As covered in our Annual Review, 2020 was a blockbuster year for European data protection. If January is anything to go by, 2021 will be the same. New data breach notification guidance from the European Data Protection Board (“EDPB”), multi-million Euro penalties from DPAs in Germany, Spain and Norway, and court rulings on discriminatory use of algorithms, the one-stop-shop and GDPR’s territorial scope were all in the mix. Here are our “need to know” stories from January.
French DPA fines company and its service provider for inadequate credential stuffing controls and issues guidance for companies. On 27 January, the CNIL announced €150,000 and €75,000 fines against a company and its service provider respectively for inadequate credential stuffing controls which led to the exposure of approximately 40,000 website customers’ names, email addresses, order information and loyalty card balances. The fine is a rare example of a DPA penalising both the data controller and processor for the same failing. Deficiencies identified by the CNIL included not limiting the number of login requests from the same IP address and an absence of multifactor authentication. The CNIL also published credential stuffing guidance, which recommends further protections, including CAPTCHA puzzle-solving tests, consulting repositories of breached passwords, and usernames which are not based on users’ email addresses. The guidance also appears to suggest that the mere use of credentials obtained elsewhere to access an individual’s online account may not trigger GDPR notification obligations in the absence of unauthorised access to (or other interaction with) further personal data.
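To make the controls the CNIL identified concrete, the following is an added example (not code from the CNIL, the fined company or its service provider) of a login path that applies two of them: a sliding-window limit on login attempts per source IP address, and a check of the submitted password against a repository of breached passwords, with a second factor required whenever the user is enrolled or the password is known-breached. The class and function names, the PBKDF2 parameters, the IP addresses and the three-entry breached-password set are all constructed for the example; a real deployment would query an actual breached-password service rather than a local set, and would add the CAPTCHA step the guidance also recommends.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed sample of a breached-password repository, stored as SHA-1 of the
# plaintext (the form such lists are commonly distributed in). The three
# entries are made up for this example.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password123", "qwerty", "letmein")
}


def is_breached_password(password: str) -> bool:
    """True if the password appears in the (sample) breached-password set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 for stored credentials (KDF chosen for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, mfa_enrolled: bool = False) -> dict:
    """Build a constructed user record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "mfa_enrolled": mfa_enrolled}


class LoginGuard:
    """Sliding-window limit on login attempts per source IP address."""

    def __init__(self, max_attempts=10, window_seconds=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                    # injectable so tests can control time
        self._attempts = defaultdict(deque)   # ip -> timestamps of recent attempts

    def _prune(self, ip: str, now: float) -> None:
        q = self._attempts[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, ip: str) -> bool:
        now = self.clock()
        self._prune(ip, now)
        return len(self._attempts[ip]) < self.max_attempts

    def record(self, ip: str) -> None:
        self._attempts[ip].append(self.clock())


def attempt_login(guard: LoginGuard, users: dict, ip: str, username: str, password: str) -> str:
    """Return 'rate_limited', 'invalid', 'mfa_required' or 'ok'.

    Every attempt counts toward the per-IP limit, successful or not, so a
    credential-stuffing run cannot reset its budget by guessing correctly.
    """
    if not guard.allowed(ip):
        return "rate_limited"
    guard.record(ip)

    user = users.get(username)
    if user is None:
        # Spend the same KDF cost for unknown usernames so response timing
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return "invalid"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return "invalid"

    # Correct password: step up to a second factor if the user is enrolled,
    # and also if the password is known-breached (a credential-stuffing signal).
    if user["mfa_enrolled"] or is_breached_password(password):
        return "mfa_required"
    return "ok"


if __name__ == "__main__":
    guard = LoginGuard(max_attempts=3, window_seconds=60)
    users = {"alice": make_user("correct horse battery"), "bob": make_user("qwerty")}
    for _ in range(4):
        print(attempt_login(guard, users, "203.0.113.5", "alice", "wrong"))  # 3 x invalid, then rate_limited
    print(attempt_login(guard, users, "198.51.100.7", "bob", "qwerty"))      # mfa_required (breached password)
```

The per-IP window is deliberately simple; attackers distributing a stuffing run across many addresses will need additional signals (per-account limits, device reputation, the CAPTCHA step), which is why the guidance lists several layered protections rather than one.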
German electronics retailer fined €10.4m for employee and customer privacy violations. On 8 January, the Lower Saxony DPA fined German electronics retailer notebooksbilliger.de €10.4m for unlawful video monitoring of employees and customers spanning at least two years. The company claimed that it had installed video cameras to, among other things, deter and investigate criminal acts. However, the surveillance system was deemed to be neither limited to a specific period, nor to specific employees, as required by local law. The DPA stressed that the alleged deterrent effect of video surveillance could not justify a permanent and unprovoked violation of the personal rights of employees and customers. The penalty is the Lower Saxony DPA’s highest to date, and comes only months after the Hamburg DPA fined retailer H&M €35.3m for monitoring employees’ private lives. While notebooksbilliger.de has appealed, both penalties show that companies need to be wary not only of how they treat customer data, but also employee data.
Spanish DPA hands CaixaBank record €6m fine. Only one month after the record-breaking €5m fine against BBVA, the Spanish DPA issued a €6m fine against CaixaBank. The Spanish DPA penalised the multinational financial services company for GDPR failings including imprecise privacy policies and unlawfully transferring data between group companies. In contrast to last year, where the Spanish regulator appeared to opt for a higher number of lower-value penalties, the recent decisions are a reminder that businesses should not bank on historical enforcement patterns being set in stone.
Adtech back in the spotlight: Grindr faces €10m fine and ICO resumes investigations. On 24 January, the Norwegian DPA announced a proposed €10m fine against social networking app Grindr for alleged non-GDPR compliant data sharing. According to the DPA, Grindr shared user data – including GPS location and user profile information, such as age and gender – with ad tech companies without valid consent. The Norwegian DPA criticised Grindr’s “take it or leave it” terms and conditions, which users had to accept in their entirety to use the app and which failed to explain Grindr’s data sharing arrangements sufficiently. The fact that third parties could infer users’ sexual orientation through their presence on Grindr – special category data under the GDPR – further aggravated the breach. While not final, the proposed penalty – 10% of Grindr’s annual global turnover – would be the Norwegian DPA’s largest fine to date, and signals renewed focus on the adtech industry. This was bolstered by the ICO’s announcement that it is resuming investigations into real time bidding and the adtech industry that were paused in May 2020 due to COVID-19.
EDPB publishes new data breach notification guidance. The EDPB has issued new guidelines on data breach notification which cover common incidents including ransomware, data exfiltration, and lost or stolen documents and devices. The guidelines highlight good and bad practices, how risks should be identified, as well as what factors should be taken into account when making notification decisions. For instance, the guidelines suggest that with a business email compromise aimed at diverting B2B wire transfers, notification to individuals may still be required where their personal data was auto-forwarded to the attacker notwithstanding that the attacker was unlikely to be targeting that data. The guidelines also flag considerations that the EDPB feels should apply to every incident, including:
- Establishing procedures and internal guidelines on how to handle data breaches and training staff to ensure they are prepared.
- Assessing and identifying vulnerabilities to prevent data breaches from happening.
- When breaches occur, assessing whether a breach is likely to result in a risk to the rights and freedoms of the data subject and documenting that analysis and the breach response.
The guidelines will be a new “go to” resource for those preparing for, and responding to, data breaches.
Deliveroo algorithm ruled discriminatory by Italian court. At the very end of last year, a court in Bologna concluded that Deliveroo’s shift allocation algorithm was discriminatory. The case examined an automated ranking system, where drivers could access upcoming shifts based on their reliability: those who regularly turned up to work had more shifts to pick from. The judge found that the algorithm did not distinguish between legitimate reasons for not showing up to work – such as childcare responsibilities or going on strike – and genuine unreliability, and as a result held that some workers were unfairly punished by having access to fewer shifts. Deliveroo was ordered to pay €500,000 in compensation and to publish details of its automated system on its website. The decision draws parallels with the AI-related claims brought against Uber in the Netherlands, and is another example of the cross-over between data protection and employment law. In particular, it highlights the need to ensure that this type of decision-making does not have a disproportionate impact on individuals with particular protected characteristics. In light of increasing scrutiny, companies using AI or algorithmic decision-making will need to think carefully about how to meet their transparency obligations.
ICO prosecutes employee for stealing data. The UK Information Commissioner’s Office (“ICO”) prosecuted a car insurance company employee for sharing insureds’ personal data with an accident claims management firm, TMS, without authorisation. The data included partial names, phone numbers, and vehicle registration numbers. TMS used the data to make marketing calls to people who had been involved in accidents. The employee pleaded guilty to conspiracy to secure unauthorised access to computer data and to selling unlawfully obtained personal data under the Computer Misuse Act 1990, and was handed a suspended sentence of eight months’ imprisonment. The case is a useful reminder that, although relatively rare, the ICO can criminally prosecute individuals for data protection related violations. Businesses may want to remind employees of those risks.
CJEU Opinion clarifies the one-stop-shop. On 13 January, the Advocate General issued its much-anticipated Opinion on when the GDPR’s one-stop-shop (“OSS”) mechanism prevents a non-lead DPA from initiating court proceedings for cross-border infringements of the GDPR.
The Belgian DPA initiated legal proceedings against Facebook Belgium, claiming that it used tracking technologies without users’ consent. Facebook countered that the Belgian DPA did not have competence to issue the proceedings as it is not Facebook’s lead supervisory authority (rather, the Irish DPC is). The Advocate General’s Opinion says that generally only a lead supervisory authority can issue legal proceedings against a company for cross-border breaches of the GDPR. However, non-lead DPAs can initiate proceedings in a limited number of situations, including:
- Where the GDPR permits non-lead DPAs to retain supervisory competence, such as investigations into cross-border data processing by public authorities.
- If the lead supervisory authority decides not to act.
- Where the processing is not cross-border, or there is no lead supervisory authority.
Full judgment from the CJEU is expected in the next few months. While not bound by the Advocate General’s Opinion, the CJEU usually follows it.
The Opinion underscores the importance of the OSS principle at a time where it has faced challenges from overlapping legislation (see the CNIL’s decision against Google). The Advocate General noted that it was not immediately obvious why the Belgian authorities were pursuing action under the GDPR – which has an OSS principle – rather than the e-Privacy Directive – which does not. The case highlights the benefits of having a main establishment in the EU and, therefore, a lead supervisory authority, which may reduce the risk of parallel enforcement action.
English court rules GDPR does not apply to U.S. website. The English High Court recently ruled that a Californian news website and a number of U.S.-based journalists were outside the GDPR’s territorial scope following data protection claims by a UK resident. The claimant alleged that the processing of his personal data in connection with online posts linking the claimant with corruption and political scandals breached the GDPR, although the judgment does not detail the specific allegations. However, the court ruled that the defendants fell outside GDPR’s territorial scope because:
- The defendants had no establishment in the EU, as there were no employees or representatives in the UK.
- The defendants did not target the UK. While the website delivered merchandise to the UK and took payments in euros and pound sterling, this did not relate to their “core” activity (journalism), which was what the claims concerned.
TalkTalk faces UK post-breach class action suit. Internet service provider, TalkTalk, is facing a new class action for alleged data protection failings linked to the company’s 2014 and 2015 data breaches. Interestingly, the particulars of claim go beyond the ICO’s conclusions that TalkTalk’s data security was inadequate. The claimants, victims of the data breaches, also allege that TalkTalk carried out an illegal international transfer when it transferred data to Indian-based information technology contractor, Wipro, kept customer data for an unnecessarily long time, and processed personal data without a lawful basis. The action is another example of data privacy class actions being filed in the English courts, and the long tail that data breaches can have for companies.
CMA investigates Google’s “Privacy Sandbox” proposals. The UK’s competition authority has launched an investigation into Google’s plans to remove third-party cookies from its Chrome browser. The privacy concerns associated with the online tracking technology are well known, and bans have already been introduced by Apple, Mozilla, and Microsoft. But given that Google Chrome holds a 50% share of the UK web browser market, the CMA is concerned that the proposals could reduce competition in the online advertising market. A significant number of digital marketers would arguably be denied tracking data and may find it harder to compete with larger players such as Facebook and Google. Following concerns raised in its digital advertising market study (see our Blog Post), the adtech industry remains a key enforcement priority for the CMA. The CMA is carrying out the investigation alongside the ICO. Businesses, particularly those in the adtech sphere, should be wary that dual regulatory scrutiny from competition and privacy regulators may be here to stay.
The authors would like to thank Debevoise trainee associates Clementine Coudert, Jesse Hope, and Diana Moise for their contribution to this article.