March gave companies plenty to take stock of. A multi-million euro fine for deficient vendor oversight, scrutiny of unlawful data transfers to a well-known U.S. email marketing service provider, and a €475,000 penalty for late reporting of a data breach affecting just a few thousand individuals, and more. Here are our highlights of what you need to know.
Spanish DPA fines Vodafone Spain €8.15 million for vendor oversight failings, unlawful cross-border transfers
What happened: The AEPD, the Spanish data protection authority (“DPA”), fined Vodafone Spain €8.15 million for various breaches of the GDPR and Spanish e-privacy laws, topping the €6 million CaixaBank penalty from earlier this year.
€4 million was for allegedly deficient oversight of Vodafone’s data processors. Most notably, failing adequately to verify that they had appropriate technical and organisational measures in place to safeguard personal data.
€2 million was for failing to implement appropriate safeguards when making cross-border data transfers to Third Countries.
The remaining €2.15 million related to various direct marketing-related violations and the continued processing of individuals’ data despite their objections.
What to do: Penalties for cross-border transfer and vendor diligence failings have been rare. Given the large penalties though, companies may want to:
- Vendor Diligence – Revisit their vendor diligence program to ensure that it meaningfully scrutinises vendors at the outset of the relationship and periodically thereafter. The AEPD specifically criticised Vodafone’s “Yes” / “No” vendor diligence checklist for failing to adequately assess processors’ safeguards.
- Cross-border Transfers – If not in place already, consider introducing formal procedures to map cross-border data transfers to help ensure appropriate safeguards are in place for third-country transfers. See our blog post here for further tips on managing the latest landscape.
Booking.com fined €475,000 for late data breach notification
What happened: The Dutch DPA announced its €475,000 December 2020 fine against Booking.com for failing to meet the GDPR’s 72-hour data breach notification timeline. According to the DPA, the personal data of over 4,000 customers was compromised, including nearly 300 individuals’ credit card details after an unauthorised third party gained access to a Booking.com reservation system through a social engineering attack. The Dutch DPA determined that Booking.com became aware of the breach on 13 January 2019, after it had received multiple reports of social engineering attacks on Booking.com customers using data about forthcoming reservations. The DPA held that this was sufficient to trigger the 72 hour notification timeline and Booking.com’s notification on 7 February 2019 following further investigation was out of time.
What to do: Given the high fine for a relatively small incident, companies may want to revisit their incident response procedures to ensure that (potential) personal data breaches are escalated appropriately internally, and notification decisions made promptly, even if a full investigation is not yet complete.
Dutch court opines on oversight and explainability of algorithmic decision making
What happened: The Amsterdam District Court issued highly anticipated judgments on algorithmic decision-making tools used by ride-hailing apps, Uber and Ola. The Court found that Ola relied entirely on an automated system to penalise drivers for invalid rides, in breach of Article 22 of the GDPR, and ordered the taxi app to publish the assessment criteria the algorithm uses to reach decisions. In contrast, the Court rejected claims that Uber had unfairly dismissed drivers based solely on an automated tool that flags suspected fraudulent journeys. The Court concluded that Uber employees reviewed fraud alerts before decisions were made, which amounted to “meaningful oversight” under the GDPR. These decisions come hot on the heels of an Italian court finding that Deliveroo’s shift allocation algorithm was discriminatory.
What to do: Companies using or developing algorithmic decision-making tools for determinations that have a significant impact on individuals should think carefully about: (i) the level of human oversight involved; and (ii) what information they provide individuals about those tools and how to communicate it.
Companies should be aware that similar claims are likely to be brought in the future, especially following recent announcements of a new EU AI legislative framework, which would introduce new obligations on businesses using AI. See our post here for ways to help manage AI-related risk.
Post-Schrems II data transfer to Mailchimp deemed unlawful
What happened: The Bavarian DPA (“BayLDA”) determined that the transfer of individuals’ email addresses from a Munich-based company to Mailchimp – the U.S.-based email marketing services platform – was unlawful under the GDPR. While the company had been relying on Standard Contractual Clauses (“SCCs”) for the transfers, BayLDA found that Mailchimp was potentially an “electronic communication service provider” subject to Section 702 of the U.S. Foreign Intelligence Surveillance Act, meaning the data transferred would be subject to potential access by U.S. authorities. Following the Schrems II decision, BayLDA held that the company should have ascertained whether “additional safeguards”, supplementing the SCCs, were required to make the transfers compliant with data protection requirements and safeguard individuals’ privacy. The DPA found that failing to do so rendered the transfers unlawful. BayLDA did not sanction the company because it had already stopped using Mailchimp.
What to do: As covered in previous posts, following Schrems II, companies may want to review carefully their data transfers to non-EEA recipients of all types to ensure appropriate measures are in place to protect personal data if required. Companies using Mailchimp and other similar providers may want to revisit those transfers in particular following BayLDA’s decision.
GDPR Fines: German courts divided over need to identify individual failings
What happened: Courts across the EU have seen an increase in appeals against GDPR penalties. Two recent German decisions differed on whether, in order to penalise a company, a German DPA can merely point to the wrongdoing of the legal entity under the GDPR or must identify, in addition, wrongdoing by specific individuals, such as directors, in accordance with local administrative laws.
In December 2020, the Regional Court of Bonn held that, when reducing a €9.6 million fine to €900,000, the company could be fined without the DPA pin-pointing failings by specific individuals.
As covered in our February Blog Post, the Regional Court of Berlin took a different approach when it struck down the €14.5 million GDPR fine against German property company, Deutsche Wohnen, applying the local administrative law requirement that a company is only liable for wrongdoing if it can be attributed to certain individuals.
The same issue has also arisen in Austria. In November 2020, the Austrian Federal Administrative Court overturned a €18 million GDPR fine because the Austrian DPA had failed to attribute wrongdoing to a relevant individual.
What to do: Given the issue has not been finally settled by a court of last resort in Germany, monitor the development. If the Berlin court’s interpretation prevails on appeal, companies would only be liable if certain persons specified under German administrative law infringed the GDPR, increasing the burden of proof for DPAs. It seems likely though that this issue will make its way before the Court of Justice of the European Union in due course, given its potential to cause divergence between Member States.
French data protection authority investigates Clubhouse
What happened: The CNIL, the French data protection authority, announced that it is investigating GDPR compliance at Clubhouse, the fast growing, audio-only, social networking app. The announcement follows the Hamburg DPA’s announcement last month that it had requested information from Clubhouse regarding GDPR compliance.
While the CNIL did not detail specific concerns, it noted a French petition highlighting, among other things, Clubhouse’s alleged collection of users’ contacts’ contact details during the sign-up process. The CNIL also noted that given Alpha Exploration Co. Inc. – Clubhouse’s US owner – does not have an EU establishment, it falls outside the GDPR’s “one stop shop” mechanism and that it is open to any European DPA to investigate.
What to do: The investigations highlight that companies launching or scaling products or services in the UK and EU should be ready to field questions from (multiple) data protection regulators about their GDPR compliance, even if the company has no on-the-ground presence. Focusing on GDPR compliance during the design and implementation phase – in line with the GDPR’s “data protection by design and default” principle – will help ensure compliance.
The authors would like to thank Olivia Collin, Jesse Hope, and Valentin Schmidt for their contributions to this article.
To subscribe to the Data Blog, please click here.