Key takeaways from developments this August include:
- Indications of what the UK’s post-Brexit data transfer arrangements might look like – companies transferring data from the UK will want to follow the Information Commissioner’s Office (“ICO”) consultation carefully;
- Welcome news for companies defending data breach claims in the UK following a court decision which significantly narrows the kinds of harm claimants can plead;
- Another fine against Deliveroo for a series of GDPR violations relating to its algorithmic decision-making tools – showing companies that they need to be transparent about the operation and use of such tools;
- A multi-million Euro fine against a company for profiling customers on the basis of unlawfully collected data – reminding companies that if data is unlawfully collected, any subsequent use is tainted; and
- A UK tribunal slashing the ICO’s first GDPR fine – demonstrating courts’ continuing willingness to make substantial reductions to GDPR penalties imposed by DPAs.
These developments, and more, are covered below.
UK DPA launches data transfer consultation
What happened: The ICO launched a consultation covering its international data transfer guidance, draft transfer risk assessment tool (“TRA”) and draft international data transfer agreement (“IDTA”). Organisations should note that:
- the ICO is consulting on whether to issue a UK addendum to data transfer agreements issued by other countries and regions including the EU SCCs. Organisations would be able to use this for data transfers from the UK; and
- a TRA will be needed if an organisation is making a restricted transfer (defined and opinions solicited in the TRA consultation) and wants to rely on a transfer tool under Article 46 of the UK GDPR. A TRA will not be needed where an organisation is transferring data to a country covered by a UK adequacy decision or if the transfer is covered by an exception under the UK GDPR.
What to do: For now, nothing. The IDTA will ultimately replace the (modified) old EU SCCs that the ICO currently continues to recognise. We will report on the results of the consultation.
UK High Court dismisses most of the Dixons data breach claim
What happened: The UK High Court dismissed various claims against DSG Retail Limited (“DSG”), the owner of Currys PC World and Dixons Travel, relating to a 2017 – 2018 data breach where hackers accessed personal data in the company’s systems. The hackers infiltrated DSG’s systems, installed malware on 5,930 point-of-sale terminals at the stores for almost a year and accessed the personal data of millions of DSG customers.
The court struck out the claimant’s breach of confidence and misuse of private information claims on the basis that it was the criminal third-party hackers that had disclosed and misused the personal data, not DSG. The court also struck out the claimant’s negligence claim on the grounds that: (i) case law has established that negligence cannot be pleaded alongside Data Protection Act claims; and (ii) “distress” does not constitute damage, as required for a successful negligence claim. The court did transfer the claimant’s action under the Data Protection Act to a lower-level County Court, which will now hear the case.
What to do: This case suggests that, in the UK, data breach litigation will be confined to Data Protection Act-related claims. This will likely reduce the economic viability of claimant lawyers taking on low-value data litigation for two reasons:
- For smaller cases, fewer data protection claims will reach the High Court (as previously many cases were only deemed serious enough to be tried in the High Court if they included a breach of confidence claim), with the knock-on impact that costs are generally not recoverable in County Court small claims.
- Claimant lawyers will no longer be able to recover after-the-event insurance premiums in data breach litigation (which are used to cover their costs if they win, and the defendant’s if they lose). Previously, lawyers pleaded data protection claims with breach of confidence and misuse of private information privacy claims, as premiums are only recoverable in the latter.
The greater difficulty lawyers now face in recovering costs may well reduce the volume of low-value data litigation companies face.
Deliveroo fined €2.5 million for opaque algorithmic processing and multiple GDPR failings
What to do: Organisations that use algorithmic decision-making tools should ensure that there is adequate transparency around how they work, as regulators and courts are increasingly scrutinising these tools. In particular, and as we have seen elsewhere in the EU, multiple violations of the data minimisation, data storage and transparency principles can result in significant fines. To help avoid this, businesses may wish to consider reviewing their privacy policies and checking that their data collection and retention practices align with their purpose.
The fine is also a reminder that the one-stop-shop mechanism does not mean that companies only have to deal with the DPA that has been identified as their lead supervisory authority. In situations where data processing takes place only within the territory of one EU member state, the lead supervisory authority does not apply and the DPA of that country has exclusive competence to deal with the matter.
Austrian DPA issues €2 million fine for unlawful profiling
What happened: The Austrian DPA fined a customer loyalty program operator €2 million (its second-highest ever) for unlawfully collecting the data of and profiling 2.3 million customers. The company profiled the shopping behaviour of customers who had signed up to the services of specific individual businesses, and then shared these profiles with other participating businesses.
The DPA found that the customer consent procedure breached the GDPR because the transparency information: (i) was provided only after customers consented; and (ii) was insufficiently prominent. The paper version of the consent form also concealed that signatories would be consenting to such profiling. While the company admitted its wrongdoing after a DPA warning, it did not inform the customers and obtain valid consent but instead continued to use the data.
The fine took account of the operator’s continued losses and slowing business due to the pandemic as mitigating factors. The decision is being challenged by the operator before the Austrian Federal Administrative Court.
What to do: Companies should note that, unless remedied, unlawfully collected personal data must not be used, particularly if a DPA has already issued a warning against its use. In addition, companies should take this as a timely reminder to review their consent practices to ensure they are GDPR compliant.
