty €10M French Cookie Fine, Spain's New Cookie Consent Rules

By Robert Bateman and Privado.ai

In this week’s Privacy Corner Newsletter:

  • Too much to do, too little time: An EDPB report highlights problems faced by DPOs.
  • Yahoo! (remember them?) hit by €10 million French cookies fine.
  • Spain’s DPA says some analytics cookies don’t require consent.
  • What we’re reading: Recommended privacy content for the week.

Before We Begin…

Privado.ai is excited to announce Bridge Summit, an event that will help you bridge the gap between privacy laws and practical privacy engineering.

Bridge Summit takes place online on January 31, 2024, and will feature panels and talks from privacy’s leaders, innovators, and practitioners, including:

  • Building Technical Privacy Programs
  • Privacy by Design in a World of Agile Development
  • Privacy Engineering: Stories From the Trenches
  • Privacy as a Brand Differentiator
  • Building a Responsible AI Governance Program
  • A Framework Approach to Privacy

Register now for free. See you there!

EDPB Report Highlights Data Protection Officer Challenges

The European Data Protection Board (EDPB) has published its latest report on a coordinated enforcement action, which focused on the designation and position of Data Protection Officers (DPOs) across the EU.

  • Appointing a DPO is mandatory under the GDPR for certain companies, including public bodies and controllers or processors engaged in large-scale monitoring or risky processing activities.
  • The EDPB’s coordinated enforcement action involved distributing a survey to 61,962 recipients, receiving 17,490 responses.
  • The report highlights issues around compliance with the GDPR’s rules on DPOs, including a lack of resources, conflicts of interest, and, in some cases, a failure to appoint a DPO.

What’s the point of all this?

The EDPB’s investigation was conducted by 25 Data Protection Authorities (DPAs) and aimed to discover whether organizations were meeting their DPO obligations under the GDPR.

As a reminder, such obligations include:

  • Appointing a DPO when required to do so.
  • Ensuring that the DPO has sufficient resources to carry out their tasks.
  • Avoiding any conflicts of interest that might infringe on the DPO’s ability to carry out their tasks.

How are EU organizations doing in this area?

The EDPB identified some trends across the surveyed organizations. Mostly negative.

  • Failing to appoint a DPO. Twelve respondents admitted to not appointing a DPO despite being obliged to do so. Twelve isn’t many, considering that 17,490 people responded. But then again, those 12 respondents were willing to admit a pretty major GDPR violation directly to their DPA.
  • Insufficient resources. Many respondents reported a lack of adequate resources for DPOs, including insufficient human resources, a need for deputy DPOs, and DPOs having to handle multiple roles or tasks.
  • Incomplete assignment of tasks. Some DPOs are not given all the tasks they should be under the GDPR.
  • Conflict of interests. DPOs sometimes hold additional roles or duties that conflict with their GDPR obligations, particularly those in management positions.
  • Uneven awareness and compliance. As always, some member states fared better than others. But bear in mind that, for whatever reason, DPAs chose different data-gathering methods, which might have impacted the results.

Is it all bad?

No. The EDPB notes that, despite the above challenges, DPOs are becoming more professionalized and are having a growing impact within their organizations.

What happens next?

The next steps for the EDPB include:

  • Enforcement action by some of the DPAs
  • New guidelines or recommendations
  • Training and awareness programs

As such, it’s a good time to ensure your DPO has sufficient resources and independence to do their job.

French Regulator Hits Yahoo! with €10m Cookies Fine

The French DPA, the “CNIL”, has fined Yahoo! €10 million for violating EU cookies rules on its website and email service.

  • The fine was issued on December 29 last year, but announced on Thursday.
  • The CNIL accused Yahoo! of failing to respect the cookies choices of visitors to its website, and failing to enable Yahoo! Mail users to freely withdraw cookie consent.
  • The fines were issued under Article 82 of the French Data Protection Act, which implements the ePrivacy Directive into French law.

Yahoo! still exists?

Of course! While no longer an online superpower, Yahoo! is still a big company. Its latest public usership figures are from 2017, but Yahoo Mail had around 225 million monthly active users at that time.

What did Yahoo! do wrong?

There are two elements to CNIL’s enforcement decision.

  • Yahoo! website: On visiting Yahoo.com, users are invited to accept or reject cookies. However, the CNIL found that even if the user did not accept cookies, 20 advertising cookies were nonetheless set on their device.
  • Yahoo Mail: Yahoo Mail users wishing to withdraw consent for cookies were informed that, to do so, they’d have to stop using Yahoo Mail. Yahoo! did not offer the user any alternative, so the CNIL found that their ongoing consent to cookies was not “freely given”.

Interestingly, a recent noyb complaint to the Austrian DPA accuses Meta of breaching the GDPR’s rules on withdrawing consent.

In that case, Facebook and Instagram users wishing to withdraw their consent are required to either close their account or pay a monthly fee.

The CNIL specifically criticizes Yahoo! for failing to provide an alternative to users who wish to withdraw their consent (other than losing access to the service).

Would Meta’s monthly subscription be deemed an adequate “alternative” in the view of the CNIL?

Spanish Regulator: Analytics Cookies Sometimes OK Without Consent

The Spanish DPA, the “AEPD”, has issued guidance on cookies indicating that some analytics cookies used for audience measurement do not require consent.

  • The EU’s ePrivacy Directive generally requires consent for cookies and similar technologies, with limited exceptions.
  • Interpretations of the cookies rules vary across EU member states. The EDPB has previously interpreted the rules strictly, finding that analytics cookies would likely not qualify for the consent exemption.
  • The AEPD’s guidance states that cookies may be used without consent for audience measurement purposes, provided certain conditions are met.

Is this news?

Yes. While some other regulators, notably France’s CNIL and the European Data Protection Supervisor (EDPS), have said certain analytics cookies can be set without consent, the EDPB’s interpretation of the rules is very strict.

The AEPD’s guidance deviates from the EDPB’s stricter view.

When can analytics cookies be set without consent?

The AEPD’s guidance (Spanish) provides clear conditions that must be met before such cookies fall under the consent exemption.

  1. The cookies must be for “audience measurement” purposes only: used to gather statistical data regarding how many people visit a website.
  2. The duration of the cookies should be as short as feasible. The AEPD suggests 13 months. This period should not be extended each time a user visits the site.
  3. Any data gathered via the cookies must be retained for a maximum period of 25 months.
  4. The website operator must periodically review the retention periods set out above.

Where a cookies service provider operates across multiple publishers, it must ensure a strict separation of data to avoid tracking users’ browsing activity.
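The CNIL finding against Yahoo! above (advertising cookies set after the visitor rejected them) and the AEPD’s lifetime conditions both come down to checks a privacy engineer can automate against captured HTTP responses. The following is an added example written for this newsletter, not code from the original page, the CNIL, the AEPD or Privado.ai. It parses captured Set-Cookie headers, flags non-essential cookies set after a reject, flags lifetimes above 13 months, and detects cookies whose expiry is pushed out again on a repeat visit. The cookie names, the essential-cookie allowlist, the 30-day month and the captured headers are all constructed assumptions.

```javascript
// Added example (not from the newsletter, the CNIL, the AEPD or Privado.ai):
// an offline cookie-consent audit over captured Set-Cookie headers.
// Cookie names, the ESSENTIAL allowlist and the sample headers are constructed.

const MONTH_SECONDS = 30 * 24 * 3600;            // assumption: one month = 30 days
const MAX_COOKIE_LIFETIME = 13 * MONTH_SECONDS;   // AEPD suggests at most 13 months

// Cookies a site may set without consent (constructed allowlist: the session
// cookie and the cookie recording the consent choice itself). Anything else
// set after a "reject" is reported, which is the pattern the CNIL found.
const ESSENTIAL = new Set(['sessionid', 'consent']);

// Parse one Set-Cookie header into name, value and lifetime in seconds.
// Max-Age wins over Expires (RFC 6265); a session cookie gets lifetime null.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), lifetime: null };
  let expires = null;
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'max-age') cookie.lifetime = parseInt(v, 10);
    else if (key === 'expires') expires = Math.round((Date.parse(v) - now) / 1000);
  }
  if (cookie.lifetime === null && expires !== null) cookie.lifetime = expires;
  return cookie;
}

// Audit the cookies one response sets, given the visitor's consent choice.
// Returns a list of findings; an empty list means nothing to report.
function auditResponse(setCookieHeaders, consentGiven, now = Date.now()) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header, now);
    if (!consentGiven && !ESSENTIAL.has(c.name)) {
      findings.push({ name: c.name, issue: 'set without consent' });
    }
    if (c.lifetime !== null && c.lifetime > MAX_COOKIE_LIFETIME) {
      findings.push({ name: c.name, issue: 'lifetime exceeds 13 months' });
    }
  }
  return findings;
}

// The AEPD says a measurement cookie's lifetime must not be extended on each
// visit. Compare the Set-Cookie headers of two visits `elapsed` seconds apart:
// a cookie whose new lifetime is longer than "old lifetime minus elapsed time"
// has been renewed.
function findRenewedCookies(firstVisit, secondVisit, elapsed) {
  const initial = new Map(firstVisit.map(h => {
    const c = parseSetCookie(h);
    return [c.name, c.lifetime];
  }));
  const renewed = [];
  for (const h of secondVisit) {
    const c = parseSetCookie(h);
    const before = initial.get(c.name);
    if (before != null && c.lifetime != null && c.lifetime > before - elapsed) {
      renewed.push(c.name);
    }
  }
  return renewed;
}

// Constructed sample: a reject-all visit that nonetheless sets two ad cookies.
const rejectVisit = [
  'sessionid=abc123; Path=/; HttpOnly; Secure',
  'consent=rejected; Max-Age=15552000; Path=/',                    // 180 days
  'ad_id=9f8e7d; Max-Age=63072000; Path=/; Domain=.example.com',   // 2 years
  'trk=1; Max-Age=2592000; Path=/',                                // 30 days
];

// Usage: node cookie_audit.js  (prints three findings: ad_id twice, trk once)
console.log(auditResponse(rejectVisit, false));
```

To audit a real site, capture the Set-Cookie headers of the response that follows a "reject" click (from a browser's network panel or a proxy) and pass them in; the allowlist is the part that needs a per-site decision, since only strictly necessary cookies qualify for the consent exemption.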

Can we use a service provider?

Yes.

The AEPD says you can use a cookies service provider for audience measurement and still benefit from the consent exemption, provided that:

  • You have a data processing agreement in place that meets the requirements of Article 28 of the GDPR.
  • The data processing agreement requires the provider:
      • Not to reuse the data for any other purpose
      • Only to use the data for the purposes set out in the previous section
      • To always separate data across different publishers
      • To comply with the GDPR’s international data transfer rules if relevant
  • You perform and document an assessment to ensure that the provider’s tools can meet the AEPD’s requirements.

What We’re Reading
