
Italian Privacy Authority considers "personalized" advertising based on legitimate interest unlawful and TikTok adapts

Last June (June 2022), TikTok publicly announced that it would soon begin showing its users aged 18 and over advertising based on behavioural profiling of their activity on the platform, without asking the data subjects for consent, relying instead on the legitimate interest of the controller (Dublin-based TikTok Technology Limited itself) as the legal basis.

In a measure adopted as a matter of urgency on July 7, the Garante (Italy's data protection authority) warned TikTok that such processing would be unlawful, not under the GDPR (the European Privacy Regulation), but because it is contrary to Article 5(3) of the ePrivacy Directive (Directive on privacy and electronic communications) and to Article 122 of the Italian Privacy Code. According to the Garante, storing information on, or gaining access to information already stored in, the terminal equipment of a subscriber or user requires that person's consent as its only admissible legal basis: Article 5(3) is a special rule for cookies and similar techniques, so a controller cannot fall back on one of the other GDPR legal bases, such as legitimate interest, to read the identifiers that behavioural profiling depends on.

In the same notice the Garante, noting that TikTok (like other social networks) is unable to verify reliably which users are of legal age, highlighted the risk that such advertising could also reach minors.

Because the breach concerned the ePrivacy Directive, the Garante could act directly and urgently against TikTok, outside the GDPR's one-stop-shop cooperation procedure, which would otherwise have routed the case through the authority of TikTok's main establishment. At the same time, the Authority informed the Irish Data Protection Commission, Ireland being the country where TikTok has its main establishment, and the European Data Protection Board.

TikTok's privacy policy (as viewed on September 13) now states that personalised advertisements based on the user's activity on and off the platform will be shown only with the user's consent (https://bit.ly/3xkqC5e).

TikTok has therefore, sensibly, put personalised advertising based on legitimate interest on hold.

The Italian Garante also halts the use of Google Analytics: some alternative solutions

Running a website or mobile application requires traffic and/or performance statistics, which are often essential to delivering the service. The market standard in this area is Google Analytics (GA), whose use in its current configuration has now been found unlawful, so website operators will soon have to change their approach.

In an order dated June 9, 2022, the Garante reprimanded the operator of a website and ordered it to bring its processing into compliance. The site was using the GA service, which transfers European users' data to the United States, a country that does not offer an adequate level of protection. A member of the Garante's board also confirmed that the broad series of audits on this issue scheduled by the Authority has begun.

The Garante's investigation found that operators of websites using GA collect, through cookies, information on users' interactions with those sites, the individual pages visited and the services used. Among the data collected are the IP address of the user's device and information about the browser, operating system, screen resolution, selected language, and the date and time of the visit. This information, which is personal data, was found to be transferred to the United States without adequate safeguards, and the processing was therefore declared unlawful. GA's optional IP-anonymisation setting (truncation of the last octet of the address) did not change the assessment: the truncated address remains personal data, since Google can link it to the other data it holds on the same user.

The legal background is the Court of Justice of the European Union's judgment of July 2020 (Schrems II, case C-311/18), which invalidated the Privacy Shield, the Commission adequacy decision (Decision 2016/1250) that governed personal data transfers from the European Union to the United States. The Court found that U.S. surveillance law did not limit access by U.S. authorities to European residents' personal data to what is strictly necessary and gave those residents no effective judicial remedy, so the decision did not provide the required safeguards.

In March 2022, the European Commission and the United States issued a joint statement announcing an agreement in principle on a future framework for data flows to the United States. This is a political announcement with no legal effect: on April 6, 2022, the European Data Protection Board (the EDPB, the body that brings together the European privacy authorities) issued a statement clarifying that the announcement is not a legal framework that organisations can rely on to transfer data to the United States.

CNIL's contribution

The privacy authority that has so far analysed these issues in the most practical terms is the French one.

The French privacy authority (CNIL) has made it clear that the use of GA is unlawful under the GDPR, and remains so even where the data are pseudonymised or encrypted before transfer: the collecting endpoint in the United States still receives the raw connection data (the client's IP address and browser headers) and holds the encryption keys, so such measures do not prevent access by the recipient.
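To make the point concrete, the following Python script (an added example for this article, not code from the Garante, the CNIL or Google) reconstructs what a GA-style collection endpoint learns from a single browser hit, alongside the data categories the Garante enumerated above. Parameter names follow the public Universal Analytics Measurement Protocol (tid, cid, dl, dr, ul, sr, ua, uip, aip); the collect URL, client address, headers and timestamp are constructed for the example. The script shows why measures applied before transfer, such as the aip=1 option or hashing the client identifier, do not change what crosses the Atlantic: the IP address and User-Agent arrive with the connection itself, and any truncation happens at the recipient, after receipt.

```python
"""What a Google Analytics-style collection endpoint receives from one hit.

Added example (not code from the Garante, the CNIL or Google).  Parameter
names follow the public Universal Analytics Measurement Protocol; the sample
hit, client IP, headers and timestamp are constructed for this illustration.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Measurement Protocol parameters mapped to the data categories the Garante
# listed as leaving the site.
PARAM_CATEGORY = {
    "cid": "client identifier (value of the _ga cookie)",
    "dl": "page visited",
    "dr": "referring page",
    "ul": "selected language",
    "sr": "screen resolution",
    "ua": "browser / operating system (user-agent override)",
    "uip": "IP address (explicit override)",
}

# Constructed hit, as a page's tracking script would emit it with the
# "anonymize IP" option (aip=1) switched on and no ua/uip override.
SAMPLE_HIT = (
    "https://www.google-analytics.com/collect"
    "?v=1&tid=UA-000000-1&cid=1234567890.1654732800&t=pageview"
    "&dl=https%3A%2F%2Fwww.example.it%2Fcontatti&ul=it-it&sr=1920x1080&aip=1"
)
SAMPLE_CLIENT_IP = "203.0.113.7"  # constructed, documentation range
SAMPLE_HEADERS = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"}
SAMPLE_TIME = datetime(2022, 6, 9, 10, 30, tzinfo=timezone.utc)


def parse_hit(hit_url: str) -> dict[str, str]:
    """Single-valued view of the query-string parameters of a collect URL."""
    query = parse_qs(urlsplit(hit_url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def anonymize_ip_requested(hit_url: str) -> bool:
    """True when the tracking script asked the endpoint to truncate the IP."""
    return parse_hit(hit_url).get("aip") == "1"


def data_received_by_endpoint(hit_url, client_ip, headers, received_at):
    """Everything the collection endpoint learns from one hit.

    The query string is only part of it: the TCP connection reveals the
    client's IP address and the HTTP request carries the User-Agent header,
    whatever the tracking script put in the URL.  Anything done before
    transfer (aip=1, hashing cid, ...) therefore does not change what reaches
    the endpoint; truncation or key handling happens there, after receipt.
    """
    params = parse_hit(hit_url)
    received = {
        "destination": urlsplit(hit_url).netloc,
        "IP address (from the TCP connection)": client_ip,
        "browser / operating system (User-Agent header)": headers.get("User-Agent", ""),
        "date and time of the visit": received_at.isoformat(),
    }
    for key, category in PARAM_CATEGORY.items():
        if key in params:
            received[category] = params[key]
    return received


if __name__ == "__main__":
    report = data_received_by_endpoint(
        SAMPLE_HIT, SAMPLE_CLIENT_IP, SAMPLE_HEADERS, SAMPLE_TIME
    )
    for category, value in report.items():
        print(f"{category}: {value}")
    print("IP truncation requested (aip=1):", anonymize_ip_requested(SAMPLE_HIT))
```

Run it and the report lists the full client IP and User-Agent next to the page, language and screen resolution from the URL, even though the hit carries aip=1 and no uip override. The same holds for any site-side pseudonymisation of cid: the endpoint that is asked to drop or remap identifiers is the one already in possession of the raw data.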

A question then arises. Can data continue to be transferred outside the EU using the legal basis of data subjects' consent?

Explicit consent of the data subjects is one of the derogations that Article 49 of the GDPR provides for specific situations. However, as the EDPB Guidelines 2/2018 on those derogations make clear, they may only be used for occasional, non-systematic transfers and cannot be a permanent, long-term solution, since an exception cannot become the general rule. The consent must also be explicit and informed about the specific risks of the transfer.

Since neither explicit consent (for systematic transfers) nor GA in its current form can validly be used, are there alternatives that are legitimate?

The CNIL has published a list of audience-measurement tools that are exempt from the consent requirement when properly configured.

These are tools whose vendors have demonstrated to the CNIL that they can be configured so as to be limited to what is strictly necessary to provide the service (aggregate audience measurement, with no cross-site tracking), so that the consent exemption for strictly necessary cookies applies. The exemption depends on that configuration, not on the product name: the same tool deployed with its default tracking features switched on would again require consent.

Whichever software is chosen, it is always necessary to verify, as far as possible, that the vendor has no ownership or organisational ties with a parent company established in a country whose law allows its intelligence services to compel access to personal data held in another territory (the United States, for example, but also China), and to assess the legal framework of the country to which the data are exported. Where the tool is hosted as a service, the location of the hosting provider and of any sub-processors is part of the same assessment.

The software listed by the CNIL

Without going into the configuration required to use these tools legitimately (which depends on several variables), the CNIL's list is as follows:

  • Analytics Suite Delta by AT Internet;
  • SmartProfile by Net Solution Partner;
  • Wysistat Business by Wysistat;
  • Piwik PRO Analytics Suite;
  • Abla Analytics by Astra Porta;
  • BEYABLE Analytics by BEYABLE;
  • etracker Analytics (Basic, Pro, Enterprise) by etracker;
  • Web Audience by Retency;
  • Nonli;
  • CS Digital by Contentsquare;
  • Matomo Analytics by Matomo;
  • Wizaly by Wizaly SAS;
  • Compass by Marfeel Solutions;
  • Statshop by Web2Roi;
  • Eulerian by Eulerian Technologies;
  • Thank-You Marketing Analytics by Thank-You;
  • eStat Streaming by Médiamétrie;
  • TrustCommander by Commanders Act.

The following sources were used in preparing this article and are recommended for further reading.

  • Google: the Garante halts the use of Analytics. Data transferred to the US without adequate safeguards (Garante press release)
  • The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (PDF, 322 KB) - CJEU
  • Alternatives to third-party cookies: what consequences regarding consent?
  • [FR] Utilisation de Google Analytics et transferts de données vers les États-Unis : la CNIL met en demeure un gestionnaire de site web