May saw useful reminders for companies, including: (i) the need to appoint an EU – and/or UK – representative if caught by the (UK) GDPR’s extraterritorial effect; (ii) that regulators are increasingly focused on adtech and cookies compliance; and (iii) that the GDPR applies not just in the EU and UK but also Iceland, Liechtenstein and Norway. We also saw developments in the courts on when companies will be liable to pay individuals damages for GDPR violations and the German anti-trust regulator using its new enforcement powers.
U.S. company fined €525,000 for failing to appoint an EU representative
What happened: The Dutch DPA (“AP”) fined Locatefamily.com, an international company with no physical presence in the EU, €525,000 for failing to appoint an EU representative in breach of the GDPR. The AP stressed that the lack of a representative made it very difficult for data subjects to exercise their right to erasure and ordered Locatefamily.com to appoint a representative within 12 weeks, or face additional financial penalties.
What to do: Review whether you need to appoint an EU representative. Non-EU companies, including UK companies, subject to the GDPR’s extraterritorial scope must appoint an EU representative, or face enforcement action. Post-Brexit, the same obligation also applies to non-UK companies subject to the UK GDPR’s extraterritorial scope, meaning that some companies will need to appoint representatives in both the EU and UK.
French DPA issues formal notices to over 20 companies for cookies non-compliance
Developments in GDPR damages claims
What happened: Courts in the UK and across the EU have been assessing when individuals are entitled to damages for GDPR violations. In particular:
- The Austrian Supreme Court has made a referral to the CJEU, asking whether merely breaching the GDPR is sufficient for a damages award, or whether claimants need to suffer actual harm;
- The UK Supreme Court recently heard the case of Lloyd v Google, and will decide whether the mere loss of control of one’s data constitutes non-material damage that can be compensated under the UK GDPR; and
- A Dutch court held that a breach of the GDPR did not automatically result in an individual being able to claim damages, and that the plaintiff’s mere statement that they had experienced distress was insufficient to secure compensation.
This follows a February 2021 reference by the German courts to the CJEU on whether the GDPR imposes a materiality threshold for damages claims.
What to do: For now, nothing, apart from continuing to monitor the progress of these cases which will have a significant impact on companies’ potential liability for GDPR violations.
German antitrust authority uses new tool to probe Google’s data use
What happened: On 25 May 2021, the German Federal Cartel Office (the “FCO”) announced an antitrust investigation into Google/Alphabet’s data use. The investigation is based on a new investigative tool, under the Act against Restraints of Competition (the “ARC”). This allows the FCO to assess whether a digital company has a “paramount significance for competition across markets” in Germany and, if so, to intervene. This is the third investigation carried out under the FCO’s new powers; it announced investigations into Facebook and Amazon earlier this year, and also previously conducted a similar investigation into Facebook in 2019 (see our updates here and here).
The FCO’s “paramount significance” assessment is based on a range of criteria, including whether (i) an entity is dominant in one or more markets; (ii) its activities are carried out across multiple markets; (iii) such activities have an important impact on third parties’ market access; and (iv) the company has access to data that is relevant for competition purposes. If the FCO establishes that Google/Alphabet holds such a position, it can impose various prohibitive orders. These may include banning the company from making the use of its services conditional upon a user consenting to their data also being processed by other services offered by the company or third parties.
What to do: The investigation highlights the FCO’s belief that the collection and use of data are relevant factors in antitrust enforcement. Companies should take note of the FCO’s continued scrutiny of digital companies’ strong market position, and be mindful of the impact of their data processing from an antitrust and consumer perspective.
Germany adopts new data protection and privacy law for telecommunications and telemedia
What happened: The German legislator adopted a new law regulating data protection and privacy in telecommunications and telemedia, Gesetz zum Datenschutz in der Telekommunikation und den Telemedien (the “Act”) which now puts German domestic law on substantially the same footing as most other EU Member States when it comes to the regulation of cookies and other online tracking technologies. The Act enters into force on 1 December 2021.
Among other changes, the Act introduces consent requirements for cookies – something not previously needed under German law. Under the Act, non-essential cookies may only be set “if the end user has consented on the basis of clear and comprehensive information.” Under the Act, consents can be managed through a centralised Personal Information Management Systems (“PIMS”), where users can predefine their conditions for cookie consent. PIMS will then pass the specifications automatically on to the websites to set the correct cookie preferences.
The Act also:
- Prohibits the inclusion of hidden microphones and cameras in products, to prevent undisclosed recording of sound and video;
- Permits the use of location data only if the data is anonymised or the user has consented; and
- Creates a legal right to internet access and a list of services which – at a minimum – must be facilitated to ensure digital participation of all German citizens.
The Federal Commissioner for Data Protection and Freedom of Information will be the sole regulator for the new Act. It is also a competent authority for GDPR-related breaches. Violations of the Act can lead to fines of up to €300,000.
UK Government publishes draft Online Safety Bill
What happened: The UK has published a draft Online Safety Bill (the “Bill”).The Bill proposes duties of care on digital service providers, including social media companies and search engines, to detect, moderate and prevent illegal or otherwise harmful content online.
Under the proposals, covered entities will have to:
- Carry out risk assessments and ensure their service has systems designed to minimise the presence and dissemination of any illegal content;
- Keep written records of illegal content risk assessments, and any steps taken to comply with the duties of care;
- Regularly review compliance with their obligations under the Bill – including the duty to respect users’ rights to freedom of expression and privacy when implementing safety policies and procedures; and
- Have systems and processes that allow users to easily report illegal or harmful content, and an easily accessible and effective complaints procedure.
If passed, the Bill provides for a maximum penalty of the greater of £18 million or 10% of qualifying worldwide revenue.
What to do: Although the Bill still needs to pass a number of stages before it takes effect, digital services providers should start considering what steps they will need to take to ensure compliance with the wide-ranging potential duties of care. Many large covered entities will already have measures in place that will satisfy at least some of the requirements.
Norwegian DPA issues multi-million adtech fine
What happened: The Norwegian DPA published its proposal to fine Disqus, a public comment sharing platform and adtech company, €2.5 million for collecting data about Norwegian data subjects and disclosing it to third-party advertising partners without a legal basis, and having not discharged its GDPR transparency obligations. The DPA’s notice highlights that Disqus seemingly failed to comply with the GDPR at least in part because it did not realise that the Regulation applied to Norway, as a member of the European Economic Area (“EEA”).
What to do: Companies should take this as a timely reminder that the GDPR applies not only in the EU, but also across the EEA (the EU plus Iceland, Liechtenstein and Norway) as well as the UK. Those operating in the adtech space, should also take note of the increasingly aggressive enforcement climate.
European Parliament and EU LIBE committee urge Commission to amend and review UK adequacy decisions
What happened: The European Parliament and the EU LIBE committee adopted resolutions urging the European Commission to amend and review its UK adequacy decisions. The bodies found that the decisions are not consistent with EU law and expressed concerns about onward transfers of data from the EU, via the UK, to other third countries. One of the main focuses of the adequacy decisions, and the Parliament and LIBE committee’s concerns, are the UK’s surveillance laws: the European Court of Human Rights recently found that elements of GCHQ’s surveillance regime were in breach of the ECHR.
What to do: Companies should continue to monitor the progress of the decisions. Given that the current transitional measures are only valid until the end of June, a final decision is likely to be imminent. With opposition to the decisions mounting, companies should prepare to adopt data transfer mechanisms to maintain data flows if the decisions are not adopted.
The authors would like to thank Olivia Collin, Valentin Schmidt and Céline Lefebvre for their contributions to this article.
To subscribe to the Data Blog, please click here.