Luxembourg court suspends Amazon decision; CNIL fines Google & Facebook

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

eUrope

LuxembourG court suspends amazon decision

The President of the Luxembourg administrative court issued an order in December 2021 suspending in part the National Commission for Data Protection’s (CNPD) July 15, 2021 decision against Amazon, specifically with respect to the corrective measures imposed by the decision.

The CNPD decision had found that Amazon had violated several provisions of the GDPR, including that it did not have a valid legal basis or compliant transparency measures for its processing of personal data for behavioral advertising purposes, and that it didn’t offer conforming access, modification, erasure and opt-out mechanisms.

The decision had given Amazon a 6-month deadline (until January 15, 2022) to cure its violations to avoid a daily penalty of 746,000 euros. The order suspending the decision held that the CNPD’s decision had not been formulated in clear enough terms to enable Amazon to cure its violations within the 6-month timeline. 

WHY IT MATTERS

The CNPD’s decision had merely ordered that Amazon bring the violations into compliance with certain provisions of the GDPR, without specifying what satisfactory compliance would look like or working with Amazon in a phased process to first establish, and then execute, a plan for corrective action.

The administrative order suspending the decision will therefore likely lead to more specific instruction, giving Amazon, as well as other companies, a more precise understanding of the CNPD’s interpretation of conforming legal basis, transparency measures and user rights mechanisms with respect to behavioral advertising. 

CNIL Fines Google & Facebook

The France data protection authority (CNIL) on January 6, 2022 issued sanctions of up to 150 million euros against Google and up to 60 million euros against Facebook for failing to allow users of facebook.com, google.fr and youtube.com to refuse cookies as simply as accepting them in violation of France’s Data Protection Act.

The websites had allegedly required several clicks for users to refuse all cookies, while allowing users to accept cookies with just one click. The companies were ordered to implement a means for users to refuse cookies as simply as accepting them within 3 months to avoid a fine of 100,000 euros per day of delay. 

WHY IT MATTERS

The CNIL has placed significant focus on both enforcing and providing guidance around its requirements for use of cookies, including last month updating its GDPR guide for developers to include exactly what elements should be included in the first and second layers of a consent interface, example images of acceptable interfaces, and a step-by-step guide to what steps should be taken on the back-end.

The CNIL also issued 30 new orders for cookie non-compliance last month and says it has adopted a total of nearly 100 corrective measures (formal notices and sanctions) in connection with non-compliance with the legislation on cookies. 

UK Confirms New Information Commissioner

New Zealand’s former Privacy Commissioner, John Edwards, was confirmed as UK’s new Information Commissioner, effective January 3, 2022, for a 5-year term.

WHY IT MATTERS

The former UK Information Commissioner, Elizabeth Denham, was outspoken about her desires to evolve consumer privacy in the digital space, and had committed, with her G7 counterparts, to find better ways to secure informed and meaningful consent online, including through examination of web browsers, software applications and device settings as potential vehicles for privacy preferences.

Edwards is known for his strongly-worded tweets criticizing Facebook’s data handling practices following the 2018 Cambridge Analytica scandal, but his position and approach to digital privacy reform is yet to be seen.

USA

Biden Re-Nominates Bedoya for FTC Commissioner

President Biden included Alvaro Bedoya’s FTC Commissioner nomination in a list of nominations sent to the Senate January 4. Bedoya’s nomination last year resulted in a 14-14 vote down party lines in the Senate Commerce Committee, delaying a formal vote from the full Senate until 2022. 

WHY IT MATTERS

Bedoya has focused his research on the potential harms of algorithmic bias and surveillance technologies. His confirmation hearing included several questions from republicans about the potential for privacy rulemaking, and with the FTC recently announcing in a public filing that the commission is considering initiating a rulemaking regarding commercial surveillance, privacy abuses and algorithmic decision-making, the party-line tension around Bedoya’s nomination has likely increased.    

Privacy Act Reintroduced in New York

A bill to enact the NY Privacy Act was reintroduced (with amendments) in the New York Senate, with a “same as” bill assigned in the House.

The previous version of the bill advanced to a third reading on the New York Senate floor but failed to reach a vote before the Senate recessed in June. The bill was amended and recommitted to the consumer protection committee on January 6, 2022.

WHY IT MATTERS

The amended bill, like its predecessor, would require controllers to collect opt-in consent from consumers before processing their data, making it the first U.S. privacy law, if enacted, to require opt-in consent for general (not sector-specific) personal data processing. Many include New York as a state to watch for privacy legislation in 2022. 

GLOBAL

Jordan Introduces Draft Data Protection Law

The Jordan Ministry of Digital Economy and Entrepreneurship introduced a draft Personal Data Protection Law, which would establish a regulatory framework with restrictions and obligations for saving and processing personal data and extend individual rights to protect personal data. It would also create a Personal Data Protection Board.

WHY IT MATTERS

The Jordan constitution specifically mentions privacy, but there is otherwise no current comprehensive data protection law or authority in Jordan. Jordan is one of many countries across the globe newly considering or recently passing comprehensive privacylegislation for the first time. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.