As covered in our Annual Review, 2020 was a blockbuster year for European data protection. If January is anything to go by, 2021 will be the same.  New data breach notification guidance from the European Data Protection Board (“EDPB”), multi-million Euro penalties from DPAs in Germany, Spain and Norway, and court rulings on discriminatory use of algorithms, the one-stop-shop and GDPR’s territorial scope were all in the mix.  Here are our “need to know” stories from January.

French DPA fines company and its service provider for inadequate credential stuffing controls and issues guidance for companies.  On 27 January, the CNIL announced €150,000 and €75,000 fines against a company and its service provider respectively for inadequate credential stuffing controls which led to the exposure of approximately 40,000 website customers’ names, email addresses, order information and loyalty card balances.  The fine is a rare example of a DPA penalising both the data controller and processor for the same failing.  Deficiencies identified by the CNIL included not limiting the number of login requests from the same IP address and an absence of multifactor authentication.  The CNIL also published credential stuffing guidance, which recommends further protections, including CAPTCHA puzzle solving tests, consulting repositories of breached passwords, and usernames which are not based on users’ email addresses.  The guidance also appears to suggest that the mere use of credentials obtained elsewhere to access an individual’s online account may not trigger GDPR notification obligations in the absence of unauthorised access to (or other interaction with) further personal data.
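To make the first deficiency the CNIL identified concrete, here is an added example (not code from the CNIL decision or its guidance) of the per-IP check that surfaces credential stuffing: it parses a constructed, assumed authentication log format and flags source addresses that attempt many distinct accounts within a short window, the signature of stuffing (many accounts, one attempt each) as opposed to a single-account brute force.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> login ip=<addr> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2021-01-27T10:00:01 login ip=203.0.113.5 user=alice@example.com result=fail
2021-01-27T10:00:02 login ip=203.0.113.5 user=bob@example.com result=fail
2021-01-27T10:00:02 login ip=203.0.113.5 user=carol@example.com result=ok
2021-01-27T10:00:03 login ip=203.0.113.5 user=dave@example.com result=fail
2021-01-27T10:00:04 login ip=203.0.113.5 user=erin@example.com result=fail
2021-01-27T10:00:05 login ip=203.0.113.5 user=frank@example.com result=fail
2021-01-27T10:00:09 login ip=198.51.100.7 user=alice@example.com result=fail
2021-01-27T10:00:20 login ip=198.51.100.7 user=alice@example.com result=fail
2021-01-27T10:00:31 login ip=198.51.100.7 user=alice@example.com result=ok
2021-01-27T10:05:00 login ip=192.0.2.9 user=grace@example.com result=ok
"""

LINE_RE = re.compile(r"^(\S+) login ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4) == "ok"

def flag_credential_stuffing(log_text, window=timedelta(minutes=1), max_users=5):
    """Return {ip: distinct_accounts} for source IPs that attempt more than
    `max_users` distinct accounts inside any `window`. Successful logins are
    counted too: in credential stuffing the successes are the exposure."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in sorted(parse(log_text)):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0  # sliding window over this IP's attempts, oldest first
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {u for _, u in attempts[start:end + 1]}
            if len(distinct) > max_users:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Per-IP thresholds alone miss an attack spread across many addresses, which is why the CNIL guidance pairs them with CAPTCHA, breached-password lookups and multifactor authentication.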

German electronics retailer fined €10.4m for employee and customer privacy violations. On 8 January, the Lower Saxony DPA fined German electronics retailer notebooksbilliger.de €10.4m for unlawful video monitoring of employees and customers spanning at least two years.  The company claimed that it had installed video cameras to, among other things, deter and investigate criminal acts.  However, the surveillance system was deemed to be neither limited to a specific period, nor to specific employees, as required by local law.  The DPA stressed that the alleged deterrent effect of video surveillance could not justify a permanent and unprovoked violation of the personal rights of employees and customers. The penalty is the Lower Saxony DPA’s highest to date, and comes only months after the Hamburg DPA fined retailer H&M €35.3m for monitoring employees’ private lives.  While Notebooksbilliger.de has appealed, both penalties show that companies need to be wary not only of how they treat customer data, but also employee data.

Spanish DPA hands CaixaBank record €6m fine.  Only one month after the record-breaking €5m fine against BBVA, the Spanish DPA issued a €6m fine against CaixaBank.  The Spanish DPA penalised the multinational financial services company for GDPR failings including imprecise privacy policies and unlawfully transferring data between group companies.  In contrast to last year, where the Spanish regulator appeared to opt for a higher number of lower-value penalties, the recent decisions are a reminder that businesses should not bank on historical enforcement patterns being set in stone.

Adtech back in the spotlight: Grindr faces €10m fine and ICO resumes investigations.  On 24 January, the Norwegian DPA announced a proposed €10m fine against social networking app Grindr for data sharing that allegedly did not comply with the GDPR.  According to the DPA, Grindr shared user data – including GPS location and user profile information, such as age and gender – with ad tech companies without valid consent.  The Norwegian DPA criticised Grindr’s “take it or leave it” terms and conditions, which users had to accept in their entirety to use the app and which failed to explain Grindr’s data sharing arrangements sufficiently.  The fact that third parties could infer users’ sexual orientation through their presence on Grindr – special category data under the GDPR – further aggravated the breach.  While not final, the proposed penalty – 10% of Grindr’s annual global turnover – would be the Norwegian DPA’s largest fine to date, and signals renewed focus on the adtech industry. This was bolstered by the ICO’s announcement that it is resuming investigations into real time bidding and the adtech industry that were paused in May 2020 due to COVID-19.

EDPB publishes new data breach notification guidance. The EDPB has issued new guidelines on data breach notification which cover common incidents including ransomware, data exfiltration, and lost or stolen documents and devices.  The guidelines highlight good and bad practices, how risks should be identified, as well as what factors should be taken into account when making notification decisions.  For instance, the guidelines suggest that with a business email compromise aimed at diverting B2B wire transfers, notification to individuals may still be required where their personal data was auto-forwarded to the attacker notwithstanding that the attacker was unlikely to be targeting that data.  The guidelines also flag considerations that the EDPB feels should apply to every incident, including:

  • Establishing procedures and internal guidelines on how to handle data breaches and training staff to ensure they are prepared.
  • Assessing and identifying vulnerabilities to prevent data breaches from happening.
  • When breaches occur, assessing whether a breach is likely to result in a risk to the rights and freedoms of the data subject and documenting that analysis and the breach response.

The guidelines will be a new “go to” resource for those preparing for, and responding to, data breaches.

Deliveroo algorithm ruled discriminatory by Italian court.  At the very end of last year, a court in Bologna concluded that Deliveroo’s shift allocation algorithm was discriminatory.  The case examined an automated ranking system, where drivers could access upcoming shifts based on their reliability: those who regularly turned up to work had more shifts to pick from.  The judge found that the algorithm did not distinguish between legitimate reasons for not showing up to work – such as child caring responsibilities or going on strike – and genuine unreliability, and as a result, held that some workers were unfairly punished by having access to fewer shifts.  Deliveroo was ordered to pay €500,000 in compensation and to publish details of its automated system on its website.  The decision draws parallels with the AI-related claims brought against Uber in the Netherlands, and is another example of the cross-over between data protection and employment law.  In particular, it highlights the need to ensure that this type of decision-making does not have a disproportionate impact on individuals with particular protected characteristics.  In light of increasing scrutiny, companies using AI or algorithmic decision-making will need to think carefully about how to meet their transparency obligations.

ICO prosecutes employee for stealing data. The UK Information Commissioner’s Office (“ICO”) prosecuted a car insurance company employee for sharing insureds’ personal data with an accident claims management firm, TMS, without authorisation.  The data included partial names, phone numbers, and vehicle registration numbers.  TMS used the data to make marketing calls to people who had been involved in accidents.  The employee pleaded guilty to conspiracy to secure unauthorised access to computer data and to selling unlawfully obtained personal data under the Computer Misuse Act 1990, and was handed a suspended sentence of eight months’ imprisonment.  The case is a useful reminder that, although relatively rare, the ICO can criminally prosecute individuals for data protection related violations.  Businesses may want to remind employees of those risks.

CJEU Opinion clarifies the one-stop-shop. On 13 January, the Advocate General issued its much-anticipated Opinion on when the GDPR’s one-stop-shop (“OSS”) mechanism prevents a non-lead DPA from initiating court proceedings for cross-border infringements of the GDPR.

The Belgian DPA initiated legal proceedings against Facebook Belgium, claiming that it used tracking technologies without users’ consent.  Facebook countered that the Belgian DPA did not have competence to issue the proceedings as it is not Facebook’s lead supervisory authority (rather, the Irish DPC is).  The Advocate General’s Opinion says that generally only a lead supervisory authority can issue legal proceedings against a company for cross-border breaches of the GDPR.  However, non-lead DPAs can initiate proceedings in a limited number of situations, including:

  • Where the GDPR permits non-lead DPAs to retain supervisory competence, such as investigations into cross-border data processing by public authorities.
  • If the lead supervisory authority decides not to act.
  • Where the processing is not cross-border, or there is no lead supervisory authority.

The full judgment from the CJEU is expected in the next few months.  While not bound by the Advocate General’s Opinion, the CJEU usually follows it.

The Opinion underscores the importance of the OSS principle at a time where it has faced challenges from overlapping legislation (see the CNIL’s decision against Google).  The Advocate General noted that it was not immediately obvious why the Belgian authorities were pursuing action under the GDPR – which has an OSS principle – rather than the e-Privacy Directive – which does not.  The case highlights the benefits of having a main establishment in the EU and, therefore, a lead supervisory authority, which may reduce the risk of parallel enforcement action.

English court rules GDPR does not apply to U.S. website.  The English High Court recently ruled that a Californian news website and a number of U.S.-based journalists were outside the GDPR’s territorial scope following data protection claims by a UK resident.  The claimant alleged that the processing of his personal data in connection with online posts linking the claimant with corruption and political scandals breached the GDPR, although the judgment does not detail the specific allegations.  However, the court ruled that the defendants fell outside GDPR’s territorial scope because:

  • The defendants had no establishment in the EU, as there were no employees or representatives in the UK.
  • The defendants did not target the UK. While the website delivered merchandise to the UK and took payments in euros and pounds sterling, that activity was unrelated to the defendants’ “core” activity (journalism), which the claims concerned.
  • While there may have been an arguable case based on the online publication’s use of cookies, which profile readers, that activity was related to advertising, rather than the journalistic processing the claimant complained about.

TalkTalk faces UK post-breach class action suit.  Internet service provider, TalkTalk, is facing a new class action for alleged data protection failings linked to the company’s 2014 and 2015 data breaches.  Interestingly, the particulars of claim go beyond the ICO’s conclusions that TalkTalk’s data security was inadequate.  The claimants, victims of the data breaches, also allege that TalkTalk carried out an illegal international transfer when it transferred data to Indian-based information technology contractor, Wipro, kept customer data for an unnecessarily long time, and processed personal data without a lawful basis.  The action is another example of data privacy class actions being filed in the English courts, and the long tail that data breaches can have for companies.

CMA investigates Google’s “Privacy Sandbox” proposals. The UK’s competition authority has launched an investigation into Google’s plans to remove third-party cookies from its Chrome browser.  The privacy concerns associated with the online tracking technology are well known, and bans have already been introduced by Apple, Mozilla, and Microsoft.  But given that Google Chrome holds a 50% share of the UK web browser market, the CMA is concerned that the proposals could reduce competition in the online advertising market.  A significant number of digital marketers would arguably be denied tracking data and may find it harder to compete with larger players such as Facebook and Google.  Following concerns raised in its digital advertising market study (see our Blog Post), the adtech industry remains a key enforcement priority for the CMA.  The CMA is carrying out the investigation alongside the ICO.  Businesses, particularly those in the adtech sphere, should be wary that dual regulatory scrutiny from competition and privacy regulators may be here to stay.


The authors would like to thank Debevoise trainee associates Clementine Coudert, Jesse Hope, and Diana Moise for their contribution to this article.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Christopher Garrett is an English-qualified international counsel in the Corporate Department and a member of the Data Strategy & Security practice, practising employment law and data protection. He has significant experience advising employers on all aspects of employment law and advising companies on compliance with UK and EU data protection law. Mr. Garrett has substantial experience in advising on the employment aspects of mergers & acquisitions transactions, including transfers of employees or other issues arising under TUPE/the Acquired Rights Directive. Mr. Garrett has a wide range of experience advising on other matters such as boardroom disputes, senior executive contracts and terminations, disciplinary and grievance matters, a variety of employment tribunal claims (including high-value discrimination claims), advising employers faced with industrial action, consultation on changes to occupational pension schemes and policy and handbook reviews. Mr. Garrett also has a particular focus on handling privacy and data protection issues relating to employees, as well as online privacy, marketing and safety practices, regular advice to clients on privacy policies, online marketing practices and related matters.

Author

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

Hilary Davidson is a corporate associate and a member of Debevoise's Mergers & Acquisitions Group. Ms. Davidson’s practice focuses on private M&A, with particular experience advising private equity clients. This has included advising on joint ventures, cross-border mergers and acquisitions and secondary and co-invest transactions. She can be reached at hdavidson@debevoise.com.

Author

Jennifer Deschins is an associate in the Frankfurt office and a member of the firm’s Litigation Department. Her practice focuses on Arbitration, Litigation, Internal Investigations, Cyber Privacy, Data Protection, Anti-Money Laundering and Competition Law.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.