May saw useful reminders for companies, including: (i) the need to appoint an EU – and/or UK – representative if caught by the (UK) GDPR’s extraterritorial effect; (ii) that regulators are increasingly focused on adtech and cookies compliance; and (iii) that the GDPR applies not just in the EU and UK but also in Iceland, Liechtenstein and Norway. We also saw developments in the courts on when companies will be liable to pay individuals damages for GDPR violations, and the German antitrust regulator using its new enforcement powers.

U.S. company fined €525,000 for failing to appoint an EU representative

What happened: The Dutch DPA (“AP”) fined Locatefamily.com, an international company with no physical presence in the EU, €525,000 for failing to appoint an EU representative in breach of the GDPR. The AP stressed that the lack of a representative made it very difficult for data subjects to exercise their right to erasure and ordered Locatefamily.com to appoint a representative within 12 weeks, or face additional financial penalties.

What to do: Review whether you need to appoint an EU representative. Non-EU companies, including UK companies, subject to the GDPR’s extraterritorial scope must appoint an EU representative, or face enforcement action. Post-Brexit, the same obligation also applies to non-UK companies subject to the UK GDPR’s extraterritorial scope, meaning that some companies will need to appoint representatives in both the EU and UK.

French DPA issues formal notices to over 20 companies for cookies non-compliance

What happened: The French DPA, the CNIL, issued formal notices to over 20 companies for unlawful use of cookies. The CNIL found that the entities had made it easier to accept, rather than refuse, cookies, which the CNIL considered unlawful. The entities have one month to rectify the issue, or face fines of up to 2% of their annual turnover.

These decisions follow the CNIL’s October 2020 updated cookies guidelines (see our blog post).

What to do: Irrespective of where they are based, companies may want to revisit their use of cookies and assess whether their consent mechanisms comply with the latest guidance. Those that don’t may face significant penalties; in December 2020, the CNIL fined Google and Amazon €100 million and €35 million respectively for their cookies practices (see our blog post).

Developments in GDPR damages claims

What happened: Courts in the UK and across the EU have been assessing when individuals are entitled to damages for GDPR violations. In particular:

  • The Austrian Supreme Court has made a referral to the CJEU, asking whether merely breaching the GDPR is sufficient for a damages award, or whether claimants need to suffer actual harm;
  • The UK Supreme Court recently heard the case of Lloyd v Google, and will decide whether the mere loss of control of one’s data constitutes non-material damage that can be compensated under the UK GDPR; and
  • A Dutch court held that a breach of the GDPR did not automatically result in an individual being able to claim damages, and that the plaintiff’s mere statement that they had experienced distress was insufficient to secure compensation.

This follows a February 2021 reference by the German courts to the CJEU on whether the GDPR imposes a materiality threshold for damages claims.

What to do: For now, nothing, apart from continuing to monitor the progress of these cases which will have a significant impact on companies’ potential liability for GDPR violations.

German antitrust authority uses new tool to probe Google’s data use

What happened: On 25 May 2021, the German Federal Cartel Office (the “FCO”) announced an antitrust investigation into Google/Alphabet’s data use. The investigation is based on a new investigative tool, under the Act against Restraints of Competition (the “ARC”). This allows the FCO to assess whether a digital company has a “paramount significance for competition across markets” in Germany and, if so, to intervene. This is the third investigation carried out under the FCO’s new powers; it announced investigations into Facebook and Amazon earlier this year, and also previously conducted a similar investigation into Facebook in 2019 (see our updates here and here).

The FCO’s “paramount significance” assessment is based on a range of criteria, including whether (i) an entity is dominant in one or more markets; (ii) its activities are carried out across multiple markets; (iii) such activities have an important impact on third parties’ market access; and (iv) the company has access to data that is relevant for competition purposes. If the FCO establishes that Google/Alphabet holds such a position, it can impose various prohibitive orders. These may include banning the company from making the use of its services conditional upon a user consenting to their data also being processed by other services offered by the company or third parties.

What to do: The investigation highlights the FCO’s belief that the collection and use of data are relevant factors in antitrust enforcement. Companies should take note of the FCO’s continued scrutiny of digital companies’ strong market position, and be mindful of the impact of their data processing from an antitrust and consumer perspective.

Germany adopts new data protection and privacy law for telecommunications and telemedia

What happened: The German legislator adopted a new law regulating data protection and privacy in telecommunications and telemedia, Gesetz zum Datenschutz in der Telekommunikation und den Telemedien (the “Act”) which now puts German domestic law on substantially the same footing as most other EU Member States when it comes to the regulation of cookies and other online tracking technologies. The Act enters into force on 1 December 2021.

Among other changes, the Act introduces consent requirements for cookies – something not previously needed under German law. Under the Act, non-essential cookies may only be set “if the end user has consented on the basis of clear and comprehensive information.” The Act also allows consents to be managed through centralised Personal Information Management Systems (“PIMS”), in which users can predefine their conditions for cookie consent. A PIMS then passes those specifications automatically on to websites so that the correct cookie preferences are set.

