European Data Protection Roundup – July
Key takeaways from developments this July include:
- a blockbuster €746 million fine against Amazon – the largest ever GDPR penalty – showing the Regulation’s teeth;
- the challenges of GDPR-compliant facial recognition, after a Spanish supermarket chain was fined €2.5 million for ostensible GDPR failings;
- a reminder of the importance of setting and enforcing appropriate data-deletion periods following a €1.75 million fine in France for failings including retaining prospective client data too long;
- indications that companies may need to provide privacy policies in local languages after a €750,000 fine against TikTok for failing to provide a Dutch privacy notice in the Netherlands; and
- a reminder that companies collecting publicly accessible personal data may still need to issue privacy notices after Monsanto was fined €400,000 in France for transparency failings linked to collecting data about potential lobbying targets.
All of these (and more) below.
Luxembourg DPA issues largest ever GDPR fine against Amazon
What happened: The Luxembourg DPA, the CNPD, has fined Amazon €746 million, the largest ever penalty issued under the GDPR. The CNPD found that Amazon’s processing of personal data was in breach of the GDPR and has required it to revise some of its business practices. Amazon has stated that it will appeal the decision and that the fine relates to its targeted advertising practices.
What to do: Notwithstanding the lack of detail on the specific violations, make key decision-makers aware of the heightened enforcement climate the fine potentially signals, notably in jurisdictions that until recently were not considered to be at the forefront of GDPR enforcement. We will continue to report any developments on the Blog.
French DPA imposes €1.75m fine for excessive data retention and transparency violations
What happened: The French DPA, the CNIL, fined insurance company AG2R La Mondiale (“AG2R”) €1.75 million for retaining the data of 2,000 prospective clients who had not been in contact with the company for over three years, in breach of the three-year maximum retention period stated in the company’s data processing register. The company had also retained the data of more than 2 million clients, some of which were sensitive (health) or specific (bank details), beyond legal retention periods. In some cases, data was over 30 years old. The CNIL found that although AG2R did have a retention policy, it had not been implemented within its IT systems.
Separately, the CNIL found that AG2R’s telemarketing calls did not comply with the right to be informed as data subjects were not informed of:
- the calls being recorded;
- their right to object to the recording of the calls;
- the processing of their data; or
- their rights as data subjects.
What to do: (i) consider reviewing data retention periods and ensure that they are appropriate and applied in practice; and (ii) ensure that individuals are provided with adequate transparency information, even when contacted by telephone.
Dutch DPA fines TikTok for failing to translate privacy notice
What to do: Consider whether existing privacy notices should be translated into local languages in light of the Dutch DPA’s (the AP’s) decision and the EDPB’s Transparency Guidelines.
Spanish DPA fines retailer €2.5 million for unlawful facial recognition
What happened: The Spanish DPA, AEPD, fined Mercadona, S.A., a Spanish supermarket chain, €2.5 million for its non-GDPR-compliant facial recognition system. Mercadona used the system to detect individuals against whom it had issued restraining orders. The AEPD found the system also captured employee and customer biometric data. Even though the system deleted images after 0.3 seconds, the AEPD held that Mercadona still required a lawful basis for processing the data and that the processing was ultimately unlawful, unnecessary and disproportionate. The AEPD further held that Mercadona had failed to discharge its transparency and data minimisation obligations.
What to do: When implementing innovative technologies like facial recognition, conduct a rigorous Data Protection Impact Assessment which considers, and addresses, potential unintended consequences and balances different stakeholders’ interests. Here the AEPD found that Mercadona confused the “utility” of the processing “with the objective ‘necessity’ of the measure”, finding that “[t]he measure implemented may be effective, but [was] in no way necessary”.
French DPA fines multinational €400,000 for failing to inform persons of the collection of their data
What happened: The CNIL fined agrochemicals company Monsanto €400,000 for failing to provide privacy notices to more than 200 individuals whose data was collected on the company’s behalf by a third-party vendor and recorded in an internal lobbying file. The data collected included the individuals’ professional organisations, positions, addresses, telephone numbers and email addresses, as well as their mobile numbers and, in some cases, their Twitter handles. The CNIL also found that Monsanto had failed to implement the contractual provisions stipulated by the GDPR, which should normally govern relations with a vendor.
What to do: Companies should keep in mind that they may need to provide GDPR-compliant privacy notices to individuals whose personal data they process, even when only handling publicly accessible data or professional contact details. Contractual relationships with vendors have to comply with the GDPR Article 28 requirements and are now likely to be assessed against the recently issued European Commission standard form Controller-Processor clauses.
