The French data protection authority CNIL fined the French health website http://doctissimo.fr €280k for GDPR infringements plus €100k for ePrivacy infringements:
https://www.cnil.fr/en/health-data-and-use-cookies-doctissimo-fined-eu380000

This is good, but. A few comments.

It's good they took action against a web publisher, which European regulators rarely do.

And the fine may represent a considerable amount of the site's revenue (according to internet sources). It's still not much for Reworld Media though, which appears to own the site.

I understand that regulators have to focus on certain issues. However, closing the procedure with the argument that "the company had taken measures to comply with all the infringements" is not ideal.

This makes it look like everything is fine now, which may not be the case.

There are several unresolved GDPR issues regarding digital tracking.

While doctissimo at least implements the very minimum (top level 'refuse' button), it still uses the TCF and wants users to 'consent' to personal data sharing with ~700 third parties, many of them data brokers.

The GDPR Article 26 infringement identified by CNIL is interesting, but the decision doesn't really address the fundamental issues with extensive personal data sharing across thousands of companies in today's surveillance marketing ecosystem, from ID matching to profiling to RTB.

These issues will remain unaddressed until a DPA starts to question if there can be 'informed' consent to opaque personal data sharing and profiling across so many opaque firms at all.

The Belgian DPA suggested that TCF consent may not be valid. Take a risk and try to prove it!

I just checked the doctissimo website.

During my initial visit, after pseudo-consenting, the site connected to dozens of third parties, from big tech (e.g. G, FB, Amzn, MS/Xandr, TikTok) to other adtech firms and data brokers (e.g. LiveRamp, Tapad, MediaMath, PubMatic, Taboola).

A lot of them received IDs from my browser and stored them, which is not just about 'cookies' but about large-scale *personal data processing*.

Several of them not only processed pseudonymous IDs but also received the referer, which potentially enables large-scale profiling.

As everyone in the industry knows, this is completely out of control. It's impossible to know which parties receive personal data via RTB. I think it's also impossible to know how hundreds of TCF parties generally process personal data for ID matching, singling out and profiling.

I don't think you can 'consent' to personal data flowing into this interlinked cesspool of tracking+profiling across the digital world.

Btw. I also cannot believe that doctissimo now has clean joint-control contracts with everyone it shares data with and across the supply chain.

In my view, European DPAs often tend to go the easy route by focusing on e.g. special category data, data security, retention, superficial information and 'consent' requirements. And yeah, I'm afraid the strong focus on data transfers, while relevant, has also blocked resources.

To address the unresolved issues in today's interlinked real-time data industry, DPAs must move towards its core.

Take distributed processing, which looks ephemeral and almost meaningless on its own but results in massive processing at scale, seriously.

See e.g. this thread (Twitter):
https://twitter.com/WolfieChristl/status/1488168017729138689

“I want to share some more details about what we found in our investigation into gambling data that are highly relevant to GDPR enforcement and privacy regulation at large. For example, this is how companies share personal data with each other during a bunch of 'cookie syncs'.”

Look into the supply chain, the adtech firms and third-party intermediaries. What about e.g. the third parties doctissimo shared data with (or whose data processing it helped to facilitate), are there any consequences for them?

Ask whether it's possible to consent to it at all.

Don't be afraid of imposing GDPR fines and processing bans that disrupt whole business models, if they deserve to be disrupted.

Take risks. Be like Lina Khan. If this requires resources and political support, EU member states must provide them, because this fail doesn't only affect the rights of hundreds of millions.

It undermines the GDPR and trust in tech, perpetuates legal uncertainty and punishes those who comply. And it threatens the EU's ability to shape the digital economy at large.

Well, this escalated, sorry for the rant. I could have written much of the above thread on decisions by other DPAs, not only on this CNIL decision. And CNIL does at least a better job than DPC Ireland and ICO.

Anyway, I think, GDPR enforcement across Europe is suffering from too much risk aversion, too much industry appeasement and too little courage.

And it is suffering from too little focus on distributed personal data processing across many parties at scale.

I want to emphasize I'm specifically addressing GDPR enforcement fails in the web/app/device/services digital economy (and of course big tech, which is mostly Ireland's fail).

It's annoying that we still are where we are today, almost 5 (7) years into the GDPR.

Several European DPAs do a good job in many other areas though, from healthcare to insurance to employment.

Btw. the irony is that I feel like the majority of the adtech industry has actually been waiting for and *expecting* a major GDPR/EU crackdown on any marketing/advertising technology that relies on linking individual-level IDs across firms, devices and contexts for years.

It just didn't happen.
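The kind of check described in the thread above (which third parties set or receive ID cookies, which of them get the first-party page path via the Referer header, and which redirect chains look like cookie syncs) can be automated over a HAR capture exported from browser devtools. The script below is an added example and not code from the thread's author or from any of the sites or firms named; the HAR fragment, the hostnames (`example-health.test`, `tracker-a.test`, `tracker-b.test`) and the cookie values are constructed, and the "ID-like value" and eTLD+1 heuristics are simplifications (a real scan should use the Public Suffix List).

```python
"""Scan a HAR capture for third-party ID cookies, referer leakage and cookie syncs.

Added example, not part of the original thread. Assumes a HAR 1.2 structure
as exported by browser devtools. All hosts and values below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic: long opaque tokens are treated as identifiers (assumption, tune as needed).
ID_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def site(host):
    """Crude eTLD+1 (last two labels). Real scans should use the Public Suffix List."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:])


def header_values(header_list, name):
    return [h["value"] for h in header_list if h["name"].lower() == name.lower()]


def id_cookies(cookie_list):
    """Return {name: value} for cookies whose value looks like an identifier."""
    return {c["name"]: c["value"] for c in cookie_list if ID_RE.match(c.get("value", ""))}


def analyze(har, first_party_url):
    """Group third-party requests by site and record what each site set/received."""
    fp_site = site(urlsplit(first_party_url).hostname)
    report = {}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        s = site(urlsplit(req["url"]).hostname)
        if s == fp_site:
            continue  # first-party request (including its own subdomains)
        r = report.setdefault(s, {"ids_set": {}, "ids_sent": {},
                                  "referer_paths": set(), "sync_targets": set()})
        r["ids_set"].update(id_cookies(resp.get("cookies", [])))   # IDs stored by the 3rd party
        r["ids_sent"].update(id_cookies(req.get("cookies", [])))   # IDs the browser sent back
        # Referer carrying the first-party page path leaks what the user read.
        for ref in header_values(req.get("headers", []), "referer"):
            p = urlsplit(ref)
            if site(p.hostname) == fp_site and p.path not in ("", "/"):
                r["referer_paths"].add(p.path)
        # Cookie sync: redirect to a different third party with an ID token in the query.
        if 300 <= resp["status"] < 400:
            for loc in header_values(resp.get("headers", []), "location"):
                l = urlsplit(loc)
                if l.hostname and site(l.hostname) not in (s, fp_site):
                    for key, val in parse_qsl(l.query):
                        if ID_RE.match(val):
                            r["sync_targets"].add((site(l.hostname), key))
    return report


def summarize(report):
    lines = []
    for s, r in sorted(report.items()):
        lines.append(f"{s}: set={sorted(r['ids_set'])} sent={sorted(r['ids_sent'])} "
                     f"referer_paths={sorted(r['referer_paths'])} "
                     f"syncs={sorted(r['sync_targets'])}")
    return lines


# Constructed HAR fragment: a health article, a tracking pixel that sets an ID and
# redirects to a second tracker (cookie sync), and a first-party CDN request.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.example-health.test/article/diabetes-symptoms",
                 "headers": [], "cookies": []},
     "response": {"status": 200, "headers": [], "cookies": []}},
    {"request": {"url": "https://pixel.tracker-a.test/collect?ev=pageview",
                 "headers": [{"name": "Referer",
                              "value": "https://www.example-health.test/article/diabetes-symptoms"}],
                 "cookies": []},
     "response": {"status": 302,
                  "headers": [{"name": "Location",
                               "value": "https://sync.tracker-b.test/match?partner=a&uid=AbCdEf0123456789xyz"}],
                  "cookies": [{"name": "uid", "value": "AbCdEf0123456789xyz"}]}},
    {"request": {"url": "https://sync.tracker-b.test/match?partner=a&uid=AbCdEf0123456789xyz",
                 "headers": [{"name": "Referer",
                              "value": "https://www.example-health.test/article/diabetes-symptoms"}],
                 "cookies": [{"name": "bid", "value": "Zz9y8x7w6v5u4t3s2r1q"}]},
     "response": {"status": 204, "headers": [], "cookies": []}},
    {"request": {"url": "https://cdn.example-health.test/app.js", "headers": [], "cookies": []},
     "response": {"status": 200, "headers": [], "cookies": []}},
]}}

if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_HAR, "https://www.example-health.test/")):
        print(line)
```

On a real capture, load the HAR with `json.load` and pass the site's origin as `first_party_url`; the `referer_paths` column is the part that turns "cookies" into personal data processing, since the path of a health article says what the visitor was reading.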

@wchr yes, this is the same industry that developed detailed standards for avoiding fraudulent ad placement...and then mostly doesn't even use them so that they can continue putting ads on infringing sites. (imho publishing and other ©-holding industries have just as much of a beef with them as the people who are being tracked)

https://blog.zgp.org/ad-supported-piracy/