July was a busy month for data protection in the EU and UK. While the long-awaited Schrems II decision captured the most headlines, data protection authorities (“DPAs”) and Member State courts have been busy too. We cover here some of the highlights, ranging from a €16.7m fine in Italy – the fourth largest GDPR penalty to date – to court battles in Luxembourg, the Netherlands and the UK showing that companies need to be mindful not only of enforcement action but also litigation risk when handling personal data.
The most noteworthy GDPR enforcement action-related developments in July include:
British Airways fine potentially significantly reduced: BA’s parent company IAG has hinted that it expects a roughly 85% reduction of the ICO’s proposed £183m (c.€154m) penalty for BA’s 2018 data breach (covered by us here). IAG’s recently published Interim Management Report includes updated financial accounts setting aside just €22 million as “management’s best estimate of the amount of any penalty issued by the [ICO].” This decrease, combined with the length of time it is taking the ICO to finalise the penalty, suggests that BA has made strong arguments for why the fine originally envisaged was disproportionate to any potential GDPR violations and may encourage others to bring similar challenges in the future.
Italian telecoms company fined €16.7m for unlawful data processing: The Italian DPA fined Wind Tre €16.7m for processing personal data without a valid lawful basis during its promotional campaigns. This is the fourth largest GDPR fine to date. Among other issues, the DPA found that customers had complained about receiving unwanted calls and marketing material, and that they could not withdraw consent to their data being collected when using the company’s app. The fine is a helpful reminder of the need carefully to consider data protection compliance when developing marketing strategies.
German insurer fined €1.24m for using personal data for advertising without consent: Along the same lines as the Wind Tre fine, the Baden-Württemberg DPA fined AOK Baden-Württemberg (“AOK”), a health insurance provider, €1.24m for using around 500 individuals’ personal data for advertising without their consent. AOK organized lotteries and collected participants’ personal data in the process, including contact and health insurance details, and then used it for direct marketing. Existing technical and organizational measures aimed at ensuring that personal data was only used with individuals’ prior consent, including internal guidelines and data protection training, turned out to be insufficient. According to the DPA, AOK’s safeguards did not meet the GDPR’s Article 32 data security requirements.
Google fined €600,000 in Belgium for right to be forgotten failings: The Belgian DPA fined Google €600,000 for refusing to de-list search results relating to an unfounded sexual harassment complaint. The decision follows the 2019 record-breaking €50 million CNIL fine against Google which we covered here, as well as the Swedish DPA’s €7 million fine also for alleged failings linked to the right to be forgotten. Notably, all three fines fell outside the scope of the GDPR’s one-stop-shop mechanism and show the risk of parallel enforcement action companies may face if they do not have a lead supervisory authority for a particular data processing activity. See our blog post on the recent French court decision on the CNIL’s fine here for more information.
Danish hotel chain fined €150,000 for violating its retention policy: Reminding companies of the need to stick to the policies and procedures they set for themselves, the Danish DPA fined Arp-Hansen Hotel Group DKK 1.1m (approximately €150,000) for failing to delete around 500,000 customer profiles once the retention periods stated in its data retention policy had expired. The DPA also referred the company to the Danish police, stating that Arp-Hansen was unable to provide objective reasons to justify its continued storage of this extensive personal data. See our blog post here for tips on data minimisation.
Spanish DPA issued 21 penalties in July: July was an especially busy month for the Spanish DPA, which issued 21 fines totaling €546,600. The penalties ranged from €80,000 (for wrongfully using customers’ personal data to open unrequested telephone line contracts) to €1,000 (for sending commercial messages without consent or the ability to object). While not headline-grabbing sums, the fines show that, in some Member States at least, enforcement action is not restricted to the most serious or widespread GDPR violations.
