Data Protection Weekly 10/2022

Mar 14, 2022

European Union

 

IAB Europe publishes guide to the post third-party cookie era

IAB Europe published, on 10 March 2022, a Guide to the post third-party cookie era, intended to help brands, publishers and tech intermediaries prepare for it.

The Guide provides a complete deep-dive into the following key themes:

  • the main contributing factors to the depletion of third-party cookies;
  • the impact on stakeholder usage of proprietary platforms;
  • the impact on measurement and ad verification;
  • a detailed overview of the current non third-party post-cookie solutions; and
  • information on how stakeholders can contribute to the ongoing development of these solutions.

You can read the Guide here.

National Authorities

Denmark: Datatilsynet publishes guidance on use of cloud technologies

Datatilsynet announced, on 9 March 2022, that it had published a new guide on the use of cloud services.

The guide contains, among other things:

  • instructions on how to assess data processors (the minimum requirements that should be requested), and how to ensure processing takes place in accordance with set instructions;
  • a section dedicated to data transfers to third countries and the US; and
  • practical questions data controllers intending to use cloud services may ask themselves.

You can read the guide here.

Fines

Croatia: AZOP fines energy company €124,000 for failure to submit video surveillance recordings at request of data subjects

The AZOP published, on 8 March 2022, its decision in which it imposed a fine of HRK 940,000 (approx. €124,000) on an unnamed energy sector company for a violation of Article 15(3) of the GDPR, for failure to submit video surveillance recordings at the request of the data subject.

AZOP initiated its investigation following a claim filed by the complainant, who had requested that the company submit video surveillance camera footage of the complainant, specifying the date and time. The complainant had used the services of a petrol station at one of the company’s branches and, being dissatisfied, filed a complaint in accordance with consumer protection regulations.

The company rejected the request as it considered that there was no written request from the competent authorities to provide a copy of the recording, that the purpose of the request was not justified, and that obtaining such a copy would adversely affect the rights and freedoms of petrol station employees and customers.

At the prior request of the complainant, the AZOP gave a general opinion on the obligation of the data controller to provide copies of the requested video surveillance footage. However, the company noted that it could no longer provide the requested recordings since the footage is deleted after seven days.

Further to this, AZOP found that the company violated the right to access personal data by denying the individual the right to obtain a copy of the CCTV footage.

To determine the amount of the fine, AZOP took into account the indirect material damage to the complainant (the company indirectly avoided potential financial damage it could suffer due to the dispute by not submitting a recording it eliminated, which could potentially be important evidence in the proceeding).

Based on these findings, AZOP deemed it appropriate to impose the aforementioned fine on the company for violation of Article 15(3) of the GDPR.

You can read the decision, only available in Croatian, here.

Italy: Garante fines Clearview AI €20M and bans use of biometric data and monitoring of data subjects in Italy

The Garante published, on 9 March 2022, its decision in Case No. 50, as issued on 10 February 2022, in which it imposed a fine of €20 million on Clearview AI, Inc., for violations of Articles 5, 6, 9, 12, 13, 14, 15, and 27 of the GDPR, following an investigation launched by the Garante further to complaints submitted by individuals and privacy advocacy organisations.

Clearview AI, a company headquartered in the US, reportedly owns a database including over 10 billion facial images from individuals all over the world, which are extracted from public web sources via web scraping. The company offers a search service which allows, through AI systems, the creation of profiles on the basis of the biometric data extracted from the images and associated metadata.

The complaints received by the Garante concerned the unlawfulness of the data processing carried out by Clearview AI, its failure to respond to requests for access to data pursuant to Article 15 of the GDPR, and the lack of consent to the processing.

Further to the above, the Garante examined the applicability of the GDPR to the processing carried out by Clearview AI, in response to Clearview AI's repeated statements that it was not subject to the GDPR.

As Clearview AI had admitted, its activity requires extracting biometric data from the images collected on the web and using them for comparative purposes.

In light of this, the Garante determined that the GDPR applied to the processing in question.

Consequently, the Garante determined that the personal data held by Clearview AI, including biometric and geolocation information, was processed in violation of:

  • Article 5 of the GDPR: Clearview AI had failed to adequately inform data subjects, processed data subjects’ data for purposes other than those for which it had been made available online, and had not set out any data storage period;
  • Article 6 of the GDPR: the Garante considered that no legal basis justified the data processing;
  • Article 9 of the GDPR: the processing of biometric data carried out by Clearview AI did not meet any of the exceptions to the general prohibition of the processing of sensitive data;
  • Article 12 of the GDPR, due to the inadequacy of the responses received by the complainants, the unjustified delay in providing the same, and the excessive requests of Clearview AI for verifying the identities of the complainants;
  • Article 15 of the GDPR, as the complainant had not received a precise and transparent communication with reference to the categories of information listed therein; and
  • Article 27 of the GDPR, on the basis that Clearview AI had failed to nominate a representative in the EU.

In conclusion, the Garante imposed a fine of €20 million and ordered Clearview AI:

  • to erase the data relating to individuals in Italy;
  • to cease any further collection and processing of personal data through its facial recognition system; and
  • to designate, within 30 days, a representative in the EU.

The Garante also required Clearview AI to communicate, within 30 days, the measures implemented to comply with the decision.

You can read the decision, only available in Italian, here.