
The past week in data protection

Here are the data protection news items which caught my eye this week:

  • Firstly, a bit of breaking news. The Irish DPC has fined Meta €91m for inadvertently storing users' passwords in 'plaintext' on its internal systems. The full decision is yet to be published but the DPC has found breaches of both the general security principle under Article 32 and the obligation to notify the DPC of the breach under Article 33. Interestingly, the fine appears to have been issued because of the alleged insufficiency of the measures per se rather than because there was any unauthorised use of the passwords or any harm caused to data subjects. It is also notable because over the last couple of years the DPC has seemingly been more focussed on lawful processing issues rather than on security-related enforcement.
     
  • The CJEU has clarified that data protection authorities are not required to impose corrective measures (in particular fines) in every case where they establish that there has been a breach of the GDPR (C-768/21). The court held that DPAs have sufficient discretion to determine how best to remedy the shortcomings they identify, and that it may be appropriate not to issue a penalty where a controller has already itself remedied the situation. This will be a welcome outcome for DPAs, allowing them to continue to use their limited enforcement resources in a proportionate way. However, the court makes clear that the discretion is still limited by the need to ensure a high level of protection for data subjects.
     
  • The CNIL has published detailed guidance concerning the design and development of mobile apps, which is aimed at app publishers, app developers, SDK providers, operating system providers and app stores. In particular, the guidance contains analysis on the specific roles of each of the above parties to the development process (e.g. controller, processor, joint controller). The CNIL has also indicated that enforcement is coming, stating that it will be undertaking a specific investigation into mobile applications from early Spring 2025.
     
  • NOYB has filed a complaint with the Austrian data protection authority against Mozilla claiming that its Firefox browser tracks users’ online behaviour without consent. NOYB alleges that Mozilla has enabled a “privacy preserving attribution feature” which has turned the browser into a tracking tool for websites. Back in 2019 Mozilla was one of the first browsers to block third-party cookies by default. This latest complaint demonstrates that the roll-out of technical alternatives to third-party cookies will continue to face significant scrutiny.