UK ICO adtech activity on hold: Meanwhile, the ICO announced that it does not plan to restart its work on data protection in the adtech industry until “the time is right”, stressing that it does not want to place additional pressures on the industry, given the Covid-19 pandemic. Instead, this year the ICO will focus its efforts on preparing for the end of the Brexit transition period – a hot topic, given recent doubts by the European Data Protection Board over whether the UK will qualify for an “adequacy decision” with the EU, something that is more important than ever to achieve in the wake of the Schrems II decision.
In July, five cases particularly piqued our interest and reflect the broader trend towards increased levels of data protection-related litigation in the EU and UK:
Schrems II – Privacy Shield invalid and severe challenges for Standard Contractual Clauses: On 16 July, the Court of Justice of the European Union handed down its long-awaited judgment in Schrems II. Read our initial reactions to the decision here and our run-through of DPA guidance here.
Russian oligarchs secure rectification of “Trump dossiers” allegations through English courts: In early July, the English High Court issued a judgment partially in favour of three Russian individuals, which once more showed that claimants are, in the right circumstances, willing to invest substantial sums in data protection related litigation for relatively modest monetary gain.
The case centred on the intelligence memoranda prepared by private intelligence firm Orbis Business Intelligence about alleged links between Russia, Vladimir Putin and Donald Trump, better known as the “Trump Dossiers”. As many will know, copies of the dossiers were shared with the FBI, U.S. and UK government officials and Orbis’ instructing client, Fusion – a research and strategic intelligence services consultancy firm – and ultimately found their way to BuzzFeed and the Washington Post.
Among other things, the claimants argued that Orbis breached its data protection obligations by including inaccurate personal data about them in the dossiers. In particular, they objected to statements that the claimants and President Putin provided significant favours to one another, that two of the claimants provided informal foreign policy advice to President Putin and conducted his “political bidding”, and that they delivered large amounts of “illicit cash” to President Putin when he was Deputy Mayor of St Petersburg.
The Court found that Orbis took reasonable steps to ensure that the information in the dossiers was accurate, with the exception of the statement about delivering “illicit cash” to President Putin. The Court ordered Orbis to rectify that inaccurate statement and pay damages of £18,000 to two claimants for distress and reputational damage. Interestingly, the Court only felt able to award “modest damages”, as most of the claimants’ distress arose from the news outlets’ publication of the incorrect statement, and it considered that any distress was minimal as “each of the claimants is a robust character, not given to undue self-pity.”
The claimants also argued that Orbis had processed their personal data unlawfully by transferring it to the U.S. and UK authorities, Fusion, BuzzFeed and the Washington Post – this claim was dismissed. The court held that Orbis’ disclosure of the dossiers to the U.S. and UK authorities was necessary in order to safeguard U.S. and UK national security, and that its disclosure to Fusion was in accordance with its legitimate interest in fulfilling its contractual duties to its client. Finally, the court held that Orbis was not responsible for the disclosure of the dossiers to BuzzFeed and the Washington Post, as the papers had been leaked by an individual not under Orbis’ control.
Luxembourg court prevents disclosure of personal data to the DOJ: Neatly highlighting the impact the GDPR can have on white collar crime investigations (see our FCPA Update for more details), a Luxembourg court issued a preliminary judgment ordering an unnamed Swiss bank not to disclose certain personal data about one of its customers to the U.S. Department of Justice under its Swiss Bank Program. While the Court did not rule on whether the transfer would in fact have breached the GDPR, it still found the position sufficiently uncertain (and the customer’s data protection rights sufficiently important) to justify an order restraining disclosure as a preliminary measure to prevent potential imminent and irreversible damage. Only with the full decision will we see exactly how the court navigates the Article 49 derogation for cross-border transfers of personal data “necessary for the establishment, exercise or defence of legal claims”, which companies frequently rely on when cooperating with non-EU enforcement agencies. In the meantime, those wanting to rely on the derogation may want to consult the European Data Protection Board’s guidance here.
