France fines facial recognition company additional €5.2 million for noncompliance
On May 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a facial recognition company an overdue penalty payment in the amount of €5.2 million for failing to comply with an October order. As previously covered by InfoBytes, last fall CNIL imposed a €20 million penalty against the company for allegedly violating the EU’s General Data Protection Regulation (GDPR) after investigations found that the company allegedly processed personal biometric data without a legal basis (a breach of article 6 of the GDPR), and failed to take into account an individual’s rights in an “effective and satisfactory way”—particularly with respect to requests for access to their data (a breach of articles 12, 15 and 17 of the GDPR). CNIL reported that the company had two months after receiving the October order to stop collecting and processing data on individuals located in France “without any legal basis, and to delete the data of these individuals, after responding to requests for access it received.” Because the company did not submit proof of compliance within this time frame, CNIL imposed an additional fine on top of the original penalty.
France fines software company €60 million for data violations
In December, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €60 million penalty against a global software development company accused of making it harder for users of its search engine to reject cookies than to accept them. Based on investigations conducted in September 2020 and May 2021, CNIL claims that when users visited the search engine, cookies used for advertising purposes and countering advertising fraud, among other things, were automatically deposited on their terminal without the users’ consent. Under French law, these types of cookies may only be deposited after users have expressed their consent, according to CNIL. CNIL further observed that while the search engine offered a button to accept cookies immediately, it did not offer an equivalent button to allow the user to refuse the cookies as easily. By making the refusal mechanism more complex, users are discouraged from refusing cookies and are instead encouraged “to prefer the ease of the consent button in the first window,” CNIL said, adding that “such a procedure infringed the freedom of consent of Internet users.” Claiming violations of Article 82 of the French Data Protection Act, CNIL ordered the company to take measures within three months to modify its practices for obtaining consent from users residing in France. CNIL further stated that additional fines of €60,000 will be imposed per day of non-compliance following the end of the three-month period.
9th Circuit revives data breach class action against French cryptocurrency wallet provider
On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.
The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”
France fines facial recognition company €20 million for GDPR violations
On October 20, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €20 million penalty against a facial recognition company for violating the EU’s General Data Protection Regulation (GDPR). In 2020, CNIL opened an investigation after receiving complaints from individuals about the company’s facial recognition software. CNIL stated in its announcement that it cooperated with its European counterparts to share the results of the investigations, as each authority is permitted to act on its own territory since the company has no establishment in Europe. The investigations identified several violations of the GDPR, including that the company allegedly unlawfully processed personal biometric data without a legal basis (a breach of article 6 of the GDPR), and failed to take into account an individual’s rights in an “effective and satisfactory way”—particularly with respect to requests for access to their data (a breach of articles 12, 15 and 17 of the GDPR). A formal notice was issued to the company last year requiring it to stop collecting and using data belonging to persons on French territory without a legal basis. The company was also ordered to “facilitate the exercise of individuals’ rights and to comply with requests for erasure.” CNIL contended that after the company failed to respond to the formal notice, it referred the matter to a restricted committee for sanctions.
The restricted committee imposed the maximum financial penalty (€20 million) under article 83 of the GDPR, and ordered the company “to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months.” Failure to comply within this time frame will result in a €100,000 penalty per day of delay. The restricted committee also cited the company for breaching its obligation to cooperate with CNIL.
France says tool for EU-U.S. data transfers is unsafe
On February 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), issued a decision related to a multinational technology company’s practice of transferring data collected through its analytics tool to the U.S. The analytics tool, which measures the number of user visits, assigns a unique identifier to each visit (which constitutes personal data). The identifier and associated data are then transferred by the company to the U.S. CNIL stated that it received numerous complaints related to the transfer of the collected data and noted that complaints were filed against 101 data controllers for allegedly transferring personal data to the U.S. The agency analyzed the conditions under which the collected data was being transferred, and assessed the risk potential for individuals raising the concerns. According to CNIL, the company’s trans-Atlantic data transfers “are currently not sufficiently regulated” in spite of “additional measures” adopted by the company to regulate these data transfers. These measures “are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” CNIL determined, noting that “in the absence of an adequacy decision (which would establish that this country offers a sufficient level of data protection with regard to the GDPR) concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular.”
