Key takeaways this October include:
- Facial Recognition: Businesses face continued challenges in establishing GDPR-compliant facial recognition technology, including those with no presence in the EEA, after the French CNIL fined Clearview AI €20 million for “intrusive and massive” data processing without consent or a valid legitimate interest, among other failings;
- Digital Services Act: The EU’s adoption of the Digital Services Act sets a compliance deadline of February 2024 for intermediary online services, and for very large online platforms and search engines, potentially much sooner;
- Technical & Organisational Measures: Risk assessments, training and effective management oversight are key areas of (UK) GDPR “technical and organisational” measures based on the UK ICO’s £4.4 million fine against Interserve Group Limited after it suffered a data breach affecting 113,000 employees’ data;
- GDPR Compensation: Individuals may not be entitled under the GDPR to compensation for trivial harm such as “mere upset” if the Court of Justice of the European Union (“CJEU”) follows a recent advocate general opinion;
- Lead Supervisory Authority & One-Stop-Shop Changes: Under draft updates to EDPB Guidance: (i) joint data controllers would not have a single lead supervisory authority; and (ii) businesses subject to the GDPR’s extraterritorial effect may have to notify personal data breaches to supervisory authorities in every member state where there are affected individuals;
- EU-U.S. Cross-border Transfers: President Biden signed a new executive order to provide greater constraints and oversight on U.S. intelligence-gathering, potentially paving the way for a new EU Commission adequacy decision;
- UK/U.S. Law Enforcement: UK and U.S. service providers might see increased cross-border data requests after the U.S./UK CLOUD Act agreement entered into force;
- Data Subject Access Requests: Recent DSAR-related enforcement suggests that at least some supervisory authorities expect businesses to take affirmative steps to resolve ambiguous requests, rather than simply not actioning them;
- Employee Monitoring: Employers may want to consider the UK ICO’s draft guidance on employee monitoring when deploying employee monitoring tools to ensure they are meeting the latest regulatory expectations, including by conducting data protection impact assessments (“DPIAs”) where appropriate and adhering to heightened assessment requirements for evolving AI and biometric technologies;
- Profiling for Marketing Purposes: Profiling for marketing purposes remains a high enforcement priority for regulators following the UK ICO’s £1.48 million penalty against Easylife for failing to secure consent to profiling and subsequent marketing based on inferred special category data;
- Password Policies: Businesses may want to review their password policies in the light of CNIL’s updated guidelines, which emphasize complexity over length and protective measures throughout the password lifecycle; and
- Data Protection Officer Independence Requirements: Companies should be careful not to appoint a Data Protection Officer with managerial duties that pose a potential conflict of interest, in light of the Berlin Supervisory Authority’s recent fine.
These developments, and more, covered below.
CNIL fines Clearview AI €20 million for facial recognition GDPR failings
What happened: The French CNIL fined U.S. company Clearview AI €20 million for:
- not having a legal basis for facial recognition-related data processing given it failed to obtain individuals’ consent and could not establish a relevant “legitimate interest” given the “intrusive and massive” processing;
- failing to comply properly with data subject access and erasure requests; and
- not cooperating with the CNIL.
The CNIL ordered Clearview to: (i) stop collecting and using personal data linked to individuals in France; and (ii) delete the data already collected, showing the potentially onerous impact non-monetary penalties can have.
The penalties follow enforcement in the UK, Italy, Canada, Greece, and Australia, and reinforces that GDPR enforcement risk is a real consideration for those subject to the GDPR’s (increasingly broadly interpreted) extra-territorial reach.
What to do: Based on the CNIL’s views, businesses may want to consider: (i) ensuring all facial recognition technology-related processing undergoes a formal, GDPR-mandated Data Protection Impact Assessment; and (ii) reviewing their data subject access and erasure request policies and procedures given the complexities in complying in the AI, algorithmic decision-making and machines learning contexts.
Digital Services Act to apply from 2024 or four months from designation as a very large online platform or search engine
What happened: On 4 October 2022, the EU adopted the much-anticipated Digital Services Act (“DSA”). The DSA’s substantive provisions will apply from February 2024 or, for very large online platforms (“VLOPs”) and very large online search engines (“VLOSEs”), just four months after such designation.
