Facebook case forwarded

German Facebook case forwarded to ECJ with questions pending

Facebook case forwarded to ECJ after Facebook appealed German competition authority’s order to halt data collection practices. 

 

In recent times, Facebook has come under fire for its data collection practices, which span several integrated platforms. The company has been accused of ‘superprofiling’, and has been in court with German authorities over a pro-privacy order to stop combining user data across platforms without consent. This order has met with much resistance, and an appeal from Facebook has led German authorities to seek guidance from the European Court of Justice.

 

Facebook was accused of abuse of power for collecting and sharing data across platforms without user consent. 

 

There has been major concern over Facebook sharing data between its platforms, including Instagram, WhatsApp, and Oculus, as well as third-party apps. This, coupled with the volume of data Facebook collects freely without the need for user consent, has led to the tech giant being accused of abuse of power by German authorities. There has been some pushback on this, particularly from Düsseldorf’s Higher Regional Court Judge in preliminary hearings regarding the matter. Judge Jürgen Kühnen argued that Facebook’s data use did not result in an abuse of its dominant position in the market. The contention here is that Facebook’s ability to build a unique database for each individual gives the tech firm an unfair market advantage over other companies that do not have access to that much detailed data on users. The Bundeskartellamt (Federal Cartel Office, FCO) claims that this data collection is not lawful under the EU’s legal framework, as it essentially does not give users a choice.

 

German Competition Authority has attempted to place restrictions on Facebook’s collection of user data. 

 

Earlier this year, Germany’s competition authority placed restrictions on Facebook’s data-processing activities. Facebook was ordered to stop combining data collected from WhatsApp, Instagram and other third parties until it had received voluntary user consent. This would have required Facebook to considerably reduce its collection and combining of user data until it receives consent from users. Under Facebook’s terms and conditions, users operate on the social networking platform under the precondition that their data would be collected. However, in February of this year, the competition authority came to a preliminary decision regarding this practice and ordered Facebook to stop combining and collecting user data across these platforms until it has received genuine consent from users. This decision, however, was not final and left room for appeal from Facebook.

 

Facebook appealed the decision, arguing that its terms allowed users to fully benefit from their services, and as a result this case has been forwarded to the ECJ. 

 

Facebook appealed the decision made by the German Competition Authority in February of this year. At the time, Facebook said in a blog post: “While we’ve cooperated with the Bundeskartellamt for nearly three years and will continue our discussions, we disagree with their conclusions and intend to appeal so that people in Germany continue to benefit fully from all our services.” The German authority maintains that the social media company is guilty of a level of exploitative abuse which violates EU regulation. As a result, questions regarding this case have been forwarded to the European Court of Justice in order to arrive at a final conclusion.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Belgian DPA fines Family Service

Belgian DPA fines Family Service for various breaches of the GDPR

Belgian DPA fines Family Service 50,000 euros for various breaches of the GDPR including the transfer of personal data to third parties. 

 

Family Service, a Belgian company which brands itself as a gatekeeper in family marketing, has recently been fined by the Belgian DPA for various breaches of the GDPR. The company is well known for distributing “pink boxes” to expectant parents, helping brands market their products and services to families. The boxes contain samples, special offers and information sheets for these families. They are typically distributed by gynaecologists and hospitals, which may have given recipients the idea that this is a public sector initiative rather than the work of a private company whose core business is trading data.

 

The company was found to have transferred personal data to third parties without valid consent. 

 

A complaint was filed with the Belgian DPA, claiming that the company transferred personal data to third parties, including data brokers, and that this was done without the valid consent of the customer and without the provision of sufficient information. Through their investigation, the Inspection Service and the Litigation Chamber of the Belgian DPA found not only that this consent was indeed invalid, but also that the company was renting and/or selling personal data for commercial purposes. Customers were ill-informed that the company behind the distribution of those boxes was in the practice of selling and/or renting this data, as this was not communicated in a clear and comprehensible manner.

 

It became clear that the consent given to the company was neither informed, nor specific, as the consent was given based on the consumers’ receipt of those boxes. In addition, the Belgian DPA found that this consent was not freely given either, as a lack of consent in this case involved the family forgoing some benefits. 

 

The Belgian DPA imposed a fine of 50,000 euro and ordered Family Service to comply with the GDPR. 

 

The Belgian DPA, taking into account the reach of this company in determining the impact of this data breach, found that Family Service processes data of roughly 21.10% of the Belgian population. The company website itself boasts a coverage of roughly 97% of new and expectant parents in Belgium. The Litigation Chamber of the Belgian DPA decided to impose a fine of EUR 50,000, based on this reach, as well as the seriousness of the breach and the nature of the data processed (particularly data relating to children). This fine is considered substantial given the size of the company; however, the Belgian DPA felt that a significant fine was necessary due to the seriousness of the GDPR breaches by this company. The authority also ordered the company to ensure compliance with the GDPR moving forward.

 


CJEU Advocate General opinion

CJEU Advocate General opinion on Facebook case

The CJEU Advocate General delivered his opinion on the ongoing case between Facebook and the Belgian Data Protection Authority. 

