The big news this November was the European Data Protection Board (the “EDPB”) issuing its highly anticipated post-Schrems II data transfer guidance, followed just a day later by the European Commission’s draft updated Standard Contractual Clauses (“SCCs”) (see our blog post here). In case you missed them while trying to solve the data transfer conundrum, here are ten more enforcement and policy developments you should know about.
Bonn Regional Court slashes Telco’s €9.55 million fine by over 90%. On 11 November, the Regional Court of Bonn slashed telco 1&1’s fine for various GDPR violations from €9.55 million to €900,000, after concluding that the initial sum was unreasonably high. Back in December 2019, the federal German data protection authority (“DPA”) fined 1&1 for an inadequate customer service authentication procedure, which allowed callers to obtain personal data about other 1&1 customers by providing that customer’s name and date of birth only.
While the Regional Court accepted that 1&1’s authentication procedures were insufficiently robust, it considered the breach to be minor given it did not result in the disclosure of more sensitive information, such as itemised bills or bank account details, or involve the mass disclosure of information to unauthorised recipients. The absence of previous issues with 1&1’s customer authentication procedure was another factor which led to the over 90 percent reduction.
The reduction echoes the British Airways and Marriott fines by the UK Information Commissioner’s Office (“ICO”), which were approximately 10 and 20 percent, respectively, of those proposed initially. The large reductions highlight the potential value of challenging penalties, either directly with DPAs or through the courts.
CNIL imposes over €3 million of fines on leading French-headquartered retailer. On 26 November, France’s DPA, the CNIL, imposed a €2.25 million fine on Carrefour France, a multinational retail corporation, and an €800,000 fine on its banking subsidiary, for breaches of the GDPR and French data protection legislation. The CNIL found that processing of personal data through Carrefour’s loyalty programme was not sufficiently transparent, in breach of Article 13 of the GDPR, and that both entities were automatically placing cookies without user consent.
The CNIL also found that Carrefour France systematically required proof of identity for data access requests, thus not facilitating the exercise of data subjects’ rights, and then subsequently failed to provide a timely response to them. The CNIL also took issue with the French retailer retaining the data of more than 28 million customers who had been inactive for up to ten years. See our tips on data retention here.
The fines are yet another example of the CNIL taking enforcement action in non-data breach scenarios and rolling a wide range of GDPR compliance failings into a single penalty, highlighting the need for end-to-end data protection compliance frameworks.
French Court confirms that CNIL may issue sanctions without prior notice. On 4 November, France’s highest administrative court – the Conseil d’Etat – upheld a €400,000 fine imposed on Sergic, a French real estate company, for data security and retention failures. The CNIL found that Sergic had failed to provide adequate user authentication, which contributed to the exposure of salary details, identification documents and tax notices, and considered Sergic’s data retention periods to be excessive.
The Court rejected Sergic’s appeal and found the €400,000 fine to be proportionate, in light of the seriousness of the breach and the sensitivity of the personal data disclosed. The Court also clarified the mechanics underpinning the CNIL’s decision making process. The CNIL’s authorised agents were found to be entitled to access data made public through a data breach to advance its investigations, and the CNIL’s president was under no obligation to issue a formal notice to Sergic before referring the case to the restricted committee, which rules on penalty decisions.
“One Stop Shop” dispute resolution mechanism used for the first time. The EDPB issued its first decision under the GDPR’s “one stop shop” dispute resolution mechanism, after European DPAs failed to agree on enforcement action against Twitter proposed by the Irish Data Protection Commission (“DPC”) in May 2020. Regulators reportedly disagreed over the proposed fine, the GDPR provisions that Twitter allegedly breached, and the role of Twitter International Company (Twitter’s Irish entity) as the sole data controller for the relevant processing activities.
On 9 November, the EDPB agreed by a two-thirds majority on enforcement action against Twitter. The DPC now has one month to issue the enforcement decision against Twitter. This is the first time that the dispute resolution mechanism has been used, and shows how the EDPB helps to ensure consistency between DPAs’ enforcement action. Companies facing enforcement actions through their lead supervisory authority for cross-border GDPR issues, though, may need to factor in additional time to resolve matters if DPAs’ views differ on how they should be dealt with.
German state DPA commends Microsoft’s response to Schrems II. The Baden-Württemberg DPA welcomed Microsoft’s proposals to strengthen data protection for EU-US data transfers. Microsoft’s measures respond to the landmark Schrems II decision, which permits international data transfers using SCCs only if the recipient country has adequate protections in place to safeguard personal data. The wide-reaching powers of US intelligence agencies have made transfers to the US a particular area of concern for international businesses.
In response, Microsoft has announced that it is amending its standard terms in line with the EDPB’s recent guidance (see our blog post here) and is providing two additional safeguards. First, and most significantly, Microsoft says that it will review and, where appropriate, challenge every request from any government for access to its customers’ data. Second, Microsoft will compensate individuals if Microsoft unlawfully discloses their personal data to any public authority (albeit this right to compensation is already enshrined in Article 82 GDPR). Microsoft further states that it will inform its customers about any governmental orders requesting data access.
