European Data Protection Roundup – September

European Data Protection Roundup – September 2021

Key takeaways this September include:

• Transparency: The importance of providing individuals sufficient information to enable them to understand how their personal data is used and shared, following the Irish Data Protection Commission’s (“DPC”) €225 million fine against WhatsApp and the Hamburg DPA’s nearly €1 million penalty against an energy company for alleged transparency failures;
• Data transfer: The need to ensure the lawful cross-border transfer of personal data after the Norwegian DPA fined a company €500,000 for unlawful data transfers to a Chinese service provider and associated failings;
• Direct marketing: Guidance from the UK Information Commissioner’s Office (“ICO”) on how to obtain valid consent to direct marketing, from the ICO’s fines totalling £495,000 against a quartet of companies;
• Processor rights: Non-payment of service fees will not allow a data processor to withhold personal data from its data controller, after the Spanish DPA fines a service provider €100,000 for refusing to return or restore access to personal data it processed on behalf of a customer;
• Cookies: Continued scrutiny on cookie banners, prompting the establishment of a new European Data Protection Board (“EDPB”) taskforce; and
• Data subject rights: A €9.5 million fine against Austrian Post for channelling electronic data protection-related inquiries to a web form and not offering an additional email address, irrespective of the data subject option to also use non-electronic postal mail or customer service.

These developments, and more, covered below.

DPC fines WhatsApp €225 million for failure to discharge its GDPR transparency obligations

What happened: Concluding an investigation which began in December 2018, the Irish DPC, in its capacity as Lead Supervisory Authority under the GDPR’s one-stop-shop mechanism, fined WhatsApp €225 million for an alleged failure to discharge its GDPR transparency obligations to users and non-users. The DPC claimed that WhatsApp had failed to adequately explain how it and other Facebook group companies processed individuals’ personal data. The penalty followed the EDPB’s binding decision on various objections raised by other DPAs, including on the proposed size of the fine.

Norwegian DPA fines company €500,000 for unlawful data transfers to China

What happened: The Norwegian DPA fined a toll road operator for transferring Norwegian motorists’ personal data to a Chinese data processor. The DPA investigated the transfers following press reports, and found that the company had breached the GDPR by:

• Not having an appropriate data processing agreement in place;
• Failing to perform a risk assessment for the engagement; and
• Not having a lawful basis for transferring personal data outside the EEA to China (e.g., Standard Contractual Clauses).

Aggravating factors included the large number of people affected (in fact, 12.5 million number plate images were sent), and that the transfers had occurred for up to two years. Because the transfers took place between 2017 and 2019, prior to the Schrems II decision, the DPA did not consider the decision’s impact on the transfers.

What to do: Given the fine, companies may want to:

• Review vendor contracts to ensure they contain the GDPR Article 28-mandated data processing terms;
• Consider whether additional vendor risk assessments are needed to ensure GDPR compliance; and
• If not done recently, revisit cross-border data transfers to ensure a valid transfer mechanism is in place. See, our post on what to do in light of the new EU SCCs.

ICO fines We Buy Any Car, Sports Direct & Saga for direct marketing violations

What happened: The ICO issued fines totalling £495,000 to We Buy Any Car Limited, SportsDirect.com Retail Ltd, Saga Services Ltd. and Saga Personal Finance Limited (together, “Saga”) for failing to obtain valid consent to direct marketing communications. More specifically, in the ICO’s view:

• We Buy Any Car sent 191 million marketing emails and 3.6 million text messages without valid consent, and was unable to rely on the “soft opt-in” because it failed to give individuals the opportunity to opt out at the time their contact details were collected;
• SportsDirect.com sent over 2.5 million marketing emails but was unable to evidence valid consent (or reliance on the “soft opt-in” exception, which enables companies to email existing customers even if specific consent to electronic mail has not been given); and
• Saga relied on indirect consent obtained by affiliates and partners as a basis for sending marketing emails which the ICO considered invalid, noting that “[c]onsent will not be valid if individuals are asked to agree to receive marketing from ‘similar organisations’, ‘partners’, ‘selected third parties’ or other similar generic description.”

