There were a few European data protection developments in February that companies may want to have on their radar. These include a draft adequacy decision for EU-UK data transfer, renewed focus from data protection authorities (“DPAs”) on cookies compliance, and guidance from the English courts on what constitutes unsolicited marketing. We cover those developments (and more) below.
EU publishes draft UK adequacy decisions.
What happened: In a significant boost to ensuring the long-term free flow of personal data from the EU to the UK, the European Commission has found that the UK provides an essentially equivalent level of protection to that under the GDPR and the Law Enforcement Directive. While the European Commission’s draft “adequacy decisions” still have to be reviewed by the European Data Protection Board (“EDPB”) and Member States, it is almost certain that the European Commission will issue a final adequacy decision before the end of the six-month extension for EU-UK data transfers granted by the EU-UK Cooperation Agreement from 1 January 2021. If granted, companies will be able to send personal data from the EU to the UK without having to rely on EU Standard Contractual Clauses or another data transfer mechanism, although the decision will be reviewed in four years’ time to confirm that UK laws remain aligned with EU data protection standards.
What to do: Nothing right now other than monitor progress and, in the unlikely event that the adequacy decision is not finalised, put in place an alternative transfer mechanism for EU-UK transfers. We will continue to report on progress through the Blog.
Spotlight on Schrems II litigation and enforcement risk.
What happened: On 18 February, France’s Human Rights League sued France’s Commission nationale de l’informatique et des libertés (“CNIL”) over its alleged refusal to take action against Uber France for transferring personal data to the U.S. under the defunct EU-U.S. Privacy Shield. While the CNIL referred the matter to the Dutch DPA as Uber’s lead supervisory authority, the Human Rights League argued that the French regulator should have assumed jurisdiction under the GDPR’s urgency procedure that allows a non-lead supervisory authority to take urgent action when needed to protect individuals. On the regulatory front, German DPAs have set up a taskforce to conduct random checks on companies’ cross-border data transfer compliance following Schrems II.
What to do: Companies transferring GDPR-covered personal data to the U.S. (and other third countries) may want to ensure that their review of cross-border data transfers post-Schrems II is progressing. When weighing up cross-border data transfer-related compliance risk, companies may want to take into account the French litigation and Germany DPA sweep which could signal potentially increased scrutiny now that companies have had time to digest last July’s judgment.
DPAs focus on cookies compliance and the ePrivacy Regulation progresses.
On the legislative front, the Council of the EU reached agreement on the draft ePrivacy Regulation which will now be negotiated with the European Parliament and the European Commission. While the draft may still change significantly, proposed changes to the current landscape include allowing users to whitelist cookies providers to prevent “consent fatigue” and permitting the use of “cookies walls” – where users are prevented from accessing services unless they accept cookies – in certain circumstances.
Companies should also remember that the ePrivacy Directive and Member State implementing legislation fall outside the GDPR’s one-stop-shop mechanism, meaning businesses need to address local variances in the application of cookies-related requirements.
Scope of unsolicited marketing clarified.
What happened: On 8 February, the UK’s Upper Tribunal ruled that emails containing mixed marketing content – information which subscribers have consented to and information which they have not – are unsolicited communications under the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003. The case concerned Brexit-related newsletters that included promotional material for insurance products. While the recipients had consented to receiving the political newsletters, the Upper Tribunal found that informed and specific consent was still required for the promotion of the insurance products.
What to do: When sending email campaigns, companies may want to review whether they have obtained valid consent to send all material included in the communication and not just some of it. Consent to only part will not be sufficient based on the judgment.
Italian competition authority fines Facebook €7 million over transparency failings.
What happened: On 9 February, Italy’s competition authority fined Facebook Ireland and Facebook Inc. €7 million for failing to comply with a previous order requiring Facebook to explain to Italian users how their data is monetised. While Facebook removed its statement that its service “is free and always will be”, the regulator held that Facebook was still misleading new account holders by providing inadequate information about how it makes money from their data through targeted advertising. The regulator held that user-facing notices were generic and incomplete, did not distinguish between using data for the personalisation of its service – i.e., connecting users with new friends – and for targeting advertising. Facebook reportedly intends to appeal the decision.
What to do: As we reported previously there is increasing convergence between European data protection and competition law enforcement. Companies may therefore want to keep under review their current and future data processing activities to ensure they remain compliant with both regimes. The penalty also highlights the need to ensure that companies process personal data in an open and transparent way to ensure they meet both GDPR and potentially applicable consumer protection requirements.
Further GDPR penalties challenged successfully.
What happened: As covered in our 2020 Annual Review, DPAs have sometimes had a difficult time making big fines stick. Our prediction that the trend would continue into 2021 was right. The Regional Court in Berlin recently dismissed the €14.5 million fine against a German property company, Deutsche Wohnen, which had allegedly failed to comply with privacy by design and data minimisation requirements when handling tenants’ personal data. While many fines have been challenged on their substance, the Court nullified the penalty here on a procedural error: the Berlin DPA had not identified a person within Deutsche Wohnen who was responsible for the alleged violation, as required by administrative German law. The nullification is now on appeal.
Challenges are not always successful though. On 4 March, France’s highest administrative court, the Council of State, dismissed Google’s urgent request to suspend the CNIL’s €100 million fine and €100,000 per day follow-on penalty if Google fails to comply with the French Data Protection Act cookies requirements within three months of the judgment. Google’s full challenge remains pending.
While many DPAs are seeing their fines knocked back or challenged, others are being criticised for their perceived lack of enforcement action. In February, an influential European Parliament committee submitted a draft motion calling for the European Commission to sue Ireland over its alleged failure to properly enforce the GDPR.
What to do: Nothing day to day. But the Deutsche Wohnen case highlights that companies subject to enforcement proceedings may want to be on the lookout for procedural as well as substantive missteps by DPAs. Companies weighing up GDPR enforcement risk may also want to keep in mind that given mounting pressure on some DPAs to take more aggressive action, past enforcement priorities may not be an accurate guide for future cases.
Europe’s top court to consider materiality threshold for non-material damages under the GDPR.
What happened: On 14 January, Germany’s Federal Constitutional Court ruled that the Court of Justice of the European Union (“CJEU”) must determine whether claims for damages under the GDPR must meet a materiality threshold. The case concerned an individual who claimed €500 in compensation after receiving an unwanted email, in breach of the GDPR. While some Member State courts have awarded damages for GDPR violations with minimal impact on individuals, others have applied a materiality threshold. The Federal Constitutional Court acknowledged that the GDPR’s damages provision, Article 82, is yet to be considered by the CJEU and has therefore sought clarification.
What to do: Nothing for the moment. However, businesses should be aware that a decision from the CJEU not to impose a materiality threshold could significantly increase their litigation exposure.
ICO launches data analytics toolkit.
What happened: The UK ICO launched its data analytics toolkit as part of its wider push to help businesses manage the risks that artificial intelligence systems pose to individual rights. The toolkit allows companies to answer a series questions about their data analytics systems, including relevant security measures, discrimination monitoring, and privacy notices to individuals, and then uses this information to produce a tailored report. The reports contain relevant ICO guidance, along with practical examples, which are designed to help businesses comply with data protection law.
What to do: Companies which use data analytics to process large data sets to draw conclusions, find patterns, or make predictions, should consider using the toolkit. While the ICO makes clear that it should not be viewed as a pathway to ensuring complete compliance, the toolkit will nevertheless help businesses meet their data protection obligations.
The authors would like to thank Debevoise trainee associate Jesse Hope for his contribution to this article.
To subscribe to the Data Blog, please click here.