Marta Moreno Sánchez’s Post

I am excited to announce that, two years after completing my internship experience, I have returned to the Legal Resource Center of IBM in Ireland, where I will be working as a lawyer in the Trust & Compliance area and providing support to the SPGI, UKI, and French markets on various matters.

The EDPB has recently published its feedback on the Commission's initiative for a voluntary business pledge to simplify the management of cookies and personalized advertising choices by consumers. By this document, the European authority clarifies its position on cookie usage and consent for online advertising. Here's a summarized overview of some of the most important takeaways: 🔹 Although it remains necessary to provide users with information about the processing of personal data via the use of strictly necessary cookies, these should be presented distinct from a consent request (for which only information relevant to the consent request, i.e. should be provided). This is because the EDPB considers that not showing information about them in the context of the request for consent will reduce the information that users need to read and understand. Therefore, EDPB proposes that information on strictly essential cookies is included, for example, via a link on the first or second layer of the cookie banner; 🔹 Users should not be presented with information referring to the collection of data based on legitimate interest in the cookie banner, as this is not a valid legal basis under the ePrivacy directive for access or storage of information; 🔹 Asking consumers to pay does not appear as a credible alternative to tracking their online behavior for advertising purposes that would legally require obtaining consent. Nonetheless, the EDPB acknowledges that the CJEU recently judged that, in certain circumstances, it must be possible for a user to refuse to give consent without being obliged to refrain entirely from using the service, being available to the user, if necessary for an appropriate fee, an equivalent alternative not accompanied by the data processing operations in question. In this context, the EDPB notes that it cannot in abstracto assess whether this casuistry would ensure that valid consent could be obtained for the aforementioned processing. Thus, a case-by-case analysis of whether consent is freely given and valid, taking into account the different options provided to the user, is required. 🔹 It is possible to consent to cookies for a specific advertising purpose without necessarily requiring users to separately consent to every single tracker or partner on the first layer of a cookie banner, provided that a more granular choice on the controller-specific purposes is made available to the user on a second layer. 🔹 It is recommended that negative choices (refusals) are recorded for at least a year to reduce cookie fatigue. Therefore, a user should not be asked to accept cookies within one year of the last request. In this sense, it must be recalled that, as per recital 37 of the DMA, this circumstance constitutes an obligation already in force for gatekeepers. Full document available here: https://lnkd.in/eycBFBte

📢 CJEU Weekly Highlights: Defining Boundaries in Data Protection This week, the Court of Justice of the European Union (CJEU) delivered four judgments shaping the landscape of data protection in the EU. 1️⃣ Administrative Fines and GDPR (Cases C-683/21 and C-807/21): By these judgements, the CJEU has provided crucial insights into the imposition of administrative fines under the GDPR. (i) Fines for wrongful acts ❌: The ruling underscores that a data controller can only face an administrative fine if the infringement was committed wrongfully – either intentionally or negligently. Thus, whether or not the controller was aware of the violation, if the conduct was inherently infringing, a fine may be imposed. (ii) Fine calculation 💵 💰: the CJEU clarifies that when the fined entity is part of a group of companies, the fine must be calculated based on the entire group's turnover. This ensures that the financial repercussion aligns with the economic power of the entire corporate entity. (iii) Liability for processings performed by a processor: a controller may have a fine imposed on it in respect of personal data processing operations performed by a processor on its behalf unless, in the context of those operations, that processor has carried out processing: 🔷For its own purposes; or 🔷In a manner incompatible with the framework of, or detailed arrangements for, the processing as determined by the controller; or 🔷In such a manner that it cannot reasonably be considered that that controller consented to such processing. 2️⃣Credit Information Agencies and GDPR (C-634/21 and Joined cases C-26/22 and C-64/22): The CJEU categorizes 'scoring' 💯 as an 'automated individual decision,' which is generally prohibited by the GDPR. Specifically, when clients, such as banks, attribute a determining role to 'scoring' in credit decisions, the GDPR comes into play. Thus, an entity shall only process personal data in such way if it relies on: 🔷The necessity for entering into, or performance of, a contract between the data subject and a data controller; 🔷A valid exception provided in the EU Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; 🔷 The data subject’s explicit consent. As regards information relating to the granting of a discharge from remaining debts, the Court considers that it is contrary to the GDPR for private agencies to keep such data for longer than the public insolvency register.⌛❌ ------------------------------------------------------------------------------ This week's CJEU judgments define the contours of data protection in the EU. As businesses adapt to it, these judgments illuminate the path forward, emphasizing the paramount importance of precision in data governance💪 📈

