European Data Protection Roundup – October 2021
Key takeaways this October include:
- Liability for excessive security footage: The need to ensure security systems are configured appropriately to minimise the scope of video and audio footage captured, after an English court found a homeowner’s use of popular smart cameras violated the UK General Data Protection Regulation (“GDPR”).
- Subject access requests: The possibility that companies responding to data subject access requests from individuals will have to provide copies of entire documents containing their personal data, rather than only extracts.
- Ransomware: The risk of penalties for inadequate data security safeguards resulting in ransomware attacks, after the Norwegian data protection authority (“DPA”) proposes a c. €400,000 penalty against a municipality for alleged deficiencies including a lack of multi-factor authentication as well as inadequate back-ups and logging.
- Transparency: The importance of ensuring that GDPR-mandated disclosures are easily accessible after the Irish DPC proposed a €36 million fine against Facebook for allegedly insufficiently clear disclosures during the user sign-up experience.
- Data in sports: The potential challenges of data monetization in sport, in light of a UK class action initiated by a former football (soccer) manager claiming a fee and ongoing royalties for players from gambling and entertainment firms processing their performance statistics.
- Direct marketing: The need for robust consent management processes for direct marketing, after the Italian DPA fined Sky Italia €3.2m for making unsolicited marketing calls to customers without their consent.
- Individual complaints: The possibility of an increased volume of complaints to DPAs following a Belgian Supreme Court decision that allows individuals to complain about companies’ alleged GDPR violations, even if their own personal data has not been processed.
These developments, and more, detailed below.
English Court confirms homeowner liable for GDPR breaches linked to home security system
What happened: An English court held that the scope of video and audio footage captured by a homeowner’s domestic surveillance device was excessive and did not have a lawful basis under the UK GDPR as it exceeded what was necessary to further the homeowner’s legitimate interest in detecting and preventing crime. The court concluded that the legitimate interest could have been furthered through less intrusive means.
What to do: Consider reviewing existing video and audio surveillance arrangements to ensure that data protection requirements are met. In particular, if relying on the legitimate interests lawful basis, considering whether appropriate steps have been taken to minimize the footage captured to what is necessary.
Norwegian DPA proposes fine for ransomware breach
What happened: Datatilsynet, the Norwegian DPA, intends to fine a local municipality NOK 4 million (c. €388,000) for data security failings exposed after a January 2021 ransomware attack allowed attackers to access employees’ and residents’ personal data, including special category data and children’s data. Stolen data was also posted on the darkweb. The DPA found that the municipality did not have two-factor authentication in place, had inadequate logging, and had backups that were inadequate.
What to do: Consider whether appropriate technical safeguards are in place to prevent and detect ransomware attacks. While the GDPR does not mandate specific technical controls, measures including multi-factor authentication are increasingly expected by regulators. Companies may also want to focus on assessing whether adequate, air gapped, back-ups are in place to reduce the potential harm a successful ransomware attack might cause.
Irish DPC proposes €36m fine against Facebook for breach of GDPR transparency rules
What happened: The Irish Data Protection Commission has issued a Draft Decision, in its capacity as Lead Supervisory Authority for cross-border processing in GDPR one-stop-shop proceedings, holding that Facebook was not sufficiently clear about its legal basis for processing users’ personal data when they sign up to the platform. Users have to accept Facebook’s Terms of Service when creating an account, which constitute a contract between Facebook and users. According to the DPC’s Draft Decision, Facebook then processes users’ personal data on the basis that it is necessary for the performance of the Terms of Service contract. The DPC suggested that Facebook did not clearly set out its legal basis for processing personal data in its terms, as users had to look through multiple hyperlinked documents to find this information. In the DPC’s view, combined with other aspects of the sign-up process (such as clicking on an “accept” button to agree to the Terms of Service, and being able to consent to additional data processing measures, such as facial recognition, during the account creation process), this may have led some users to falsely believe that Facebook processed their personal data on the basis of their consent. The DPC’s Draft Decision therefore says that Facebook breached the GDPR’s transparency requirements.
What to do: Monitor developments in the case, which we will report on the blog as they become available. The proposed €36 million fine will now be discussed by other concerned EU DPAs, and if no consensus can be reached, the matter will come before the European Data Protection Board, as happened in the recent WhatsApp case.
English court claim highlights potential pitfalls of sports data monetization
What happened: A group of 850 footballers sent letters of claim to 17 companies, primarily gambling and entertainment firms, alleging misuse of their personal data. The footballers claim that the companies processed their performance-related data without the players’ consent and also that the companies violated the GDPR by failing to: (i) inform them of the processing; and (ii) ensure the data’s accuracy. The footballers are claiming damages and an ongoing fee for future use.
What to do: For now, nothing, but – depending on the outcome of the case – any eventual decision may recalibrate how personal data in football and the sporting world more widely is monetized.
German court entitles individuals to copies of entire documents which contain their personal data
What happened: The Munich Higher Regional Court confirmed that individuals are entitled to access corporate documentation which contains their personal data under the GDPR’s right of access. The claimants – a group of investors – brought a claim after they allegedly made an unsuitable acquisition in reliance on the defendant’s unsound investment advice. Seeking to substantiate their claim, the claimants requested access to copies of personal data held by the defendants, including emails, telephone and meeting notes, and investment documents spanning over 10 years. The Court upheld the decision of the Landgericht München I to grant access, ruling that personal data should be interpreted broadly to cover documents (including corporate documents) that can be linked to a specific person. In short, the court held that emails and letters from the claimant to the defendant were, in principle, considered as personal data in their entirety, and therefore, capable of being requested under the GDPR’s data subject access rights.
What to do: Companies dealing with data subject access requests should carefully consider the scope of their obligations and whether, based on local interpretations and guidance, they may need to provide entire documents and not just extracts including personal data. The exact scope of the right has been considered in a number of decisions recently (see our July Roundup), with some courts reaching seemingly contradictory positions. For example, in April, the German Federal Labour Court held that employees cannot request their employer provide them with copies of their entire email correspondence.
Italian DPA fines Sky Italia over €3.2 million for illegal promotional calls
What happened: The Italian DPA – Garante – fined Sky Italia €3.2 million for making unsolicited marketing calls. Following complaints, the Garante found that calls were made directly by Sky and through third-party call centres without consent, using unverified lists acquired from other companies. The Garante said Sky failed to check blacklists of customers who had asked not to receive marketing calls. In addition to the €3.2m fine, the Garante restricted Sky’s ability to use external marketing companies for its promotional activities.
What to do: If using third party marketing lists and/or service providers, take steps to ensure appropriate consents have been obtained and opt-outs, including through national “do not call” registers or similar schemes are honoured. The fine follows a wave of direct marketing enforcement, including in the UK.
Individuals may be able to complain to a DPA prior to processing of their data
What happened: The Belgian Supreme Court ruled that individuals can validly complain to a DPA about a GDPR violation even if their data has not yet been processed. The case concerned an individual who reported a shop owner to the DPA after being asked to provide electronic ID as a prerequisite to joining a loyalty programme. Although the shop owner had not received the complainant’s personal data, as they refused to provide their ID, the Supreme Court held that the owner breached the data minimisation principle by requiring individuals to have their ID processed in order to access a benefit. The Supreme Court also found that the shop owner would not have had valid consent for processing the ID, if provided, as the consent would not have been freely given.
What to do: In Belgium at least, individuals can ostensibly file complaints about a company’s data protection practices before entering into a relationship with the company. This has the potential to increase the volume of complaints companies might expect to deal with.
The authors would like to thank Gavin Benson for his contribution to this article.