 

On January 13th, the CJEU Advocate General delivered his opinion on the Facebook case, outlined in a recent press release from the CJEU. This case has been ongoing since May 25th 2018, when the Belgian DPA (which was at the time known as the Privacy Commission) found Facebook to be in serious violation of the privacy rights of Belgian citizens. The company was found to have been placing cookies on internet users’ computers and subsequently collecting these cookies via social plugins and pixels on the websites that these users visit, resulting in the collection of information on the surfing behavior of millions of internet users in Belgium. The court of Brussels, after examining the details of this case, decided to refer to the CJEU for clarification on certain aspects of this case to determine whether the Belgian DPA could indeed pursue legal action against Facebook under the GDPR. The CJEU Advocate General reiterated the principle defended by the Belgian DPA: that the one-stop-shop mechanism under the GDPR does not prevent supervisory authorities from bringing proceedings before a national judge, as long as it is in situations specifically provided for in the GDPR. As a result, the CJEU will take a decision in this case. It is unknown when a judgement will be delivered.

 

The Belgian DPA argues that the one-stop-shop mechanism does not affect its competency in seeing these proceedings through in a civil court. 

 

The ‘one-stop-shop mechanism’ established by the GDPR ensures cooperation between the Data Protection Authorities in the case of cross-border processing. With Facebook’s European headquarters in Dublin, Ireland, this mechanism provides that the Irish DPC is competent to take sanctions against the company. The question raised by the Belgian DPA was whether this one-stop-shop mechanism also allows data protection authorities (such as the BE DPA) to initiate court proceedings as well. The Belgian DPA argues that the one-stop-shop mechanism does not affect its competency in seeing these proceedings through in a civil court.

The CJEU Advocate General confirmed that the Belgian DPA, though not the lead authority, may proceed with court action.

 

This case was heard by the CJEU in an initial hearing on October 5th, 2020, and on January 13th, Michal Bobek, the CJEU Advocate General, delivered his opinion on this case. He confirmed that a national authority which is not the lead authority for a cross-border data processing operation may indeed initiate court proceedings in certain situations, particularly in situations where the GDPR specifies its competency to proceed with such action. In this case, the CJEU Advocate General is of the opinion that the Belgian DPA, though not the lead authority, may proceed with court action. In the press release by the CJEU, Mr Bobek was quoted as saying: “The data protection authority in the State where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing. The other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective Member State in situations where the GDPR specifically allows them to do so.” With this information, the CJEU will now be the court delivering a decision in this case. At this time, it is not known when this decision can be expected.


Amazon facing lawsuit in Germany

Amazon facing lawsuit in Germany, accused of breaking the EU’s privacy laws.

Amazon is facing a lawsuit in Germany after being accused of breaking the EU’s privacy laws by continuing to use the EU-US Privacy Shield.

 

The global giant Amazon is currently facing a lawsuit and has been accused of breaking the privacy laws in Europe, according to a recent article from Politico. The company has been accused of using the Privacy Shield despite its previous invalidation in Europe, which has led to this lawsuit. The basis is that the Court of Justice of the European Union made clear that transferring data through the Privacy Shield was no longer allowed following July’s Schrems II judgment. This ruling invalidated the EU-US Privacy Shield. The reason for the invalidation was that the CJEU decided that shipping data outside of the EU put it at risk. According to the CJEU, US surveillance practices are more intrusive than they should be and go beyond what is acceptable for privacy. While Amazon understands that the Privacy Shield is invalid, it appears to have continued to use this invalidated transfer mechanism.

Standard Contractual Clauses are still a viable option for companies needing to transfer data.

Standard Contractual Clauses (SCCs) are another option for the technology giants and are used by the likes of Google and Facebook. The difference is that exporting data from the EU using SCCs requires more supervision, and better ensures the safety of the data. While SCCs give these companies an alternative, the clauses come with caveats, and are not entirely free of problems. Right now, Facebook is at odds with the Irish data regulators over its use of the clauses.

EuGD takes legal action against Amazon.

EuGD (Europäische Gesellschaft für Datenschutz) decided to take action, putting forth the formal legal complaint that escalated the conflict. The recent article by Vincent Manancourt features a statement from Johann Hermann, the current head of EuGD, the group behind the legal complaint. “The [Court of Justice of the European Union] has made it clear that data transfers to the U.S. on the basis of the Privacy Shield are no longer permitted. If the world’s leading cloud company and largest e-commerce provider remains inactive for more than two months and ignores consumer rights, that is unacceptable,” said Mr Hermann. Moreover, the founder of EuGD, Thomas Bindl, said that taking the legal route was a decision made taking into consideration similar conflicts.

Despite the noise and controversy surrounding the conflict and impending lawsuit, it is still necessary to wait and see the developments in court. However, regardless of the outcome of the ruling, this will likely inspire greater vigilance and compliance on the part of companies that may also be transferring data out of Europe.

 

Do you make international data transfers to third countries? Are you affected by the Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.