Cookies – the CNIL publishes new practical recommendations
In July 2019, the CNIL adopted new guidelines on the law applicable to cookies. In addition to these guidelines, on January 14, 2020 the CNIL published draft practical recommendations on how to obtain consent for the installation of cookies. Following the public consultation launched by the CNIL on this topic, which closed on February 25, a final version of these guidelines should soon be released. The CNIL specified that, following publication of the final version of its recommendations, controllers would be given a 6-month period to comply, after which the CNIL would start imposing sanctions.
- Consent must be:
  - prior to the installation of any cookie on the user’s terminal equipment;
  - specific, i.e. provided purpose by purpose. Global consent may be offered, but only in addition to the possibility to consent specifically to each purpose;
  - informed, i.e. users must at least be provided with the following information in clear and simple terms: the identity of the data controller, the purposes of the operations of storing or gaining access to the user’s data, and the right to withdraw consent.
- The procedures for consenting to or refusing cookies must be clear, simple and equivalent. It should not be easier to consent than to refuse. Refusals must be recorded for a sufficient period of time, so that the user is not pressured into consenting, as such a consent would be invalid.
- Consent can only be given for a limited period of time, which will depend on the context and extent of the user’s consent, as well as their expectations. The CNIL considers that a period of validity of 6 months should generally be appropriate. Users must be able to easily withdraw consent at any time.
- The controller must be able, on the one hand, to provide individual evidence of the collection of user consent (e.g. with a dedicated tracker) and, on the other hand, to demonstrate that the consent-collection mechanism is compliant with GDPR requirements (e.g. through a screenshot or software code escrow).
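The consent rules above, expressed as a small client-side consent ledger; this is an added example written for this page, not code published by the CNIL. The purpose names, the in-memory ledger shape and the 182-day approximation of the 6-month validity period are assumptions.

```javascript
// Added example: per-purpose consent ledger following the CNIL recommendations.
// Names, purposes and the storage shape are assumptions, not CNIL specifications.

const CONSENT_VALIDITY_MS = 182 * 24 * 60 * 60 * 1000; // about 6 months (assumed approximation)
const PURPOSES = ['analytics', 'advertising', 'personalisation']; // constructed sample purposes

// Every decision is recorded purpose by purpose with a timestamp, so refusals are
// remembered (the user is not re-prompted) and the controller can evidence consent.
function recordDecision(ledger, decisions, now) {
  const entries = { ...ledger };
  for (const [purpose, granted] of Object.entries(decisions)) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    entries[purpose] = { granted: Boolean(granted), at: now };
  }
  return entries;
}

// "Accept all" is only offered in addition to the per-purpose choice, so it is
// stored as the same per-purpose record rather than as a single global flag.
function recordAcceptAll(ledger, now) {
  return recordDecision(ledger, Object.fromEntries(PURPOSES.map(p => [p, true])), now);
}

// Withdrawal is a new refusal for that purpose; the earlier grant is overwritten.
function withdraw(ledger, purpose, now) {
  return recordDecision(ledger, { [purpose]: false }, now);
}

// Returns 'granted', 'refused' or 'undecided'. Both grants and refusals are kept
// for the validity window; once it lapses the user must be asked again.
function consentStatus(ledger, purpose, now) {
  const entry = ledger[purpose];
  if (!entry) return 'undecided';
  if (now - entry.at >= CONSENT_VALIDITY_MS) return 'undecided';
  return entry.granted ? 'granted' : 'refused';
}

// Gate to call before setting any non-essential cookie: nothing is installed
// without a current, positive decision for that specific purpose.
function maySetCookie(ledger, purpose, now) {
  return consentStatus(ledger, purpose, now) === 'granted';
}

// Evidence the controller can retain: who decided what, for which purpose, when.
function evidence(ledger) {
  return Object.entries(ledger).map(([purpose, e]) => ({
    purpose, granted: e.granted, at: new Date(e.at).toISOString(),
  }));
}
```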
Whistleblowing – the CNIL publishes a new scheme
The new scheme published by the CNIL in December 2019 updates and consolidates the CNIL’s position on whistleblowing systems. It replaces the CNIL’s decision “AU-004” and anticipates changes introduced by EU directive 2019/1937 on the protection of whistleblowers, which should be transposed by December 17, 2021.
New key points
- The scheme constitutes a single framework for all whistleblowing systems (whether statutory or not) put in place by public sector and private sector entities. It therefore covers:
  - general whistleblowing systems imposed by article 8.III of the French anticorruption law “Sapin 2”;
  - whistleblowing systems to report corruption or influence peddling, as imposed by article 17.II.2 of the French anticorruption law “Sapin 2”;
  - whistleblowing systems implemented to comply with the general duty of vigilance imposed by article L.225-102-4 of the French code of commerce;
  - optional whistleblowing systems;
  - mixed whistleblowing systems including both statutory and optional systems. In the case of mixed systems, technical and/or organisational measures must be put in place to identify the framework applicable to each report sent through the system.
- All potential data subjects must be informed of the whistleblowing system prior to its implementation. Potential data subjects include employees of the entity implementing the system, as well as third party individuals and legal entities in a direct contractual relationship with this entity. To the extent possible, relevant information should be provided individually to each potential data subject.
- Each person making a report through the system must receive a time-stamped receipt summarising the content of the report and attached documents (if any), so that this person may, to the extent applicable, benefit from the specific protection offered to whistleblowers.
- The scheme lists security measures that must be put in place (authentication of users, management of clearances, access tracking, breach management, security of workstations and servers, use of cryptographic functions…). Failing this, the entity implementing the whistleblowing system must be able to demonstrate that a given security measure is not applicable or that the security measures it has put in place are equivalent to those recommended by the CNIL.
- The CNIL points out that whistleblowing systems should not encourage anonymous reports, which is quite specific to France. This means that the possibility to make anonymous reports (if any) should not be advertised. It is possible to require that the person making a report identifies themselves.
- Data collected through the whistleblowing system (both at the reporting and handling stage) can be shared within a group of companies, if such a communication is necessary for the sole purposes of checking and handling the report.
- Whistleblowing systems are processing activities for which a data protection impact assessment (“DPIA”) is always required.
- The scheme only tackles compliance with data protection law. Other laws and regulations may apply, in particular with respect to statutory whistleblowing systems, or under French labour law, which requires employees’ representative bodies to be informed and consulted prior to the implementation of a whistleblowing system.
SCHREMS II – A conditioned upholding of the validity of standard contractual clauses
After the memorable invalidation of the Safe Harbor in the “Schrems I” case, the “Schrems II” case will have the CJEU rule on the validity of standard contractual clauses (“SCCs”) for data transfers to a data processor located outside the EU (in the case at stake, in the US). The case could also indirectly tackle the question of the validity of the Privacy Shield. The advocate general’s opinion dated December 19, 2019 provides an insight into the reasoning the Court could follow to uphold, subject to conditions, the validity of SCCs. Although this opinion is a non-binding advisory only, it seems very likely that the Court will follow its direction.
In a nutshell
According to the advocate general, SCCs (processor) are a valid transfer tool, but the execution of SCCs does not per se render a data transfer outside the EU compliant with GDPR requirements. Rather, data controllers (exporters) or, failing that, supervisory authorities are responsible for ensuring, on a case-by-case basis, for each specific transfer, that the law of the third country of destination does not constitute an obstacle to the implementation of the SCCs and, therefore, to an adequate protection of the transferred data. In case of an obstacle, transfers must be suspended and/or the processor agreement terminated.
Though the advocate general concludes that there is no need for the Court to examine this question as part of the “Schrems I” case, he voices concerns about the validity of the Privacy Shield as an adequate transfer tool. This issue should in any case be decided by the CJEU in another pending case brought by La Quadrature du Net.
Safety measures for transfers based on SCCs
- Implement a mechanism to audit and demonstrate the correct implementation of SCCs. At the end of the day, this obligation lies on the data controller. However, it is highly dependent on the processor, who is in possession of the elements needed to evidence this compliance.
- For transfers based on SCCs which are sensitive for the controller (e.g. due to the quantity or type of transferred data), take steps to obtain information about the law of the third country of destination and determine, on a case-by-case basis, whether such law is likely to constitute an obstacle to the implementation of the SCCs.
- Think of alternate solutions where a risk has been identified (transfers to another country, use of an alternate transfer tool).
Coronavirus – The CNIL issues reminders on personal data collection
In the context of the health crisis related to the coronavirus, the CNIL published in March 2020 a reminder of some principles relating to the collection and use of personal data, in particular health data, of employees, agents or visitors.
What not to do
- Employers cannot take measures likely to infringe the privacy of the data subjects, in particular by collecting health data that would go beyond the management of suspected exposure to the virus.
- In practice, employers should therefore refrain from collecting information relating to the search for possible symptoms presented by an employee/visitor and his/her relatives in a systematic and generalised manner, or through surveys and individual requests (e.g. the collection of medical records or questionnaires from all employees or visitors).
What can be done
- The employer is responsible for the health and safety of employees/agents and must, in this respect, implement occupational risk prevention actions, information and training actions and put in place appropriate organisation and means (e.g. by inviting its employees to provide individual feedback of information concerning them in relation to possible exposure or by promoting remote working modes).
- In the event of a report, an employer may record (i) the date and identity of the person suspected of having been exposed and (ii) the organizational measures taken. This will enable the employer to provide the health authorities, upon request, with the information necessary for possible medical care of the exposed person.
- The companies may also need to establish a “business continuity plan” to maintain the core business of the organization. This plan must in particular provide for all the measures to protect the safety of the employees, identify the essential activities to be maintained as well as the people needed to ensure continuity of service.
Brexit – Business as usual?
Despite Brexit on January 31, 2020, GDPR continues to apply in the UK until December 31, 2020. The EDPB and ICO seem very eager to try and agree on a draft adequacy decision that could be adopted by the EU Commission before the end of the year. If so, controllers located in the EU who have not done so already would be spared the need to implement out-of-EU data transfer tools for commercial partners, customers, etc. located in the UK.
Developers – The CNIL publishes GDPR guidelines for developers
The GDPR guide for developers released by the CNIL on January 28, 2020 is composed of 16 topics to enable developers (i) to understand the core principles of GDPR (e.g. the notion of personal data, information to be provided to individuals, the notion of legal basis, rights of the individual over their personal data) and (ii) to obtain technical advice meant to ensure GDPR compliance of a processing activity (managing source code, libraries and SDKs, securing websites, applications and servers…). In addition to this guide, the “LINC” (the CNIL’s think-tank) launched the “Data & Design” website. The website contains practical examples of compliant designs in terms of information and consent of data subjects and exercise of individual rights. It also features an online community.
CCPA – Entry into force of the California Consumer Privacy Act
From January 1, 2020, the California Consumer Privacy Act (“CCPA”) is applicable to French companies which (i) collect personal information about consumers who are California residents, (ii) do business in California and (iii) have annual gross revenues in excess of 25 million dollars; annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or derive 50% or more of their annual revenues from selling consumers’ personal information.
Obligations provided under CCPA may appear similar to existing obligations under GDPR, but the Act also contains specific obligations, such as the right for consumers to opt-out of the sale of their personal information. The CCPA will therefore require companies to update some of their documentation and processes (information notices, consent collection forms, data processing agreements, processes for exercising individual rights…).
The Attorney General will not bring enforcement actions under the CCPA before July 1, 2020.
“P2B” REGULATION (EU) 2019/1150 – New obligations for platforms and search engines
From July 12, 2020, online platforms (marketplaces, app stores, social media…) and search engines will have to comply with the new obligations set out by the “P2B” Regulation (EU) 2019/1150 towards their business customers established within the EU who use their services to offer goods or services to consumers located in the EU.
Several of these obligations are similar to obligations imposed on platforms under articles L.111-7 and following of the French consumer code. Others prohibit certain unfair practices and contract terms. Note that the validity of such contract terms is already questionable under article 1171 of the French civil code and article L.442-1 of the French code of commerce, which prohibit terms creating a “significant imbalance”; on that basis, a 4-million fine was imposed on Amazon by the commercial court of Paris on September 12, 2019.
Obligations applicable to both platforms and search engines
- Transparency on ranking parameters in order to enable business users to improve the presentation of their goods and services. Platforms and search engines will therefore have to disclose the general criteria, processes, specific signals incorporated into algorithms or other adjustment or demotion mechanisms used in connection with the ranking. This should not, however, lead to the disclosure of algorithms or of any information that would enable consumers to be deceived through the manipulation of search results.
- Transparency on any differentiated treatment given or potentially given by the platform or search engine for its own benefit or that of a third party, notably in terms of ranking, access to certain data, functionalities or remuneration.
Main obligations specific to platforms
- Providing clear and unequivocal terms and conditions, on a durable medium.
- Prohibition of retroactive changes to terms and conditions or changes effective immediately without prior notice, except when they are required to respect a legal obligation or for urgent security reasons.
- Prohibition of account suspension, termination or access restriction without reason. In addition, platforms will only be allowed to terminate the provision of their services to a given business user if they have provided such user with at least 30 days’ prior notice, unless termination results from a legal obligation, an imperative reason pursuant to applicable law, or repeated infringements by the business user.
- Transparency regarding access to data. Platforms will have to specify if and under what conditions they access data (whether personal or not) provided by their business users, but also by consumers who buy their goods or services from the latter, through the platform. Similarly, they will have to specify if business users can access such data, and under what conditions.
- Providing a free internal complaint-handling system. Platforms will also be expected to make available annual statistics regarding this system (number of lodged complaints, main types of complaints, average time period needed to process the complaints and complaints outcomes).
- Identification of at least two mediators with which the platform is willing to engage to attempt to reach an agreement in case of a dispute with a business user. In France, platforms could for example name the business mediator of the Ministry of Economy and Finance (“médiateur des entreprises”).
Paris Court rulings against Twitter, Google and Facebook - unfair contract terms to ban from B2C general conditions
Three judgments handed down by the Paris court against Twitter (August 7, 2018), Google (February 12, 2019) and Facebook (April 9, 2019), following actions brought by the UFC Que Choisir consumer association, are a useful reminder that, in B2C contracts, “clauses which aim to create or result in the creation, to the detriment of the consumer, of a significant imbalance between the rights and obligations of the parties to the contract, are unfair” (article L.212-1 of the French consumer code).
The court also reiterates that the sections of the French consumer code relating to unfair contract terms apply to any B2C contract, whether concluded for a price or not.
Interestingly, several terms qualified as unfair by the court were linked to the use of consumer’s personal data and could therefore also be sanctioned under GDPR.
Our selection of unfair contract terms (among over 700 identified by the court)
- Terms leading the consumer to believe that the business is offering a service which is in fact imposed by law. This means that B2C general conditions should not include terms presenting a consumer’s right to access or obtain their data as resulting from the business’s good will, when such are statutory rights of the consumer.
- Terms limiting the business’s liability. This notably targets contract terms which lead the consumer to believe that they are solely responsible for securing their account or for contents they publish, as well as those which allow the business to amend or suspend its service without cause, without prior notice and without any liability.
- Terms making it look like use of the consumer’s data is meant to improve the quality of the service for the benefit of the consumer, when such use first and foremost benefits the business, which derives substantial remuneration from it.
- Terms by which the consumer grants the business a general copyright licence to use in any way it wants all contents published by the consumer, free of charge. Such contract terms are not allowed under the French intellectual property code, which prohibits total transfer of future works and provides that copyright transfers are subject to each of the assigned rights being separately mentioned and the field of exploitation of the assigned rights being defined in a written agreement. What’s more, the court considers that, because the business does not comply with applicable intellectual property law with respect to IP rights of the consumers, terms requiring consumers to comply with such law with regard to IP rights owned by the business should be considered as unfair.
- Terms referring the consumer to a foreign law or documents written in a foreign language.
Terms which are found unfair by the court are deemed unwritten. Businesses also face publicity sanctions as well as administrative fines up to 15,000 euros.
Class actions can also be envisaged.
As a matter of fact, further to the court’s ruling against Google, UFC Que Choisir decided to launch a class action with a view to obtaining – among other things – a compensation of 1,000 euros for each consumer owning Android equipment.
It must finally be noted that EU directive 2019/2161 as regards the better enforcement and modernisation of Union consumer protection rules (which must be transposed by November 28, 2021) provides for a significant increase in applicable fines in case of non-compliance with rules regarding unfair contract terms (up to 4% of the business’s annual turnover in the Member State(s) concerned or, when this information is not available, up to 2 million euros).