Last week in Privacy (week 38)

Finnish Telecoms regulator now offering immunities from cookie consent complaints


The latest cookie decision by the Finnish Telecoms regulator Traficom complicates the current cookie consent dispute in Finland. In a decision dated 14 September 2020, Traficom declared a complaint inadmissible as “it is probable that the website in question is not in breach of the Finnish Act on Electronic Communications Services.”


A complaint was filed against the website that used a simple cookie banner on its website. The banner stated that the end user accepts the cookies by continuing to use the website. The website used a mechanism that the Finnish Data Protection Authority found ‘illegal’ in an earlier decision in May 2020.


According to the final decision, Traficom provided the website operator with guidance and therefore it is probable that the website in question is not in breach of the law. Based on the guidance received, the website removed its cookie banner and now relies on browser settings to obtain consent from the end users. The current information refers to "opt-out consent" and warns that opting out will negatively effect on the website by weakeking the experience or even completely preventing the usage.


Considering the website’s current setup, this decision verifies that the consent for cookies in Finland does not have to be 1) freely given, 2) specific, 3) informed nor 4) unambiguous indication of the data subject's wishes. Despite the Finnish DPA clearly arguing that “the GDPR’s provisions on consent do not include a national margin of manoeuvre”, Traficom continues to encourage Finnish companies to rely on browser settings.


As we already predicted in May, the decision by the Finnish DPA is not likely to change the situation. The website subject to the DPA’s decision has not followed the DPA’s order to bring its practices for obtaining consent into compliance with the GDPR despite the deadline being 1st of  September 2020. The website still relies on the banner that was found in breach of the law.


A freedom of information request to the Finnish DPA reveals that the DPA has 38 pending cases against organisations for cookie consent. It is likely that some of these organisations will contest the Finnish DPA’s authority on this matter as the 'cookie consent provisions' of the Finnish Act on Electronic Communications Services is enforced by Traficom.


TikTok faces a class action lawsuit in Canada for collecting data without consent


A class action lawsuit has been filed against ByteDance in the Supreme Court of British Columbia alleging ByteDance exploits a bug in AndroidOS and collects personal information from all end users without consent.


Lead plaintiff of the case claims that ByteDance and its affiliates worked together to collect data from end users without consent and sold it to 3rd parties. The lawsuit alleges that at no point, the mobile application asks consent to the collection of personal information. Further, the lawsuit alleges that despite the prohibition on the collection of MAC addresses by Google and Apple, TikTok app collects such information from all users, including children. According the lawsuit, ByteDance exploits a bug in AndroidOS to circumvent the restriction against the collection of MAC addresses.


Read more here.


The Brasilian version of the GDPR finally here


After facing an uncertain and confusing path, the Brasilian General Data Protection Act (Lei Geral de Proteção de Dados “LGPD”) is finally taking effect after the President Jair Bolsonaro signed a bill from Brazil’s congress.


Originally postponed to May 2021 and then back to December 2020, the LGPD is now in effect with a retroactive applicability date of August 16th 2020. However, the penalties for infringements will be applied from August 2021.


Read the English translation of the LGPD from IAPP’s website.


Facebook challenges the DPC's order on transfer mechanisms


Last week Facebook confirmed of receiving a preliminary order from the Irish Data Protection Authority ("DPC") to suspend its personal data flows from EU to United States. Now Facebook has filed an appeal with the Irish High Court to challenge the DPC's order and have been granted a Judicial Review against the DPC (Case 2020/617 JR).


Facebook told the Irelands High Court that it cannot operate its services in the EU if DPC's freezes its personal data transfers. The Judicial Review allows Facebook to have the Irish Court to review the on-going dispute.


Read more here.