AI-related claim against Uber: This month a number of UK Uber drivers filed a claim in the Netherlands, where Uber’s European headquarters are based, for various alleged GDPR violations. The claim asserts that Uber uses various algorithms to collect information on, profile and manage the performance of its drivers, but the content of those algorithms has not been made publicly available. Using their GDPR rights, the drivers are seeking to shed light on the company’s automated decision-making process and how it affects drivers.
The claims include that Uber has allegedly repeatedly failed to provide the drivers with access to their personal data, thereby violating their data subject access rights under the GDPR. The personal data sought by the claimants includes their driver profiles, any internal notes on their profiles, information about trip ratings and other driver performance information such as punctuality, attitude and behaviour. The claimants argue that they need access to this information to ascertain how the algorithm works, and whether it complies with the automated decision-making protections in Article 22 GDPR. The claimants have requested that the court fine Uber €10,000 for each day that the company continues to be in breach of the GDPR.
Though still at an early stage, these proceedings show how the GDPR intersects with, and can be used to regulate, AI and other automated decision-making processes. The case could provide useful guidance on how much information companies have to provide individuals about algorithms that use personal data in order to be GDPR-compliant.
The allegations include that Facebook failed to adequately disclose its relevant data processing activities, and that it unlawfully shared users’ personal data with third-party app developers. Relying heavily on a 2017 ruling by the Dutch DPA that Facebook’s privacy notices did not adequately disclose the fact that users’ personal data was being processed for targeted advertising and associated data sharing, the proceedings are yet another example of claimants using DPA enforcement findings as the foundation for civil litigation.
On 30 July, the EU Council decided to impose restrictive measures against six individuals and three entities (listed in the decision) responsible for, or thought to have been involved with, cyber attacks against the EU or its Member States. These include the attempted cyber-attack against the Organisation for the Prohibition of Chemical Weapons, and the “WannaCry”, “NotPetya” and “Operation Cloud Hopper” campaigns. The restrictive measures include travel bans and asset freezes, as well as a prohibition on EU persons and entities making funds available to those subject to the sanctions. This is the first time that the EU has exercised its powers under the cyber-attacks sanctions regulation since the legislation was introduced on 17 May 2019.
As highlighted in our ransomware blog post, before making ransomware payments companies should check whether the recipient of the payment is sanctioned or might be subject to terrorist financing restrictions. Those that make payments in breach of these restrictions could face criminal penalties, including significant fines or custodial sentences.
There were a number of developments in July which further cemented the relationship between data protection and competition law issues in the EU and UK, reminding companies of the need to consider both in parallel (something that we will be covering in more detail in an upcoming blog post):
EU inquiry into smart device data protection: The EU competition agency launched an inquiry into the Internet of Things market due to fears that the market may become monopolised. The inquiry focuses on: (i) how voice assistant products interact with customers, and whether they restrict consumer choice by presenting limited options in response to user queries; (ii) how data is collected and monetised; (iii) whether products direct online consumers to preferred providers; and (iv) whether the products are capable of interacting with other smart devices without locking consumers into specific products. The inquiry report is expected to be published in spring 2021.
The FCO found that current practices violate a number of German consumer laws, including rules on data protection, consumer protection and unfair competition. In its recommendations, the FCO stressed that smart TV users should be able to make decisions in relation to their data at any time, including the decision to withdraw consent to data transfer services, requirements which the inquiry found are not currently implemented in many cases.
The FCO called for manufacturers to make privacy policies more accessible, and suggested that an option to withdraw consent should be implemented in device menus. The FCO also noted inadequate levels of transparency surrounding the type of personal data collected, the legal basis for processing and data transfers internally, externally and to third countries, as well as data retention periods.
UK proposes new Digital Markets Competition Unit: On 1 July, the UK competition authority (“CMA”) published a proposal under which a newly established Digital Markets Unit would have powers to force companies to share consumer data with competitors. The UK government has already signalled its support for the proposal which followed the CMA’s finding that around 80% of all digital advertising income in the UK is generated by Google and Facebook.