What to do: Direct marketing violations remain a high priority for the ICO which has issued 17 related penalties to date in 2021. Based on the latest fines, companies may want to:

• Review existing consent flows, particularly the use of indirect consent, to ensure they meet the regulator’s latest expectations, and the timing of opt-outs if a company relies on the “soft opt-in”;
• Assess whether the company keeps sufficiently granular records to demonstrate consent; and
• When using third parties to send marketing communications on their behalf, ensure they have processes and procedures in place to oversee that work.

Hamburg DPA fines energy company for transparency failings

What happened: The Hamburg DPA fined Vattenfall Europe Sales GmbH (“Vattenfall”) – an energy company – €901,388.84 for an unlawful attempt to prevent customers “bonus shopping”, a strategy notoriously unprofitable for energy companies. Vattenfall monitored customer behaviour to ascertain if an energy switch was likely and hence if bonus payments were payable (sometimes in cases where customers had left and re-joined in order to take advantage of favourable terms). Invoices from previous contractual relationships were reviewed as part of this strategy that affected 500,000 individuals in total. The DPA found the comparison of customers’ data contravened Vattenfall’s duty of transparency under Articles 12 and 13 of the GDPR, since customers had not been informed about this type of processing. The decision, however, did not touch on the question of whether the data comparison was permissible.

What to do: Companies should learn from Vattenfall’s response to the probe: its extensive cooperation with the DPA and immediate cessation of the non-transparent data comparison led to a significantly reduced fine. The authority also helped to develop a consent procedure, to futureproof the company if similar circumstances were to arise.

Spanish DPA fines processor for failing to return data

What happened: The Spanish DPA (“AEPD”) fined Signallia Marketing Distribution – an IT services provider – €100,000 for refusing to return or restore access to personal data it processed on behalf of Excel Resort Hotels. Signallia refused the requests, alleging that Excel owed it €410,000 in fees. The AEPD held that Signallia breached its GDPR obligation to delete or return all personal data processed for Excel, at Excel’s direction, on termination of the agreement.

What to do: No specific action, but data processors should keep in mind that the decision strongly suggests that unpaid invoices will not affect their mandatory statutory duties under the GDPR.

French DPA publishes “data protection management maturity model”

What happened: The CNIL published its draft data protection management maturity model. The model is a self-assessment tool to help companies evaluate their data protection compliance and determine how to improve their data management. The model describes eight typical activities related to data protection, and gives six maturity levels for each activity, giving examples of actions and processes required for each level.

The maturity levels are:

• 0 – non-existent or incomplete practice;
• 1 – informal practice (isolated actions);
• 2 – repeatable and ongoing practice;
• 3 – defined process (standardized practice);
• 4 – controlled process (quantitative evaluations and correction of anomalies); and
• 5 – continuously optimized process.

Examples of actions and processes illustrate each maturity level for each typical activity. For instance, for the activity of “defining and implementing data protection procedures”, the CNIL considers that level 5 maturity would mean that policies and procedures are updated as soon as potential improvements are identified. For cyber risk management, the CNIL notes that level 5 maturity would mean that risk studies and action plans are reviewed annually, that active monitoring is carried out on vulnerabilities and that corrective actions are taken in case of impact on information systems.

What to do: Companies subject to the CNIL’s jurisdiction may want to use the model to assess their current data protection controls. While the model does not guarantee GDPR compliance, it may help companies align themselves with the regulator’s latest expectations.

New EDPB taskforce to tackle NOYB cookie complaints

What happened: The EDPB established a taskforce to address over 500 complaints None of Your Business (“NOYB”), the privacy NGO headed by Max Schrems, made against companies using allegedly non-compliant cookie banners. Drawing on recent guidance, NOYB argues that to be compliant, cookie banners must:

• Include a “reject cookies” option;
• Not use pre-ticked boxes;
• Avoid potentially misleading use of different colours for “accept” and “reject” buttons; and
• Not use the GDPR “legitimate interests” lawful basis for tracking individuals online.

What to do: Companies may want to review their cookie banners and ensure they are in line with the latest DPA guidelines and monitor the outcome of the taskforce’s work for further guidance.

French DPA reports on its cookies compliance campaign

What happened: The CNIL published the outcome of its second cookies compliance campaign. As we previously reported, in May 2021 the CNIL issued formal notices to over 20 companies for unlawful use of cookies where companies had made it easier to accept than reject cookies. The CNIL issued a second round of formal notices at the end of June to 40 entities for similar violations. These entities had until September 6 to become compliant. The CNIL found that 80% of the 40 entities are now compliant, with the remainder facing enforcement action.

