Welcome to the eighth edition of the KPMG Global Legal Services newsletter on developments in the world of data protection and privacy law. We live in fast changing times in this area and our articles seek to demonstrate the state of development of the law in various jurisdictions whilst also showing the very broad impact that data protection law has. In this edition topics include a ruling of German courts on the abusive exercise of the right of access, a court decision in Bulgaria on balancing right of free speech and right of privacy and legislative changes in Czech Republic related to cookies.
Check out the contributions from Belgium regarding recent fines of the DPA for non-compliance with the GDPR and for publishing raw and sometimes sensitive data from social media accounts.
Discover the complete newsletter below.
Transparency and Consent Framework System not GDPR compliant
The Belgian DPA recently fined an international digital marketing organization for non-compliance with GDPR.
On 2 February 2022, the Belgian Data Protection Authority (DPA) ruled that the Transparency and Consent Framework (TCF) developed by an international digital marketing organization did not comply with several provisions of the General Data Protection Regulation (GDPR). The DPA imposed a fine of 250.000 EUR and required an action plan for compliance with the GDPR in two months.
TCF is a widespread mechanism that facilitates the management of user preferences for online personalized ads. It reflects processing purposes and user preferences with respect to potential vendors, aiming to strengthen the GDPR compliance of organizations by relying on the so called OpenRTB protocol.
This protocol is used very frequently for "Real Time Bidding". When users visit a website or application that contains ad space, technology companies, representing thousands of advertisers, can bid for that ad space "in real time" behind the scenes through an automated auction system that uses algorithms to show targeted ads tailored to the visitor's profile.
An interface (Consent Management Platform) appears upon first visit of a website or application where users can give their consent or objection to the collection and sharing of their personal data or the various types of processing, which happen based on the legitimate interests of ad tech vendors.
Fine for mass processing of social media data in connection with the Benalla affair for political profiling
The Belgian Data Protection Authority (DPA) recently fined an NGO and its researcher for publishing raw and sometimes sensitive data from social media accounts as part of an investigation.
The NGO, which aims to combat the spread of disinformation, published an analysis in 2018 to determine the possible political origin of tweets circulating about the 'Benalla affair'. The GBA and its French counterpart, the CNIL, received a total of more than 200 complaints about:
- the re-use of personal data from 55.000 social media accounts to carry out the study (in which more than 3.300 accounts were politically classified); and
- the online publication of files containing the raw data of the study (including information on the religious beliefs, ethnic origin, and sexual orientation of the persons whose accounts were analyzed).
As the NGO is based in Belgium, the Belgian DPA is responsible for the matter and made the decision in collaboration with the CNIL. The Belgian DPA decided that the NGO was exempt from its obligation to inform the persons individually about the personal data processed for the study, as this could have jeopardized the study and its publication. The Belgian DPA, however, finds that the publication of sensitive data used for the study - which was not properly pseudonymized - had no legal basis due to the disproportionate infringement of the rights of the authors of the tweets concerned. The Belgian DPA also stated that their consent was required for the publication of such non-pseudonymized sensitive data.