InfoBytes Blog

Financial Services Law Insights and Observations

  • France fines facial recognition company €20 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On October 20, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €20 million penalty against a facial recognition company for violating the EU’s General Data Protection Regulation (GDPR). In 2020, CNIL opened an investigation after receiving complaints from individuals about the company’s facial recognition software. CNIL stated in its announcement that it cooperated with its European counterparts to share the results of the investigations, since each authority is permitted to act on its own territory given that the company has no establishment in Europe. The investigations identified several violations of the GDPR, including that the company allegedly processed personal biometric data without a legal basis (a breach of Article 6 of the GDPR) and failed to take individuals’ rights into account in an “effective and satisfactory way,” particularly with respect to requests for access to their data (a breach of Articles 12, 15 and 17 of the GDPR). A formal notice was issued to the company last year requiring it to stop collecting and using data belonging to persons on French territory without a legal basis. The company was also ordered to “facilitate the exercise of individuals’ rights and to comply with requests for erasure.” After the company failed to respond to the formal notice, CNIL referred the matter to its restricted committee for sanctions.

    The restricted committee imposed the maximum financial penalty (€20 million) available under Article 83 of the GDPR, and ordered the company “to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months.” Failure to comply within that period will result in a €100,000 penalty per day of delay. The restricted committee also cited the company for breaching its obligation to cooperate with CNIL.

    Tags: Privacy, Cyber Risk & Data Security; Of Interest to Non-US Persons; France; Enforcement; GDPR; EU

  • Biden issues executive order on EU-U.S. privacy shield replacement

    Privacy, Cyber Risk & Data Security

    On October 7, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to facilitate transatlantic data flows between the EU and the U.S. The E.O. outlines the commitments the U.S. will undertake under the EU-U.S. Data Privacy Framework, which was announced in March as a replacement for the invalidated EU-U.S. Privacy Shield. As previously covered by InfoBytes, the Court of Justice of the EU (CJEU) issued its judgment in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protection prescribed by the GDPR.

    Among other things, the E.O. bolsters privacy and civil liberty safeguards for U.S. signals intelligence-gathering activities, and establishes an “independent and binding mechanism” to enable “qualifying states and regional economic integration organizations, as designated under the E.O., to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law.” Specifically, the E.O. (i) creates further safeguards for how the U.S. signals intelligence community conducts data transfers; (ii) establishes requirements for handling personal information collected through signals intelligence activities and “extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance”; (iii) requires the U.S. signals intelligence community to ensure that its policies and procedures reflect the E.O.’s new privacy and civil liberty safeguards; (iv) establishes a multi-layer review and redress mechanism, under which the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) is granted the authority to investigate complaints of improper collection and handling of personal data and may issue binding decisions on whether improper conduct occurred and what the appropriate remediation should be; (v) directs the U.S. attorney general to establish a Data Protection Review Court (DPRC) to independently review CLPO decisions, thereby serving as the second level of the E.O.’s redress mechanism (see the DOJ announcement); and (vi) calls on the Privacy and Civil Liberties Oversight Board to review U.S. signals intelligence community policies and procedures to ensure they are consistent with the E.O.

    Tags: Privacy, Cyber Risk & Data Security; Federal Issues; Biden; EU; Consumer Protection; EU-US Privacy Shield; Of Interest to Non-US Persons; GDPR; EU-US Data Privacy Framework

  • U.S.-EU release statement on Joint Financial Regulatory Forum

    Financial Crimes

    On July 20, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S. – EU Joint Financial Regulatory Forum to continue their ongoing financial regulatory dialogue. Matters discussed focused on six themes: “(1) market developments and financial stability risks, (2) sustainable finance and climate-related financial risks, (3) regulatory developments in banking and insurance, (4) regulatory and supervisory cooperation in capital markets, (5) operational resilience and digital finance, and (6) anti-money laundering and countering the financing of terrorism (AML/CFT).”

    The statement acknowledged that the Russia/Ukraine conflict, as well as “inflationary pressures,” exposes “a series of downside risks to financial markets both in the EU and in the U.S.” The statement noted that financial markets have so far proven to be “resilient” and stressed that “[i]nternational cooperation in monitoring and mitigating financial stability risks remains essential in the current global environment in light of the negative impacts on global energy and commodities markets.” During the Forum, participants also discussed recent developments related to digital finance and crypto-assets, including so-called stablecoins, as well as potential central bank digital currencies. Additionally, participants discussed various issues related to third-party providers; climate-related financial risks and challenges, including sustainability reporting standards; the transition away from LIBOR; and progress made in strengthening their respective AML/CFT frameworks.