The Act also:

  • Prohibits the inclusion of hidden microphones and cameras in products, to prevent undisclosed recording of sound and video;
  • Permits the use of location data only if the data is anonymised or the user has consented; and
  • Creates a legal right to internet access and a list of services which – at a minimum – must be facilitated to ensure digital participation of all German citizens.

The Federal Commissioner for Data Protection and Freedom of Information will be the sole regulator for the new Act. It is also a competent authority for GDPR-related breaches. Violations of the Act can lead to fines of up to €300,000.

What to do: German website providers must ensure that they are compliant with the Act by 1 December 2021. The most significant change will likely involve ensuring that any necessary consents have been obtained for the use of cookies to the extent they have not already been obtained under the GDPR.

UK Government publishes draft Online Safety Bill

What happened: The UK has published a draft Online Safety Bill (the “Bill”). The Bill proposes duties of care on digital service providers, including social media companies and search engines, to detect, moderate and prevent illegal or otherwise harmful content online.

Under the proposals, covered entities will have to:

  • Carry out risk assessments and ensure their service has systems designed to minimise the presence and dissemination of any illegal content;
  • Keep written records of illegal content risk assessments, and any steps taken to comply with the duties of care;
  • Regularly review compliance with their obligations under the Bill – including the duty to respect users’ rights to freedom of expression and privacy when implementing safety policies and procedures; and
  • Have systems and processes that allow users to easily report illegal or harmful content, and an easily accessible and effective complaints procedure.

If passed, the Bill provides for a maximum penalty of the greater of £18 million or 10% of qualifying worldwide revenue.

What to do: Although the Bill still needs to pass a number of stages before it takes effect, digital services providers should start considering what steps they will need to take to ensure compliance with the wide-ranging potential duties of care. Many large covered entities will already have measures in place that will satisfy at least some of the requirements.

Norwegian DPA issues multi-million adtech fine

What happened: The Norwegian DPA published its proposal to fine Disqus, a public comment sharing platform and adtech company, €2.5 million for collecting data about Norwegian data subjects and disclosing it to third-party advertising partners without a legal basis, and having not discharged its GDPR transparency obligations. The DPA’s notice highlights that Disqus seemingly failed to comply with the GDPR at least in part because it did not realise that the Regulation applied to Norway, as a member of the European Economic Area (“EEA”).

What to do: Companies should take this as a timely reminder that the GDPR applies not only in the EU, but also across the EEA (the EU plus Iceland, Liechtenstein and Norway) as well as in the UK. Those operating in the adtech space should also take note of the increasingly aggressive enforcement climate.

European Parliament and EU LIBE committee urge Commission to amend and review UK adequacy decisions

What happened: The European Parliament and the EU LIBE committee adopted resolutions urging the European Commission to amend and review its UK adequacy decisions. The bodies found that the decisions are not consistent with EU law and expressed concerns about onward transfers of data from the EU, via the UK, to other third countries. One of the main focuses of the adequacy decisions, and the Parliament and LIBE committee’s concerns, are the UK’s surveillance laws: the European Court of Human Rights recently found that elements of GCHQ’s surveillance regime were in breach of the ECHR.

What to do: Companies should continue to monitor the progress of the decisions. Given that the current transitional measures are only valid until the end of June, a final decision is likely to be imminent. With opposition to the decisions mounting, companies should prepare to adopt data transfer mechanisms to maintain data flows if the decisions are not adopted.

***

The authors would like to thank Olivia Collin, Valentin Schmidt and Céline Lefebvre for their contributions to this article.


Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Christopher Garrett is an English-qualified international counsel in the Corporate Department and a member of the Data Strategy & Security practice, practising employment law and data protection. He has significant experience advising employers on all aspects of employment law and advising companies on compliance with UK and EU data protection law. Mr. Garrett has substantial experience in advising on the employment aspects of mergers & acquisitions transactions, including transfers of employees or other issues arising under TUPE/the Acquired Rights Directive. Mr. Garrett has a wide range of experience advising on other matters such as boardroom disputes, senior executive contracts and terminations, disciplinary and grievance matters, a variety of employment tribunal claims (including high-value discrimination claims), advising employers faced with industrial action, consultation on changes to occupational pension schemes, and policy and handbook reviews. Mr. Garrett also has a particular focus on handling privacy and data protection issues relating to employees, as well as online privacy, marketing and safety practices, and regularly advises clients on privacy policies, online marketing practices and related matters.

Author

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

Author

Dr. Andrea Pomana is a senior associate in Debevoise's Frankfurt office and a member of the firm’s Antitrust & Competition Group. She focuses on European and German competition law, antitrust compliance and foreign investment, with nearly 15 years of experience in these fields. She can be reached at apomana@debevoise.com.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Christina Heil is a corporate associate and a member of the Mergers & Acquisitions Group at Debevoise, based in Frankfurt. She can be reached at cheil@debevoise.com.