📢🔍 Meta announces that users will have to pay to use their services without advertising. What's behind this new decision? 🤔 It has been over five years since the European advocacy group Noyb filed a complaint against Meta for ressoting to article 6.1.b GDPR (i.e. the necessity for the performance of a contract) for processing the personal data of its more than 250 million European users to provide behavioral advertising. This ultimately resulted in a fine of over 390 million euros imposed on the internet giant by Irish Data Protection Authority or "DPA". 💶💻 As of the current date, and though it has not been a straightforward path, it appears to be clear that the referred processing of personal data, which constitutes the main source of income for the online Platform, cannot be justified by any legal bases other than user consent (For a detailed explanation on why other legal bases are not appropriate, please refer to Case C-252/21 of CJEU). It must be recalled that since August, the Norwegian DPA has imposed a daily fine of one thousand dollars on the platform for using users' personal data without a legitimate legal basis, and as per a publication posted in the official website of the norwegian DPA earlier this week, this fine will be extended to the entire territory of the European Union soon following the European Data Protection Board approval. In this context, Meta has announced that it will adjust its operations so that user consent will be the legal basis for this data processing. Although at first glance, this may seem like hopeful news for users and those interested in privacy matters, the truth is that the withdrawal of this consent is contingent on the payment of a monetary amount, which poses a problem as the legality of the so-called "pay-or-consent" model is a grey area in the EU. The truth is that national DPAs within the EU have different views about the practice’s legality. Some consider that consent provided under a regime where its refusal is subject to an economical prejudice does not meet the validity requirements set foth in article 32 GDPR. On the other hand, others consider that digital firms must have the right to be compensated for the advertising revenue they lose because they are unable to offer personalised advertising that relies on trackers that track the user’s web activity. In this context, it is not surprising that Meta's decision has caused widely differing opinions within society, bringing entities like Noyb to announce that they will challenge Meta's decision before the competnt authority. Hopefully, these circumstances will eventually lead to the EDPB and/or the CJEU to adopt a firm and clear position in this regard that brings national DPAs to adopt a firm and clear uniform criteria on the field.

📢 EU General Court denies interim EU-US Data Privacy Framework halt 🚫 On July 10, 2023, the European Commission issued a decision confirming that the United States of America ensured an adequate level of protection for personal data transferred from the European Union to organizations established therein and listed on a register maintained and published by the U.S. Department of Commerce, i.e. the EU-U.S DPF. Consequently, as of that date, all data transfers to an entity listed in the EU-U.S. DPF can be carried out without the need for special protective measures such as the drafting of standard contractual clauses. In this context, the French MEP and member of the French Data Protection Authority, Philippe Latombe filed an action for annulment on September 6th, challenging Articles 1 and 2 of said decision and, two days later, requested for interim measures to be applied. In order to support his action, Latombe used the main following legal arguments: 🔹 Effective remedy: Latombe criticizes in his request the absence of guarantees of a right to an effective remedy, and in particular the lack of transparency in the newly created Data Protection Review Court (DPRC) procedure. 🔹 Minimization and proportionality principles: He also raises the argument of the breach of the minimization and proportionality principles of the GDPR, in particular due to what he identifies as "bulk collection of personal data" by the U.S. surveillance authorities. 🔹 Languages: Latombe also makes a point regarding the language of the DPF decision since,for now, it is only available in English and thus, it has been notified to EU countries only in that language. While a decision on the main matter is expected to take some time, an first decision concerning this case was handed down yesterday. Specifically, it was a decision rejecting the interim measures. Through this ruling, the CJEU determined that Latombe failed to present evidence substantiating the urgent requirement for suspending the decision, citing the risk of incurring severe and irreparable harm Link to the decision: https://lnkd.in/ddjwB32m

I am thrilled to share some exciting news with you all - today marks the beginning of a new chapter in my professional journey as I have embarked on a Diploma in Technology & IP Law at the Law Society of Ireland 🎓💼 In a world where innovation is driving progress at an unprecedented pace, this program is to equip me with the specialized knowledge and skills needed to navigate the complex landscape of technology, social media, data protection, and intellectual property from both an EU law and a common law perspective. I am eager to delve into topics that will shape the future of legal practice ✨