    Tags: Financial Crimes; Digital Assets; Of Interest to Non-US Persons; Department of Treasury; EU; Central Bank Digital Currency; Stablecoins; Anti-Money Laundering; Combating the Financing of Terrorism; Fintech; Climate-Related Financial Risks; LIBOR

  • U.S. and EU collaborate to combat ransomware attacks

    Privacy, Cyber Risk & Data Security

    On June 16, the DOJ announced that representatives from the U.S. and EU met at a recent workshop in The Hague to share best practices and to plan enhanced collaboration efforts to confront ransomware attacks. According to the DOJ, attorneys from the DOJ’s Computer Crime and Intellectual Property Section, along with representatives from the FBI, the U.S. Secret Service, U.S. Homeland Security Investigations, the European Judicial Cybercrime Network, Eurojust’s Cybercrime Team, and Europol’s European Cybercrime Centre shared “experiences, best practices, and lessons learned in directing an investigation to a successful outcome including collaborating with the tech and private sector.” Participants also discussed “relevant changes in the law, including issues related to electronic evidence, charging options, and cross-border considerations.”

    Tags: Privacy, Cyber Risk & Data Security; DOJ; EU; Of Interest to Non-US Persons; Ransomware

  • EU Court of Justice rules consumer protection agencies can sue companies for GDPR violations

    Privacy, Cyber Risk & Data Security

    On April 28, the Court of Justice of the European Union (CJEU) issued a judgment concluding that consumer protection associations are permitted to bring representative actions against infringements of personal data protection “independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect.” According to the judgment, Germany’s Federal Union of Consumer Organisations and Associations brought an action for an injunction against a global social media company’s Irish subsidiary for allegedly infringing General Data Protection Regulation (GDPR) rules on the protection of personal data, as well as rules combating unfair commercial practices and protecting consumers, when offering users free games provided by third parties. Germany’s Federal Court of Justice called into question whether a consumer protection association has standing to bring proceedings in the civil courts against infringements of the GDPR without obtaining a mandate from the users whose data was misused. Germany’s Federal Court of Justice also observed that the GDPR could be read as meaning that “it is principally for the supervisory authorities to verify the application of the provisions of that regulation.”

    In its ruling, the CJEU concluded that consumer protection associations in the EU can bring representative actions against the social media company for alleged violations of the GDPR, writing that the GDPR “does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data . . . where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.” Permitting associations to bring representative actions is “consistent with the objective pursued by the GDPR . . . in particular, ensuring a high level of protection of personal data,” the CJEU stated.

    Tags: Privacy, Cyber Risk & Data Security; Courts; Germany; EU; Of Interest to Non-US Persons; GDPR; Consumer Protection

  • EU and U.S. agree in principle on new Trans-Atlantic Data Privacy Framework

    Privacy, Cyber Risk & Data Security

    On March 25, the U.S. and the European Commission announced their agreement in principle on a new Trans-Atlantic Data Privacy Framework (Framework) to foster cross-border transfers of personal data from the EU to the U.S. (See also the White House and European Commission fact sheets.) Under the Framework, the U.S. has committed to implementing reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement follows negotiations that began after the Court of Justice of the EU (CJEU) issued its judgment in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.

    As previously covered by InfoBytes, the CJEU’s ruling (which could not be appealed) concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside the EU remain valid. However, the Court invalidated the EU-U.S. Privacy Shield. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protection prescribed by the GDPR. Specifically, the CJEU held that the surveillance programs used by U.S. authorities are not proportionate in the way EU law requires because they are not “limited to what is strictly necessary,” nor, under certain surveillance programs, does the U.S. “grant data subjects actionable rights before the courts against the U.S. authorities.”

    According to the factsheet released by the White House, the U.S. has made “unprecedented commitments” that build on the safeguards that were in place under the annulled EU-U.S. Privacy Shield with the goal of addressing issues identified in the Schrems II decision. These commitments include (i) strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities through measures that would limit U.S. intelligence authorities’ data collection to what is necessary to advance legitimate national security objectives; (ii) establishing a new, multi-layered redress mechanism with independent and binding authority “consist[ing] of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures, as needed”; and (iii) enhancing the U.S.’s existing rigorous and layered oversight of signals intelligence activities, and requiring U.S. intelligence agencies to “adopt procedures to ensure effective oversight of new privacy and civil liberties standards.” The factsheet further stated that participating companies and organizations will continue to be required to adhere to the EU-U.S. Privacy Shield principles, including the requirement of self-certification through the U.S. Department of Commerce. EU individuals will also continue to have access to avenues of recourse to resolve complaints against businesses and organizations participating in the Framework, including through alternative dispute resolution and binding arbitration.

    The White House stated that President Biden will issue an executive order outlining the aforementioned commitments “that will form the basis of the Commission’s assessment in its future adequacy decision.” According to the announcement, the U.S. and European Commission “will now continue their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new Trans-Atlantic Data Privacy Framework.”