CNIL stated that these data transfers violate Article 44 et seq. of the GDPR (which governs the transfer of personal data to a third country or to an international organization), and ordered a “website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the [analytics tool] functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU.” The website operator must comply within one month. Additional compliance orders were also issued to other website operators using the analytics tool. CNIL also recommended that the analytics tool should only be used to produce anonymous statistical data, and stated that it has launched an evaluation program to determine solutions that are exempt from consent.
French Council of State confirms €100 million fine against tech company
On January 28, the French Council of State confirmed the jurisdiction of the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), to impose sanctions on a multinational technology company and its Irish affiliate related to the companies’ process for managing cookies. The judgment follows an appeal by the companies against a 100 million euro fine imposed by CNIL in December 2020, for failure to obtain users’ consent and provide adequate information before depositing advertising cookies on users’ computers. The 2020 decision cited three violations of Article 82 of the French Data Protection Act (the Act). In confirming the 2020 decision, the Council of State recognized that it is within CNIL’s jurisdiction “to issue sanctions regarding cookies outside the ‘one-stop-shop’ mechanism provided for in the GDPR and therefore confirmed the sanction imposed by the CNIL on the companies[.]” Specifically, the Council of State concluded that the GDPR’s “one-stop-shop” mechanism does not apply to the deposit of cookies, which is covered by the Act. Additionally, because the cookies in question are implemented in the context of the companies’ activities in France, the Council of State determined CNIL had jurisdiction pursuant to the Act, and consequently, did not have to forward the case to the Irish Data Protection Authority (the lead supervisory authority for these companies under the GDPR). Moreover, the Council of State held that the fines imposed by CNIL were “not disproportionate in view of the seriousness [of] the violations, the scope of the processing and the financial capabilities of the companies.”
French data protection agency issues privacy fines over cookies
On January 6, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a multinational technology company 150 million euros and a global social media company 60 million euros (approximately $170 million and $68 million USD respectively) for failure to comply with the French Data Protection Act related to the companies’ process for managing cookies. (See additional press releases here and here.) According to the CNIL, the companies provide a button allowing users to immediately accept cookies but do not provide an equivalent option to allow users to easily refuse the cookies through a single click. This process, CNIL stated, “influences [a user’s] choice in favor of consent” since a user “cannot refuse the cookies as easily as they can accept them,” and constitutes an infringement of Article 82 of the French Data Protection Act. In addition to the fines, the CNIL gave the companies three months “to provide […] users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent.” Failure to comply will come with the risk of an additional fine of 100,000 euros per day of delay.
U.S. and Israel form partnership to combat ransomware; U.S. enters cybersecurity initiative with France
On November 14, the U.S. Treasury Department announced the establishment of a bilateral partnership with the Israeli Ministry of Finance as part of the Biden Administration’s efforts to crack down on ransomware. The partnership is part of the U.S.-Israeli Task Force on Fintech Innovation and Cybersecurity, which was launched the same day. During the launch of the partnership, Treasury Department Deputy Secretary Wally Adeyemo and Israeli counterparts affirmed their commitment to encouraging robust fintech innovation and reinforced the importance of working together to combat cyber threats posed by nation-state and criminal actors to the global economy. The Task Force will take several measures, including immediately developing a Memorandum of Understanding that will support “(1) permissible information sharing related to the financial sector, including cybersecurity regulations and guidance, cybersecurity incidents, and cybersecurity threat intelligence; (2) staff training and study visits to promote cooperation in the area of cybersecurity and the financial system; and, (3) competency-building activities such as the conduct of cross-border cybersecurity exercises linked to global financial institutions financial and investment flows.” The Task Force also plans to launch a series of expert technical exchanges to support fintech innovation and examine ways cyber-analytics firms and fintech/regtech innovations are developing new measures to combat illicit finance risk and enhance public sector analytical and enforcement activities. According to Adeyemo, international cooperation is vital for addressing virtual currency abuses and disrupting the ransomware business model.