📢 📢 📢

La Comisión de Protección de Datos de Irlanda (DPC por sus siglas en inglés) anunció el pasado viernes 15 de septiembre de 2023 una multa de 345 millones de euros a la red social TikTok 🔏 Esta sanción es consecuencia directa de una investigación iniciada a solicitud de la autoridad competente en la materia holandesa y la autoridad francesa y se ha centrado en analizar el cumplimiento del RGPD por la plataforma en relación con el tratamiento de datos personales de los usuarios menores de 16 años (perfiles infantiles) en la plataforma, durante el período comprendido entre el 31 de julio de 2020 y el 31 de diciembre de 2020. En este contexto, las conclusiones de la DPC que sustentan la sanción impuesta son las siguientes: - La configuración de perfil para los usuarios infantiles de TikTok estaba establecida como pública por defecto, lo que permitía a cualquier persona ver el contenido publicado por estos usuarios, infringiéndose así el principio de minimización de datos (art. 5.1.c). Además, esta configuración predeterminada no tuvo en cuenta los posibles riesgos para los derechos y libertades de los usuarios infantiles, sobre todo teniendo en cuenta la especial vulnerabilidad de los usuarios menores de 13 años. Por lo tanto, la DPC concluye que TikTok no implementó medidas técnicas y organizativas apropiadas, contraviniendo el Artículo 24(1) del GDPR. - La información relativa al tratamiento de sus datos personales proporcionada a los usuarios infantiles era insuficiente, incumpliéndose así el principio de transparencia (art. 12.1) y el principio de información previa en lo que respecta a la identificación de los destinatarios de los datos personales (art. 13.1.e) - El proceso de registro de los usuarios infantiles en la red social, así como el proceso de publicación de videos incluía varios "dark patterns" o patrones oscuros que fomentaban que el usuario optara por la configuración más intrusiva en relación con su privacidad. Esto supone una vulneración del principio de licitud, lealtad y transparencia recogido en el artículo 5.1.a - A través de la configuración "Family pairing" o "sincronización familiar" implementada por la plataforma para usuarios infantiles, un usuario mayor de edad podía vincular su cuenta a la de un usuario infantil, lo que permitía el intercambio de mensajes directos entre ambos. La DPC ha considerado que este proceso no garantizaba la adecuada seguridad de los datos personales, y la falta de implementación del principio de integridad y confidencialidad se consideró una violación del Artículo 5(1)(f) y 25(1) del GDPR. Puedes conocer todos los detalles de esta resolución aquí: https://lnkd.in/dBCiG8Kk

Is the processing of biometric data considered a processing of special categories of data? Until now, the Spanish Data Protection Agency, or "AEPD," had held that biometric data were only considered a special category when used for identification (1-to-many) and not for authentication (1-to-1). This controversial stance of the AEPD had been questioned on various occasions, stemming from circumstances such as the clear opposition presented by the APDCAT on this matter. They had consistently argued that the processing of biometric data through automated identification or verification methods with the aim of confirming the unique identification of an individual always falls under the restrictions of Article 9 of the GDPR. They even fined entities like the UOC university for resorting to facial recognition as a method of control during online exams, citing the absence of a suitable legal basis to justify the treatment of this special category of data. However, it wasn't until the publication of the Guidelines on the use of facial recognition technology in the area of law enforcement by the European Data Protection Board, or "EDPB," that we were able to see a more or less clear resolution of this conflict. The EDPB clarifies through these Guidelines that although authentication and identification functions are distinct, both refer to the processing of biometric data related to an identified or identifiable natural person and therefore constitute a processing of special categories of personal data. The consequences of this decision have been evident since the publication of the very first draft of the guidelines, as the AEPD already refers to this change in its decision 0098/2022, which questions the use of fingerprinting as a method of control at football stadium entrances. As a result, thousands of treatments validated as per the AEPD's former criteria are now witness to an important change that will undoubtedly reduce the use of biometric data and increase the use of consent as a legitimate basis. Further details at: https://lnkd.in/dcM7WQEf

It's fascinating to observe how the digital landscape continues to shape our world, right down to the tiniest pixels. France, Norway, and Israel stand out as examples of countries that have integrated legal provisions to oversee the use of Photoshop in social media and/or advertising domains. What's truly intriguing is how this movement is gaining traction across the globe. Legislators, associations, and courts are recognising the significance of addressing not only the impact on users' mental health but also the intricate legal challenges posed by this phenomenon. One pivotal aspect is the classification of Photoshop manipulation as a deceptive practice within the advertising sector. As we navigate this intricate terrain, it's essential to acknowledge the evolving dynamics of our digital age. I invite you to delve deeper into this subject through the article linked below. It sheds light on the dimensions of this issue and offers a glimpse into its prospective trajectory, one that is bound to receive amplified attention in the foreseeable future 📣 🌍 🌐 https://lnkd.in/dvYqqGmQ