The Baden-Württemberg DPA commended Microsoft’s efforts to deliver “significant improvements for the rights of European citizens.” The DPA acknowledged that the proposals would still fall short of solving the issues surrounding mass surveillance by US intelligence agencies. Furthermore, a critical review of the Baden-Württemberg DPA by a member of the Berlin Supervisory Authority suggests that other German state DPAs may not share its views. Nonetheless, Microsoft’s statement shows the types of measures large corporations are implementing to attempt to comply with the Schrems II judgment.
Facebook class action filed in the UK. The ‘Facebook You Owe Us’ group has filed a claim in the English High Court against Facebook’s U.S. parent company and its Irish subsidiary. The class action is being brought on behalf of almost one million UK residents affected by the Cambridge Analytica scandal, who are seeking compensation for the unlawful collection and use of their personal data between 2013 and 2014. The court case comes one year after the ICO’s settlement with Facebook, which resulted in a £500,000 fine, despite the social media giant denying liability for data protection violations.
The campaign group has said that it will seek compensation “for loss of control of personal data”. While the Facebook class action is likely to hinge on the outcome of the Lloyd v Google appeal to the Supreme Court, due to be heard in April 2021, it reflects the wider trend of data protection class actions being brought before English courts with potentially huge financial consequences (see our September Roundup).
Google Sweden delisting fine upheld but reduced. On 23 November, the Stockholm Administrative Court ruled that Google’s policy of informing website operators, known as webmaster notification, after taking down search results following right-to-be-forgotten requests, breached the GDPR. The Swedish DPA previously concluded that Google’s policy was likely to identify requesters, which would allow website owners to republish the relevant pages, effectively invalidating the right-to-be-forgotten delisting. Google maintained that its policy was protected by freedom of expression and information laws and reaffirmed that it was not sharing personal data in the delisting process.
The court took a different view, and found that the webmaster notifications amounted to processing of personal data for which there was no legal basis. The court upheld the Swedish DPA’s decision to fine Google, but reduced the fine from €7.3 million to €5 million. The decision sheds light on the practicalities of the right-to-be-forgotten principle under the GDPR, and may lead to other European DPAs following Sweden’s lead given Google’s pan-European reach.
ICO taken to court over perceived failures to investigate adtech industry. Privacy campaigners at the Open Rights Group have filed a legal challenge against the ICO over its perceived lack of enforcement against the online advertising industry. The ICO halted its investigation into the adtech industry’s GDPR compliance during the COVID-19 pandemic, having published a report into the regulator’s “systematic concerns” in June 2019. The UK Competition and Markets Authority published a similarly scathing report in July 2020 and recently announced that a Digital Markets Unit will be set up to regulate tech giants and their digital advertising practices.
The claim comes at a time when there is growing appetite across Europe to take a tougher stance on targeted advertising. Last month the Belgian DPA reached an initial conclusion that the Interactive Advertising Bureau Europe, an industry body which oversees ad auctions and online bidding marketplaces, most likely breached the GDPR. The Irish DPC also continues to investigate Google’s advertising tools and how it handles personal information, while in Germany, the federal competition authority is investigating the dominant players in the online advertising sector.
The European Commission takes action against Amazon’s use of marketplace data. The European Commission has reached a preliminary view that Amazon abuses its dominant position as a marketplace service provider in France and Germany, a claim which Amazon strongly refutes. The Commission’s statement of objections claims that Amazon is using the business data of independent sellers on its marketplace to compete with them.
As a marketplace service provider, Amazon has access to non-public business data of third-party sellers, such as the number of visits to their offers, the number of products sold, and their revenues. The Commission found that this information flowed directly into Amazon’s retail business systems, which it then allegedly uses to calibrate Amazon’s retail offers and strategic business decisions. The Commission, therefore, alleges that Amazon’s access to extensive, granular and real-time market data gives it an unfair advantage over its competitors. As covered in previous blog posts, the interface between data protection and competition law is becoming an increasingly frequent area of regulatory scrutiny.
EU Council publishes revised draft ePrivacy Regulation. Last month, the German presidency of the EU Council published the latest draft ePrivacy Regulation. Initially intended to enter into force at the same time as the GDPR, the draft Regulation has undergone several iterations. The most notable revisions to the draft Regulation in the latest update include the removal of the “legitimate interests” carve out for processing communication data – a position supported by the EDPB, but condemned by mobile and telecoms associations, who claim that it will hamper data-driven innovation.
The latest draft would also allow Member States to remove supplementary restrictions on data retention and reintroduces provisions which state that information from end-users’ terminal equipment should only be collected if it is “strictly technically necessary” for services “specifically” requested. While it remains unclear when the Regulation will be finalised, it will have far reaching consequences when it does and companies may need to devote significant resources to ensure compliance.
The authors would like to thank Debevoise trainee associates Clementine Coudert, Jesse Hope, Diana Moise, and Charles Thompson for their contribution to this article.