French DPA provides additional details on record-breaking Amazon fine
What happened: The CNIL provided additional details about the nature of Amazon’s alleged GDPR breach and the Luxembourg DPA’s €746 million fine (see our July Roundup). French civil liberties group La Quadrature du Net (“LQDN”) had originally filed a complaint with the CNIL on behalf of 10,000 people in 2018. Under the GDPR’s “one-stop-shop” mechanism, the case was transferred to the CNPD, as Amazon Europe Core was established in Luxembourg. The CNPD’s decision is not public, but the CNIL informed LQDN of the decision. It confirmed that the CNPD had fined Amazon for using a targeted ad system without a lawful basis, hence violating the GDPR. Amazon has six months to comply with the GDPR, after which it will have to pay €746,000 per day of delay.
What to do: The CNIL declared that the decision signals “a turning point in the application of the GDPR and the protection of the rights of European nationals”. The decision underlines the crucial importance of obtaining valid consent from users and ongoing challenges faced by the ad tech sector. Companies should also keep in mind the importance of providing transparent information and facilitating the exercise of individuals’ rights (right to access, rectification, erasure and right to object), obligations that Amazon was also asked to comply with.
Italian DPA fines both controller and processor for inadequate technical and organisational measures
What happened: The Italian DPA, Garante, fined the Airport of Bologna (data controller) and aiComply (data processor) for failing to implement adequate technical and organisational measures for the airport’s whistleblowing app. Garante found multiple breaches of the GDPR, including:
- The airport and aiComply had failed to implement encryption;
- The airport’s firewall logs registered and stored personal information about app users without a valid lawful basis given the app was intended to be anonymous;
- The airport did not conduct a data protection impact assessment; and
- aiComply failed to inform the airport of two sub-processors it had appointed to maintain the app.
What to do: While the GDPR does not mandate specific security measures, the fine shows that encryption of sensitive data at rest is likely required. Other recent baseline security measures singled out by regulators as essentially required include password security and patching: the German Lower Saxony DPA recently fined a web shop operator who failed to implement software security updates for over seven years, rendering user passwords vulnerable. Companies operating as data processors should also note that DPAs are increasingly taking action against both controllers and processors in relation to the same incidents as the CNIL did in January this year.
Swiss DPA approves new EU SCCs
What happened: The Swiss DPA, the FDPIC, approved the new EU Standard Contractual Clauses (“SCCs” – see our June Roundup for an overview) for the transfer of personal data from Switzerland (a non-EU Member State) to countries without an adequate level of data protection. The SCCs must be adapted in order to fully comply with Swiss data protection law.
What to do: Companies can now use the EU SCCs, with some amendments, to effect data transfers from Switzerland to third countries. The old SCCs may still be entered into until 27 September 2021 and can still be used until 31 December 2022. Companies should also note that data transfers from Switzerland to non-EU countries may be subject to both Swiss data protection law and the GDPR.
UK tribunal cuts UK DPA’s first GDPR fine by 65%
What happened: The UK First-Tier Tribunal reduced the ICO’s first-ever GDPR fine against Doorstep Dispensaree (“DD”) by 65%, to £92,000. DD, a medicine supplier, was fined in 2019 for leaving approximately 66,000 documents (most of which contained sensitive personal data) in unlocked containers at the back of its premises. The Tribunal accepted DD’s arguments that: (i) they faced financial hardship so were unable to pay the original amount; and (ii) the penalty was disproportionate, as the volume of affected data was much lower than the ICO initially estimated (some 500,000 documents).
What to do: As covered in our Annual Review and February Roundup, yet again, the courts have demonstrated their willingness to make substantial reductions to GDPR penalties imposed by DPAs. Companies facing GDPR fines may want to consider carefully challenging them on substantive or procedural grounds, given the potentially significant rewards for doing so.
ICO responds to European Commission’s draft AI Regulation
What happened: The ICO published its response to the European Commission’s draft regulation governing the use of AI (the “Draft AI Regulation” – covered in our Blog Post, June Roundup and April Roundup). The ICO stated that it welcomed the Commission’s ambition to regulate the use of AI technologies so that it is safe, respects existing law on fundamental rights, facilitates the development of lawful, safe and trustworthy AI, and ensures legal certainty for businesses. In addition, the ICO noted its support for the Commission’s risk-based approach to AI regulation, agreeing that the risk management system for high-risk AI should be a continuous iterative process requiring regular systematic updates.
What to do: Organisations using or providing AI products should continue readying themselves to comply with the Draft AI Regulation. We will continue to report on the progress of the Regulation through the Blog.
German court rules non-material damage is sufficient for a GDPR damages claim
What happened: The Higher Regional Court of Bremen has ruled that data subjects must suffer material or non-material damage to support a damages claim under the GDPR. There has recently been much discussion around the level of harm that must occur before an individual can claim damages under the GDPR and, in particular, whether a mere breach of the GDPR is enough. German and Austrian courts have already referred questions to the Court of Justice of the European Union on this issue (see our May Roundup).
What to do: For now, nothing, but await the decision of the Court of Justice of the European Union on this issue.
The authors would like to thank Olivia Collin, Jesse Hope and Julien Poirier for their contributions to this article.