Last week in privacy (week 40)

French Data Protection Authority CNIL amends its ‘cookie’ guidelines


On 1 October 2020, the CNIL published a revised version of its guidelines on cookies and other tracking mechanisms. The new version of the guidelines is adjusted to the earlier decision by the French Council of State (Conseil d’État), which invalidated the general prohibition of ‘cookie walls’ included in the earlier version of the guidelines.


With the amendments, CNIL aims to give Internet users more control over their personal data and reminds companies of the two main principles: the Internet user must be clearly informed, and refusing cookies and other tracking mechanisms must be as easy as accepting them.


Cookie walls, the practice of blocking a website for users who do not consent to tracking, are no longer generally prohibited, although CNIL reminds that such walls are likely to undermine the freedom of users to consent. While CNIL does not ban cookie walls, it highlights that their lawfulness must be assessed case by case.


Refusing the use of cookies and other tracking mechanisms must be as easy as accepting them, and end users must not be subject to complex procedures for refusing tracking. CNIL recommends that the user interface for collecting consent should include a “refuse all” button if an “accept all” button is used, to ensure that end users are not influenced by ‘dark patterns’ that make refusal more difficult than acceptance.


Companies are now given an additional transition period of 6 months to comply with the new guidelines, and CNIL will start enforcing the new rules by the end of March 2021.


Read the CNIL’s press release here, the updated guidelines here and the related FAQ here (in French).


H&M hit with a massive fine in Germany over illegal employee surveillance


On October 1st, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (“HmbBfDI”) issued a fine of 35 million Euros against H&M Hennes & Mauritz Online Shop A.B. & Co KG.


Earlier we shared how Hamburg’s data protection authority (the Hamburg Commissioner for Data Protection and Freedom of Information, “HmbBfDI”) initiated administrative fine proceedings against H&M. According to the HmbBfDI, they had not seen such a serious violation in a long time.


Since 2014, H&M employees have been subject to extensive recording of details about their private lives. After absences such as vacations and sick leave, even short absences, the managers conducted so-called Welcome Back Talks with their employees.


The HmbBfDI investigated hard drives containing more than 60GB of data and found ‘massive violations of data protection rights of the employees’. H&M had been collecting detailed and systematic records of their employees, including health data ranging from ‘bladder weakness to cancer’, as well as data about people in the employees’ social environment, such as family disputes, deaths or holiday experiences. The data even contained records of personal conversations between employees during cigarette breaks.


Read HmbBfDI's press release here.


German DPAs: Microsoft 365 cannot be used in a privacy compliant way

The German Conference of Independent Federal and State Data Protection Supervisory Authorities (“DSK”) has come to the conclusion that no data protection compliant use of Microsoft’s Office 365 is possible.


DSK’s working group assessed Microsoft’s Office 365 Online Service Terms (OST) and other data protection provisions for Microsoft Online Services (Data Processing Addendum / DPA). The DSK reached its conclusion by a narrow majority of 9 votes in favour and 8 against.


The data protection supervisory authorities of Baden-Württemberg, Bavaria, Hesse and Saarland made it clear that they also see considerable potential for improvements in terms of data protection in Microsoft Office 365, especially after the most recent decision by the European Court of Justice on international data transfers on July 16, 2020 (C-311/18 “Schrems II”).


Read the press release by the Saarland data protection authority here.


Microsoft faces a class action for allegedly using ‘business secrets’ to derive commercial benefit


A class action lawsuit has been filed against Microsoft in the United States District Court for the Northern District of California, alleging that Microsoft shares the content of its business customers’ emails, documents, contacts, calendars, and other data with unauthorized third parties for unauthorized purposes, and uses its business customers’ data to develop new products and services to sell to others.


The lawsuit claims that Microsoft has routinely used the content of business customers’ emails, documents, contacts, calendars, location data, audio files, and video files in order to develop new products and services sold to others; to glean business intelligence; and to otherwise derive commercial benefit.

See the lawsuit here.


Facebook criticises Netflix’s ‘The Social Dilemma’ as distorted and sensationalist


Netflix’s recently released documentary The Social Dilemma sounds the alarm about surveillance capitalism and the negative effects of social media. The documentary is seen as a wake-up call for a world drunk on dopamine, telling a story of how social media companies ruthlessly manipulate human behaviour for profit and pose an existential threat to today’s democracy.


As expected, Facebook is not happy about The Social Dilemma and has published its response, titled “What ‘The Social Dilemma’ Gets Wrong”, in an attempt to address the concerns raised in the documentary.


See Facebook’s response here.


Facebook takes legal action against companies scraping its data


On October 1, 2020, Facebook published a press release stating that it has filed a lawsuit in the US against two companies that scraped data from Facebook and other platforms in order to sell “marketing intelligence” and other services. According to Facebook, the actions of BrandTotal Ltd., an Israel-based company, and Unimania Inc., incorporated in Delaware, violate Facebook’s Terms of Service.


See Facebook’s press release here.