The big news this November was the European Data Protection Board (the “EDPB”) issuing its highly anticipated post-Schrems II data transfer guidance, followed just a day later by the European Commission’s draft updated Standard Contractual Clauses (“SCCs”) (see our blog post here).  In case you missed them while trying to solve the data transfer conundrum, here are ten more enforcement and policy developments you should know about.

Bonn Regional Court slashes Telco’s €9.55 million fine by over 90%.  On 11 November, the Regional Court of Bonn slashed telco 1&1’s fine for various GDPR violations from €9.55 million to €900,000, after concluding that the initial sum was unreasonably high.  Back in December 2019, the federal German data protection authority (“DPA”) fined 1&1 for an inadequate customer service authentication procedure, which allowed callers to obtain personal data about other 1&1 customers by providing that customer’s name and date of birth only.

While the Regional Court accepted that 1&1’s authentication procedures were insufficiently robust, it considered the breach to be minor given it did not result in the disclosure of more sensitive information, such as itemised bills or bank account details, or involve the mass disclosure of information to unauthorised recipients.  The absence of previous issues with 1&1’s customer authentication procedure was another factor which led to the over 90 percent reduction.

The reduction echoes the British Airways and Marriott fines by the UK Information Commissioner’s Office (“ICO”), which were approximately 10 and 20 percent, respectively, of those proposed initially.  The large reductions highlight the potential value of challenging penalties, either directly with DPAs or through the courts.

CNIL imposes over €3 million of fines on leading French headquartered retailer.  On 26 November, France’s DPA, the CNIL, imposed a €2.25 million fine on Carrefour France, a multinational retail corporation, and an €800,000 fine on its banking subsidiary, for breaches of the GDPR and French data protection legislation.  The CNIL found that processing of personal data through Carrefour’s loyalty programme was not sufficiently transparent, in breach of Article 13 of the GDPR, and that both entities were automatically placing cookies without user consent.

The CNIL also found that Carrefour France systematically required proof of identity for data access requests, thus not facilitating the exercise of data subjects’ rights, and then subsequently failed to provide a timely response to them.  The CNIL also took issue with the French retailer retaining the data of more than 28 million customers who had been inactive for up to ten years.  See our tips on data retention here.

The fines are yet another example of the CNIL taking enforcement action in non-data breach scenarios and rolling a wide range of GDPR compliance failings into a single penalty, highlighting the need for end-to-end data protection compliance frameworks.

French Court confirms that CNIL may issue sanctions without prior notice. On 4 November, France’s highest administrative court – the Conseil d’Etat – upheld a €400,000 fine imposed on Sergic, a French real estate company, for data security and retention failures.  The CNIL found that Sergic had failed to provide adequate user authentication, which contributed to the exposure of salary details, identification documents and tax notices, and considered Sergic’s data retention periods to be excessive.

The Court rejected Sergic’s appeal and found the €400,000 fine to be proportionate, in light of the seriousness of the breach and the sensitivity of the personal data disclosed. The Court also clarified the mechanics underpinning the CNIL’s decision making process.  The CNIL’s authorised agents were found to be entitled to access data made public through a data breach to advance its investigations, and the CNIL’s president was under no obligation to issue a formal notice to Sergic before referring the case to the restricted committee, which rules on penalty decisions.

“One Stop Shop” dispute resolution mechanism used for the first time.  The EDPB issued its first decision under the GDPR’s “one stop shop” dispute resolution mechanism, after European DPAs failed to agree on enforcement action against Twitter proposed by the Irish Data Protection Commission (“DPC”) in May 2020.  Regulators reportedly disagreed over the proposed fine, the GDPR provisions that Twitter allegedly breached, and the role of Twitter International Company (Twitter’s Irish entity) as the sole data controller for the relevant processing activities.

On 9 November, the EDPB agreed by a two-thirds majority on enforcement action against Twitter. The DPC now has one month to issue the enforcement decision against Twitter.  This is the first time that the dispute resolution mechanism has been used, and shows how the EDPB helps to ensure consistency between DPAs’ enforcement action. Companies facing enforcement actions through their lead supervisory authority for cross-border GDPR issues, though, may need to factor in additional time to resolve matters if DPAs’ views differ on how they should be dealt with.

German state DPA commends Microsoft’s response to Schrems II.  The Baden-Württemberg DPA welcomed Microsoft’s proposals to strengthen data protection for EU-US data transfers. Microsoft’s measures respond to the landmark Schrems II decision, which permits international data transfers using SCCs only if the recipient country has adequate protections in place to safeguard personal data.  The wide-reaching powers of US intelligence agencies have made transfers to the US a particular area of concern for international businesses.

In response, Microsoft has announced that it is amending its standard terms in line with the EDPB’s recent guidance (see our blog post here) and is providing two additional safeguards. First, and most significantly, Microsoft says that it will review and, where appropriate, challenge every request from any government for access to its customers’ data. Second, Microsoft will compensate individuals if Microsoft unlawfully discloses their personal data to any public authority (albeit this right to compensation is already enshrined in Article 82 GDPR). Microsoft further states that it will inform its customers about any governmental orders requesting data access.

The Baden-Württemberg DPA commended Microsoft’s efforts to deliver “significant improvements for the rights of European citizens.”  The DPA acknowledged that the proposals would still fall short of solving the issues surrounding mass surveillance by US intelligence agencies.  Furthermore, a critical review of the Baden-Württemberg DPA by a member of the Berlin Supervisory Authority suggests that other German state DPAs may not share its views. Nonetheless, Microsoft’s statement shows the types of measures large corporations are implementing to attempt to comply with the Schrems II judgment.