EDPB orders Irish DPC to carry out statutory investigation into Facebook
What happened: The EDPB adopted an urgent binding decision requesting the Irish DPC, in its capacity as Lead Supervisory Authority under the one-stop-shop regime for cross-border data processing, to “swiftly” investigate whether Facebook is illegally processing WhatsApp Ireland Ltd.’s (“WhatsApp”) user data for its own purposes. The EDPB found that there is a high likelihood that Facebook is combining or comparing WhatsApp user data with other datasets held by Facebook companies but said that it did not have enough evidence to determine which processing operations are being carried out and in which capacity. The EDPB therefore declined to order the Irish DPC to adopt final measures against Facebook and instead ordered an investigation.
The EDPB also decided that a number of non-Lead Supervisory Authorities’ objections to the Irish DPC’s inquiry into whether WhatsApp had complied with its GDPR-transparency obligations vis-à-vis data sharing with Facebook were “relevant and reasoned”. The Irish DPC must without undue delay adopt a final decision on the basis of the EDPB’s decision.
What to do: This is the first urgent binding decision issued by the EDPB, and the second time it has issued a binding decision under its dispute resolution mechanism. Companies should be aware that when engaging in cross-border data processing, their activities may be scrutinised not only by the Lead Supervisory Authority but also by the EDPB and non-Lead Supervisory Authorities.
Irish Government plugs Standard Contractual Clauses gap
What happened: The Irish Government passed regulations which provide data subjects with an express right to enforce third-party beneficiary rights under Binding Corporate Rules, Standard Contractual Clauses (“SCCs”) and any standard data protection clauses adopted by the Irish DPC. The new SCCs (see our blog post) must be governed by the law of an EU member state that recognises third-party beneficiary rights. Prior to the regulations, Ireland was the only EU member state that did not allow for third-party beneficiary rights under contracts; that gap is now closed for the SCCs.
What to do: Companies relying on the new SCCs, whether based in Ireland or otherwise, can now safely choose Irish law to govern the clauses.
German Federal Supreme Court rules on the scope of the GDPR right to access
What happened: The German Federal Supreme Court, the highest court in civil and criminal matters, ruled that the GDPR data subject access right must be interpreted broadly and includes the right to access:
- data that the data subject is already aware of, including correspondence between the data subject and the data controller;
- the controller’s internal notes and communications containing information about the data subject; and
- all types of information relating to the data subject, both objective and subjective, and not just limited to sensitive or private information.
The Court found, in line with CJEU case law, that only legal assessments, even where they build on a subject’s personal data, can be excluded from the scope of the right to access.
What to do: Consider the impact of the judgment on how to respond to data subject access requests and the categories of data that have to be provided in response.
EU fines UK derivatives repository for data breaches
What happened: The European Securities and Markets Authority (“ESMA”) fined UK DTCC Derivatives Repository Plc (“DDRL”) €408,000 for infringements of the European Market Infrastructure Regulation requirements for data confidentiality, data integrity and direct and immediate access to data. DDRL’s breaches included:
- granting certain asset managers access to data that they were not entitled to receive;
- setting up its IT system in a way which altered the substance of certain reportable information, resulting in incorrect information being provided to ESMA; and
- failing to provide ESMA with direct and immediate access to relevant data.
What to do: The fine may signal that ESMA will increasingly scrutinise regulated entities’ data security, integrity and access controls. ESMA-regulated entities may therefore want to revisit existing policies and procedures to align with ESMA’s latest expectations.
German court rules on GDPR’s right to erasure for unlawful use of data
What happened: The Higher Regional Court of the German state Schleswig-Holstein ruled that under the right to erasure, a plaintiff could request that Schufa, a credit rating agency, delete information about his past insolvency. Under German law, public insolvency registers can only publish individuals’ insolvency information for a period of six months following the discontinuation of the insolvency proceedings. The plaintiff argued that Schufa’s retention of information about his past insolvency beyond the statutory limit affected his ability to take out loans or otherwise participate in business.
The Court decided that the statutory limitation period applied to the Schufa processing and that Schufa could not rely on a legitimate business interest or code of conduct for credit agencies beyond that statutory period.
By contrast, in a similar case earlier this year, the Austrian Federal Administrative Court ruled that the Austrian statutory limit would not apply but rather the five-year period under the European Capital Requirements Regulation; it also found that the local credit rating agency could rely on its legitimate business interest, unless data subjects’ rights prevailed.
What to do: Data controllers should review their retention policies and practices to ensure they comply with both EU and local laws, including industry-specific regulations that apply to particular data.
The authors would like to thank Debevoise trainee associates Olivia Collin, Clementine Coudert and Jesse Hope for their contribution to this article.