Separately, on November 10, Vice President Kamala Harris announced, among other initiatives, an international cybersecurity initiative with France to combat cyber threats. Harris stated that the U.S. will support the Paris Call for Trust and Security in Cyberspace, which the White House described as “a voluntary commitment to work with the international community to advance cybersecurity and preserve the open, interoperable, secure, and reliable internet.” According to the announcement, the U.S. “looks forward to continued partnership with France and other governments, private sector, and civil society around the world to advance and promote norms of responsible behavior in cyberspace.” Harris’ announcement builds on recent counter-ransomware actions taken to increase international cooperation to combat cybercrime. (Covered previously by InfoBytes here.)
2nd Circuit: Banking a known terrorist organization does not, by itself, establish Antiterrorism Act liability
On April 7, the U.S. Court of Appeals for the Second Circuit affirmed summary judgments (see here and here) dismissing amended complaints filed in two actions seeking to hold a U.K. bank and a French bank, respectively, liable under the Antiterrorism Act of 1990 (ATA) for allegedly “providing banking services to a charitable organization with alleged ties to Hamas, a designated Foreign Terrorist Organization (FTO) alleged to have committed a series of terrorist attacks in Israel in 2001-2004.” The complaints alleged that the U.K. bank and the French bank knowingly provided banking services, including sending millions of dollars in wire transfers, to organizations previously designated by the U.S. as Specially Designated Global Terrorists. The district court referred to the 2nd Circuit’s decision in Linde v. Arab Bank PLC, in which the appellate court held that “a bank’s provision of material support to a known terrorist organization is not, by itself, sufficient to establish the bank’s liability under the ATA,” and that “in order to satisfy the ATA’s requirements for civil liability as a principal,” the bank’s act must “also involve violence or endanger human life.” Moreover, the Linde opinion held, among other things, that a bank’s act must be intended to intimidate or coerce the civilian population or influence or affect a government, and that the bank “must have been ‘generally aware of [its] role as part of an overall illegal or tortious activity at the time’” the assistance was provided.
The plaintiffs argued in a consolidated appeal that the district court misapplied the Linde holding and erred in concluding that the evidence presented was “insufficient to permit an inference that the bank was generally aware that it was playing a role in terrorism.” The banks countered that if the appellate court reversed the judgments, the claims should be thrown out for lack of personal jurisdiction. On appeal, the 2nd Circuit agreed with the district court’s dismissal of claims “on the ground that plaintiffs failed to adduce sufficient evidence that the bank itself committed an act of international terrorism within the meaning of §§ 2333(a) and 2331(1)” of the ATA. The opinion noted, among other things, that the plaintiffs’ experts said the charities to which the banks transferred funds as instructed by one of the organizations actually performed charitable work and that there was no indication that they funded terrorist attacks. As such, the banks’ conditional cross-appeal was dismissed as moot.
NYDFS and French regulator sign fintech MOU
On June 3, NYDFS and France’s Autorité de Contrôle Prudentiel et de Résolution (ACPR) signed a Memorandum of Understanding (MOU) to help ease fintech innovators’ entry into the New York and French markets. This is the first fintech cooperation agreement signed by the ACPR with a U.S. regulator. Under the terms of the MOU, the two regulators will (i) refer companies to one another for potential market entry; (ii) “exchange information about regulatory and policy issues”; (iii) ensure innovators in both jurisdictions receive equal levels of support; and (iv) “share regulatory and supervisory expertise and best practices.” According to NYDFS, the regulators aim to encourage and support financial innovation, enhance consumer protections, and encourage “healthy market competition in their respective markets.”