Data Protection Weekly 1/2023

Jan 6, 2023

National Authorities

Germany: Munich Regional Court (LG München): Cookie banner with decline button only on second layer is inadmissible

Setting advertising and marketing cookies requires the user's consent, as both the ECJ and the Federal Supreme Court have already decided. The Munich Regional Court I (judgment of 29.11.2022 – 33 O 14776/19) has now ruled that a cookie banner is unlawful if it only allows consent to be refused on the second layer, so that refusing takes more effort than consenting on the first layer. Read judgment (in German) here.

Global

Google settles two more location tracking lawsuits worth $29.5 million in US

“Google has settled two more location tracking lawsuits worth $29.5 million filed in Washington, DC and Indiana states in the US.

The search giant is required to pay $9.5 million to Washington, DC and $20 million to Indiana after the states sued the tech giant for allegedly tracking users’ locations without their consent.

The $29.5 million settlement adds to the $391.5 million Google agreed to pay to 40 states over similar allegations last month.” Read more here.

Twitter in data protection probe after ‘400 million’ user details up for sale

“A watchdog is to investigate Twitter after a hacker claimed to have private details linked to more than 400 million accounts.

The hacker, “Ryushi”, is demanding $200,000 (£166,000) to hand over the data – reported to include that of some celebrities – and delete it.

Ireland’s Data Protection Commission (DPC) says it “will examine Twitter’s compliance with data-protection law in relation to that security issue”.

Twitter has not commented on the claim.

The data is said to include phone numbers and emails, including those belonging to celebrities and politicians, but the purported size of the haul is not confirmed. Only a small “sample” has so far been made public.” Read more from the BBC here.

Fines

Romania: Kaufland Romania fined for breach of GDPR

In November 2022, the National Supervisory Authority completed an investigation at Kaufland Romania SCS and found a breach of Article 29 and Article 32 para. (1)(b), para. (2) and para. (4) of the GDPR (Regulation (EU) No 2016/679).

As such, the operator Kaufland Romania SCS was fined 14,779.80 lei (equivalent to 3,000 EUR). […] In the course of the investigation, it emerged that the store manager had allowed an employee access to the monitoring room; the employee had captured images of the running video footage with his personal mobile phone and transmitted them via WhatsApp to a third party. Subsequently, the images were posted by an online publication. As a result, the image and the car’s registration number were revealed and two people were affected by the incident. Press release (in Romanian) here.

Ireland: Meta prohibited from use of personal data for advertisement

“Meta (Facebook and Instagram) prohibited from using personal data for advertisement. Major blow to Meta’s business model in Europe, following noyb litigation. Fine for Meta more than tenfold from € 28 million to € 390 million. Third case on WhatsApp pending.

As confirmed by the Irish Data Protection Commission (DPC), the European Data Protection Board (EDPB) has rejected the Irish DPC and Meta’s bypass of the GDPR based on noyb complaints against Facebook and Instagram. Meta is now prohibited to bypass the GDPR via a clause in the terms and conditions. Meta has to get “opt-in” consent for personalized advertisement and must provide users with a “yes/no” option. The decision on a third parallel case on WhatsApp is delayed until mid-January.” Read full article at noyb here.

France: Apple fined 8 million EUR in French privacy case

“France’s data protection authority CNIL has fined Apple €8 million for privacy violations.

The regulator found that the U.S. tech giant did not “obtain the consent of French iPhone users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals,” according to a statement released Wednesday.

The case stems from a March 2021 complaint lodged by start-up lobby France Digitale, which argued Apple did not respect data protection rules. POLITICO first reported last year on the CNIL’s doubts about Apple’s privacy compliance.” Read full article at Politico here.