CNIL's Cookie Fine, UK GDPR Reforms, Meta Lawsuit, EU-US Data Privacy Framework

By Robert Bateman and Privado.ai

This week’s Privacy Corner Newsletter covers:

  • The French regulator’s latest cookie fine against health website Doctissimo.
  • The UK data protection authority’s support for government GDPR reform plans.
  • Meta’s defense against a Pixel-related privacy class action lawsuit.
  • The European Parliament’s rejection of the EU-US Data Privacy Framework.
  • The French regulator’s new AI Action Plan.

---

Hear the news live

Register now for The Privacy Corner Livestream conducted every week Thursday at 8 AM PT

---

French Regulator Fines Health Website for Cookies Violations

The French data protection authority (DPA), the CNIL, has fined health website Doctissimo €380,000 ($412,000) for various GDPR and ePrivacy violations.

  • Doctissimo is a website offering health-related articles, quizzes, and discussion forums.
  • The CNIL found that the company violated the GDPR’s rules on consent, storage limitation, joint controllership, and special category data concerning health.
  • The company also received a penalty under the French implementation of the ePrivacy Directive, which sets the rules on cookies.

Some further thoughts…

The CNIL is among the EU’s toughest DPAs when it comes to policing Europe’s cookie rules. Tech firms such as Google, Microsoft, and TikTok have all felt the sting of the CNIL’s cookie enforcement.

The GDPR’s rules on “special category data” are particularly strict, and violations concerning information about people’s health can lead to more severe enforcement action.

The CNIL gives an unsparing account of Doctissimo’s privacy practices, finding that the company kept data from health quizzes for too long, failed to obtain explicit consent for processing health data, and set cookies even after users had refused them.

But the company is just one of many (many) companies likely to be making the same mistakes.

We’ve seen similar enforcement against health-related companies in the US already this year, including the FTC’s actions against BetterHelp and Doctolib for using tracking cookies and pixels to fuel their ad-targeting campaigns.

And in fact, a British Medical Journal study into health apps found that 90% contain code that could collect sensitive data.

The CNIL’s fine is another reason for health app providers to start paying serious attention to privacy.

UK Regulator Offers Strong Support for Government’s GDPR Reforms

The UK’s regulator, the Information Commissioner’s Office (ICO), has formally endorsed the government’s plans to reform the UK’s data protection and privacy laws.

  • The Data Protection and Digital Information Bill (DPDIB) would amend the UK’s versions of the GDPR and ePrivacy Directive.
  • The government claims the reforms will save businesses billions without reducing protections for individuals.
  • The UK Information Commissioner gave evidence in Parliament last week, providing strong support for the bill and dismissing concerns that it would weaken data protection and harm EU relations.

Some further thoughts…

The UK government’s proposed reforms would amend several parts of the UK GDPR, including areas such as record-keeping, risk assessment, and the legal basis of “legitimate interests.”

But the bill would also make higher fines possible for violations of the Privacy and Electronic Communications Regulations (PECR), which cover electronic direct marketing and cookies.

Critics of the government’s plans argue, among other things, that the UK risks losing its coveted EU “adequate” status, which is granted to countries with strong data protection regimes.

While it’s hard to predict any impact on the UK’s adequacy decision, other critics argue that the bill “undermines trust, furthers economic instability, and erodes fundamental rights.”

Meta Court Filing Claims Third Parties Are Liable for Tracking Pixel Violations

Meta has filed a motion to dismiss a class action against “misuse” of its Pixel trackers.

  • The case alleges that Meta is liable for how healthcare providers used the Meta Pixel tracking tool to transfer sensitive health data to Meta.
  • Meta claims it “never intended, and did not want, to receive” such data and that healthcare providers are responsible for any allegedly unlawful use of the tool.
  • Meta describes the class action as a “grab-bag complaint” and says its terms of service make users liable for any damage arising out of their decision to use the Meta Pixel.

Some further thoughts…

Due to Meta’s history of data protection issues—and the omnipresence of its tracking tools across millions of websites and apps—many commentators are naturally suspicious whenever the company attempts to defend itself against allegations of privacy violations.

But in this case, Meta arguably has a point.

If a company uses pixels, cookies, and other tracking tools in a way that violates the law (and its contract with the provider), the courts will usually hold that company responsible—not the provider of the tool.

In the EU, data protection authorities have repeatedly found European companies responsible for the illegal use of tools such as Google Analytics and Meta Pixel.

Providers can face enforcement for their subsequent use of whatever data they receive via their products. But users of the products are usually held responsible for ensuring they obey the law when collecting or sharing data.

European Parliament Votes Against EU-US Data Privacy Framework

The European Parliament has voted against supporting a new framework that would make it easier to transfer personal data from the EU to the US.

  • The EU-US Data Privacy Framework (EU-US DPF) is the third attempt at a scheme enabling US companies to freely receive personal data from the EU.
  • The previous two attempts, known as “Safe Harbor” and “Privacy Shield,” were shot down by the EU’s top court following cases by privacy campaigner Max Schrems.
  • The European Parliament has no formal role in the approval process but claims the EU-US DPF does not sufficiently restrict US surveillance activities and will likely meet the same fate as its predecessors.

Some further thoughts…

The EU-US DPF represents two years of negotiations between Brussels and Washington as they try to solve one of data protection’s hardest problems: How to bridge the gap between intrusive US intelligence-gathering and strong EU fundamental rights.

Since the last such attempt was invalidated in the “Schrems II” judgment of the Court of Justice of the European Union (CJEU), thousands of businesses have been forced to paper over the EU-US data transfer cracks with legally dubious safeguards.

The European Parliament claims the EU-US DPF is an improvement over its predecessors. But its resolution cites major concerns around US “signals intelligence” activity, legal certainty, and individual redress for victims of unlawful surveillance.

The Parliament is not directly involved in approving the “adequacy decision” that will bring the EU-US DPF into EU law. That job is for the European Commission and a select body of member state representatives known as the “comitology committee.”

Nonetheless, the Parliament’s scathing assessment of the framework lends further support to the Commission’s opponents.

French Regulator Gives Details of AI Regulatory Action Plan

The French data protection authority (“CNIL”) has published an action plan setting out its approach to regulating AI.

  • The French DPA is one of several EU regulators that have announced a focus on AI enforcement.
  • The wide-ranging plan addresses many areas where AI interacts with the GDPR, including individual rights, data security, and transparency in the training process.
  • The European Data Protection Board (EDPB), which hosts a representative from each of the EU’s 27 national data protection regulators, has also set up an “AI Task Force” to coordinate AI enforcement across EU countries.

Some further thoughts…

The Privacy Corner Newsletter covered OpenAI’s run-in with the Italian regulator a few weeks ago after the company’s GDPR compliance efforts allowed it to reinstate Italians’ access to ChatGPT.

But while OpenAI managed to temporarily satisfy one European regulator, generative AI’s data protection issues are far from resolved.

The CNIL’s AI Action Plan appears much wider in scope than Italy’s OpenAI investigation. In addition to the tricky problems of transparency and data rights, the French regulator has its sights set on issues such as bias and discrimination, web-scraping, and security.

The CNIL states that it is already investigating several complaints against AI developers. Besides these ongoing enforcement efforts, the AI Action Plan will focus on:

  • Assessing the impacts of AI systems on individuals.
  • Enabling the development of “AI that respects personal data.”
  • Supporting “innovative players” in the European AI market.
  • Auditing AI systems to “protect people.”