What to do: Irrespective of where they are based, companies may want to revisit their use of cookies and assess whether their consent mechanisms comply with the growing expectation that rejecting cookies should be as easy as accepting them. Companies in France may, in particular, find the CNIL’s October 2020 guidelines (see our blog post) a helpful guide.

Irish DPC and Italian Garante scrutinise Facebook’s new smart glasses

What happened: The Irish DPC and Italian Garante are scrutinising Facebook’s launch of smart glasses in collaboration with Ray-Ban. The voice-activated glasses allow users to create images and videos that can be shared online. Both DPAs have raised concerns over how user (and non-user) privacy has been baked into the product’s design and functionality. Areas of focus appear to be:

• The lawful basis for processing personal data;
• Measures implemented to protect those recorded by the glasses (particularly minors) – including how individuals are notified that they are being recorded;
• Tools used to anonymize any data collected; and
• How the voice assistant operates.

The DPAs are encouraging Facebook to run an information campaign to inform the public on how the glasses work and how to identify recording devices (currently a small LED lights up in the corner of one of the frames).

What to do: The scrutiny is a useful reminder to companies of the need to comply with the GDPR’s requirement for data protection by design and default when developing and bringing new or and innovative products to market. In short, to recognise the need to address data protection compliance at every stage of the development and deployment process.

Another referral to the CJEU on non-material damages for GDPR violations

What happened: Germany’s Federal Labour Court, the highest employment tribunal in the country, has become the latest court to refer questions of non-material damage compensation under the GDPR to the Court of Justice of the European Union (“CJEU”). The case involves an employment dispute over the processing of employee health data. It follows referrals made by an Austrian court and a separate German court earlier in 2021, reflecting the increased scrutiny on the interpretation of GDPR provisions on damages. Here, the court asked if the GDPR provision for non-material damages not only has a compensatory nature but also a component of general or special prevention that has to be considered in the assessment. The court further asked if a small degree of fault, or indeed the absence of fault, would work in favour of the infringing controller or processor.

What to do: Companies should monitor the developments in the compensation of GDPR damages, as these will define the risks for the organisation.

Austrian DPA mandates the provision of an email address in electronic data protection-related inquiries

What happened: In the wake of the 2019 data scandal, the Austrian DPA has issued another fine, this time for €9.5 million, against Austrian Post. Here Austrian Post invited data protection-related inquiries in electronic form only via a web contact form in order to automate the process of inquiries and to obtain all the information required to process the inquiries. Data subjects could exercise their data subject rights also in non-electronic form by postal mail or customer service. The DPA took issue with Austrian Post for not providing data subjects with an additional electronic communication means in form of an email address. Austrian Post challenges the still unpublished decision before the Austrian Federal Administrative Court.

What to do: The GDPR requires the controller to facilitate the exercise of data subject rights. As the grounds of the decision are still unpublished it is unclear how the channelling of electronic requests to a web form may have impeded the exercise of data subject rights. Against the backdrop of heavy fines companies should already now ensure that the communication channels opened for data subject requests actually facilitate the communication and have, in particular, no chilling effect.

UK proposes reforms to its data protection regime

What happened: The UK government launched a consultation on plans for a new data regime. The UK government has been vocal about wanting to diverge from the EU’s data protection regime post-Brexit, and this is the first tangible step towards change. Key proposed amendments include:

• tightening the data breach reporting threshold so that only breaches resulting in a material risk to individuals are reportable;
• extending the scope of website cookies that can be used without user consent;
• increasing the scope of the soft opt-in for direct marketing purposes;
• establishing a number of pre-approved legitimate interests for data processing – if one applies, businesses would not need to conduct a legitimate interests assessment; and
• adopting a more flexible, risk-based approach to cross-border transfer adequacy decisions – which should allow the UK to increase the number of jurisdictions it decides are adequate for the purpose of UK data transfers.

What to do: For now, nothing. It remains to be seen which proposals, if any, will become law. We will report on further developments on the blog.

The authors would like to thank Gavin Benson for his contribution to this article.