    Tags: Privacy, Cyber Risk & Data Security; Consumer Protection; EU; EU-US Privacy Shield; GDPR; Of Interest to Non-US Persons

  • Irish DPC fines global social media company €17 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On March 15, the Irish Data Protection Commission (DPC) adopted a decision fining a global social media company €17 million (approximately $18.6 million) in connection with a series of personal data breaches in 2018. The DPC conducted an inquiry into 12 data breach notifications it received between June 7, 2018 and December 4, 2018, to examine the extent to which the company complied with GDPR requirements related to the processing of personal data. Following the inquiry, the DPC found that the company violated GDPR Articles 5(2) and 24(1) by failing “to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.” Article 5 sets out the principles governing the processing of personal data and requires controllers to ensure that personal data is processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”; Article 5(2) makes the controller responsible for, and able to demonstrate, compliance with those principles. Article 24(1) requires controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR. The DPC noted that because the processing under examination constituted “cross-border” processing, the “decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.”

    Tags: Privacy, Cyber Risk & Data Security; Of Interest to Non-US Persons; Enforcement; EU; Data Breach; GDPR

  • U.S.-EU release statement on Joint Financial Regulatory Forum

    Financial Crimes

    On March 1 and 2, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S. – EU Joint Financial Regulatory Forum to continue their ongoing financial regulatory dialogue. Matters discussed focused on six themes: “(1) market developments and current assessment of financial stability risks, (2) operational resilience and digital finance, (3) sustainable finance and climate-related financial risks, (4) regulatory and supervisory cooperation in capital markets, (5) multilateral and bilateral engagement in banking and insurance, and (6) anti-money laundering and countering the financing of terrorism (AML/CFT).”

    While acknowledging that both the U.S. and EU are “experiencing robust economic recoveries,” participants warned that significant uncertainty and risks are created by the current geopolitical situation, as well as challenges stemming from the ongoing Covid-19 pandemic, high energy prices, and supply-chain bottlenecks. “[C]ooperative international engagement to mitigate financial stability risks remains essential,” participants stressed. During the meeting, participants also discussed recent developments related to crypto-assets, digital finance, and so-called stablecoins, as well as the potential for a central bank digital currency, and “acknowledged the importance of ongoing international work on digital finance and recognized the benefits of greater international supervisory cooperation with a view to promote responsible innovation globally.”

    In addition, participants discussed various topics, including those related to third-party providers; climate-related financial risks and challenges, including sustainability reporting standards; the transition from LIBOR; and progress made in strengthening their respective AML/CFT frameworks.

    Tags: Financial Crimes; Digital Assets; Of Interest to Non-US Persons; Department of Treasury; EU; Central Bank Digital Currency; Stablecoins; Anti-Money Laundering; Combating the Financing of Terrorism; Fintech; Covid-19; Climate-Related Financial Risks; LIBOR

  • France says tool for EU-U.S. data transfers is unsafe

    Privacy, Cyber Risk & Data Security

    On February 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), issued a decision concerning a multinational technology company’s practice of transferring data collected through its web analytics tool to the U.S. The analytics tool, which measures the number of visits to a website, assigns a unique identifier to each visitor (which constitutes personal data). The identifier and its associated data are then transferred by the company to the U.S. CNIL stated that it received numerous complaints related to the transfer of the collected data and noted that complaints had been filed against 101 data controllers for allegedly transferring personal data to the U.S. The agency analyzed the conditions under which the collected data was being transferred and assessed the risks to the individuals concerned. According to CNIL, the company’s trans-Atlantic data transfers “are currently not sufficiently regulated” despite the “additional measures” the company adopted to govern them. Those measures “are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” CNIL determined, noting that “in the absence of an adequacy decision (which would establish that this country offers a sufficient level of data protection with regard to the GDPR) concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular.”

    CNIL stated that these data transfers violate Article 44 et seq. of the GDPR (which govern transfers of personal data to a third country or to an international organization), and ordered a “website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the [analytics tool] functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU.” The website operator must comply within one month. Similar compliance orders were issued to other website operators using the analytics tool. CNIL also recommended that the analytics tool be used only to produce anonymous statistical data, and stated that it has launched an evaluation program to identify analytics solutions that are exempt from the consent requirement.

    Tags: Privacy, Cyber Risk & Data Security; Of Interest to Non-US Persons; France; GDPR; EU

  • OFAC sanctions Nicaraguan officials connected to Ortega-Murillo regime

    Financial Crimes

    On January 10, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13851 against six Nicaraguan government officials. The sanctions, taken in conjunction with EU sanctions adopted the same day, relate to the ongoing “subjugation of democracy through effectuating sham elections, silencing peaceful opposition, and holding hundreds of people as political prisoners” by the regime of Nicaraguan President Daniel Ortega and Vice President Rosario Murillo. Complementing OFAC’s actions, the State Department “impose[d] visa restrictions on individuals complicit in undermining democracy in Nicaragua, including mayors, prosecutors, and university administrators, as well as police, prison, and military officials.” As a result of the sanctions, all property and interests in property of the sanctioned persons that are subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more in the aggregate by one or more of such persons are also blocked.”

    Tags: Financial Crimes; Of Interest to Non-US Persons; OFAC; Department of Treasury; OFAC Sanctions; OFAC Designations; SDN List; EU; Department of State