Facebook class action filed in the UK.  The ‘Facebook You Owe Us’ group has filed a claim in the English High Court against Facebook’s U.S. parent company and its Irish subsidiary.  The class action is being brought on behalf of almost one million UK residents affected by the Cambridge Analytica scandal, who are seeking compensation for the unlawful collection and use of their personal data between 2013 and 2014. The court case comes one year after the ICO’s settlement with Facebook, which resulted in a £500,000 fine, despite the social media giant denying liability for data protection violations.

The campaign group has said that it will seek compensation “for loss of control of personal data”.  While the Facebook class action is likely to hinge on the outcome of the Lloyd v Google appeal to the Supreme Court, due to be heard in April 2021, it reflects the wider trend of data protection class actions being brought before English courts with potentially huge financial consequences (see our September Roundup).

Google Sweden delisting fine upheld but reduced. On 23 November, the Stockholm Administrative Court ruled that Google’s policy of informing website operators, known as webmaster notification, after taking down search results following right-to-be-forgotten requests, breached the GDPR.  The Swedish DPA previously concluded that Google’s policy was likely to identify requesters, which would allow website owners to republish the relevant pages, effectively invalidating the right-to-be-forgotten delisting. Google maintained that its policy was protected by freedom of expression and information laws and reaffirmed that it was not sharing personal data in the delisting process.

The court took a different view, and found that the webmaster notifications amounted to processing of personal data for which there was no legal basis. The court upheld the Swedish DPA’s decision to fine Google, but reduced the fine from €7.3 million to €5 million.  The decision sheds light on the practicalities of the right-to-be-forgotten principle under the GDPR, and may lead to other European DPAs following Sweden’s lead given Google’s pan-European reach.

ICO taken to court over perceived failures to investigate adtech industry.  Privacy campaigners at the Open Rights Group have filed a legal challenge against the ICO over its perceived lack of enforcement against the online advertising industry.  The ICO halted its investigation into the adtech industry’s GDPR compliance during the COVID-19 pandemic, having published a report on its “systematic concerns” in June 2019.  The UK Competition and Markets Authority published a similarly scathing report in July 2020 and recently announced that a Digital Markets Unit will be set up to regulate tech giants and their digital advertising practices.

The claim comes at a time when there is growing appetite across Europe to take a tougher stance on targeted advertising.  Last month the Belgian DPA reached an initial conclusion that the Interactive Advertising Bureau Europe, an industry body which oversees ad auctions and online bidding marketplaces, most likely breached the GDPR.  The Irish DPC also continues to investigate Google’s advertising tools and how it handles personal information, while in Germany, the federal competition authority is investigating the dominant players in the online advertising sector.

The European Commission takes action against Amazon’s use of marketplace data. The European Commission has reached a preliminary view that Amazon abuses its dominant position as a marketplace service provider in France and Germany, a claim which Amazon strongly refutes.  The Commission’s statement of objections claims that Amazon is using the business data of independent sellers on its marketplace to compete with them.

As a marketplace service provider, Amazon has access to non-public business data of third-party sellers, such as the number of visits to their offers, the number of products sold, and their revenues. The Commission found that this information flowed directly into Amazon’s retail business systems, which Amazon then allegedly uses to calibrate its retail offers and strategic business decisions. The Commission, therefore, alleges that Amazon’s access to extensive, granular and real-time market data gives it an unfair advantage over its competitors. As covered in previous blog posts, the interface between data protection and competition law is becoming an increasingly frequent area of regulatory scrutiny.

EU Council publishes revised draft ePrivacy Regulation.  Last month, the German presidency of the EU Council published the latest draft ePrivacy Regulation.  Initially intended to enter into force at the same time as the GDPR, the draft Regulation has undergone several iterations. The most notable revisions to the draft Regulation in the latest update include the removal of the “legitimate interests” carve out for processing communication data – a position supported by the EDPB, but condemned by mobile and telecoms associations, who claim that it will hamper data-driven innovation.

The latest draft would also allow Member States to remove supplementary restrictions on data retention and reintroduces provisions which state that information from end-users’ terminal equipment should only be collected if it is “strictly technically necessary” for services “specifically” requested.  While it remains unclear when the Regulation will be finalised, it will have far-reaching consequences when it does, and companies may need to devote significant resources to ensure compliance.


The authors would like to thank Debevoise trainee associates Clementine Coudert, Jesse Hope, Diana Moise, and Charles Thompson for their contribution to this article.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Robert Maddox is an associate based in the London office and a member of Debevoise's White Collar & Regulatory Defense and International Dispute Resolution Groups, as well as the firm’s Data Strategy & Security practice. His practice focuses on complex multi-jurisdictional investigations, disputes and cybersecurity matters. He can be reached at rmaddox@debevoise.com.

Author

Christopher Garrett is an English-qualified associate who is a member of the Debevoise Data Strategy & Security practice and part of the Corporate Department, also specialising in employment law. He can be reached at cgarrett@debevoise.com.

Author

Dr. Friedrich Popp is a senior associate in Debevoise's Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law. He can be reached at fpopp@debevoise.com.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

Hilary Davidson is a corporate associate and a member of Debevoise's Mergers & Acquisitions Group. Ms. Davidson’s practice focuses on private M&A, with particular experience advising private equity clients. This has included advising on joint ventures, cross-border mergers and acquisitions and secondary and co-invest transactions. She can be reached at hdavidson@debevoise.com.

Author

Jennifer Deschins is an associate in the Frankfurt office and a member of the firm’s Litigation Department. Her practice focuses on Arbitration, Litigation, Internal Investigations, Cyber Privacy, Data Protection, Anti-Money Laundering and Competition Law.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Ariane Fleuriot is an associate in Debevoise's Litigation Department. She can be reached at afleuriot@debevoise.com.

Author

Sara Ewad is an associate in the London office and a member of the firm’s International Dispute Resolution Group.