Back in July, we explained how the DSA is set to transform the regulation of online intermediaries by requiring them to take greater accountability for “illegal” and “harmful” content, to provide greater transparency around their content moderation practices, targeted advertising, and recommender algorithms, and to maintain comprehensive risk management systems for a potentially wide range of systemic risks – from public health crises to political misinformation. The DSA will apply to a wide range of intermediary services, including “mere conduit,” “caching,” and “hosting” services. VLOPs and VLOSEs will be subject to the most stringent requirements and greatest regulatory oversight.
What to do: Entities should check whether they are subject to the DSA as soon as possible and, if they are, start considering how to implement a compliance program to ensure DSA-readiness by February 2024 or, for VLOPs and VLOSEs, potentially on shorter notice.
UK ICO fines company for inadequate technical and organisational measures
What happened: On 24 October 2022, the UK ICO fined Interserve Group Limited £4.4 million for failing to implement appropriate technical and organisational measures to safeguard 113,000 individuals’ personal data in company HR databases.
What to do: Read our post for detailed guidance on what this fine says about the importance of risk assessments, how training is a regulatory expectation, and the need for effective management oversight.
“Mere upset” may not give rise to compensation under the GDPR
What happened: An Austrian individual claimed €1,000 as compensation for “inner discomfort” after their personal data was used by Österreichische Post AG to extrapolate their political affiliations by reference to socio-demographic data and used the results to target political advertising.
Reviewing the issues, a CJEU advocate general suggested that: (i) GDPR infringements do not automatically entitle individuals to compensation; and (ii) infringements that cause trivial harm such as “mere upset” do not give rise to compensation. National courts will have to determine whether a feeling of displeasure meets the threshold of non-material damage.
What to do: Keep an eye out for the final decision by the court. Advocate General opinions are influential but not binding. The outcome could have a significant impact on businesses’ potential liability for GDPR infringements and the viability of mass claims.
EDPB draft guidance narrows instances of an available lead supervisory authority
What happened: On 10 October 2022, the European Data Protection Board published for public comment two draft revisions to:
- remove in the “Guidelines on identifying a single lead authority for joint data controllers” the concept of a single lead authority for joint data controllers and clarify that joint data controllers will each have their own lead supervisory authority; and
- clarify in the “Guidelines on personal data breach notification under the GDPR” that the presence of an Article 27 representative in a EU Member State does not constitute a “main establishment” for purposes of triggering the one-stop-shop system, meaning a controller subject to the GDPR’s extraterritorial scope may have to notify relevant authorities in each Member State where affected data subjects reside.
The EDPB is accepting comments on the revised joint controller guidelines until 2 December 2022 and on the revised personal data breach notification guidelines until 29 November 2022.
What to do: Where joint controllers have different lead supervisory authorities, reporting obligations will expand, and there will be a greater prospect of parallel investigations into the same matter by multiple lead supervisory authorities. Businesses may need to update notification and other compliance procedures accordingly.
Companies established outside of the EU with an Article 27 representative should prepare for a situation where notifications are required to authorities in numerous Member States (i.e., up to 45 when including the European Economic Area and the 16 German state data protection authorities).
President Biden signs executive order in bid to secure new EU adequacy decision
What happened: On 7 October 2022, U.S. President Biden signed Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities. Our recent post covers the history of the EU-U.S. data sharing agreements, examines the key features of the Order, and outlines the process for an assessment of its adequacy by EU authorities.
What to do: Keep an eye out for the European Commission’s draft adequacy decision later this year or early next, and see our recent post for practical guidance.
U.S.-UK CLOUD Act Agreement enters into force
What happened: On 3 October 2022, the U.S.-UK CLOUD Act Agreement entered into force, paving the way for increased law enforcement requests across the Atlantic.
In 2018, the U.S. Congress passed the CLOUD Act which, in addition to expanding the scope of agency access to electronic communications in the U.S., authorised the U.S. government to conclude agreements with foreign states, whereby a party to a bilateral agreement could directly require service providers based in the respective country to disclose data held by them in the U.S. or the foreign state by complying with their own domestic legal procedures. The scope of covered service providers, and of data potentially subject to a request, is broad.
The U.S. finalised its first CLOUD Act agreement with the UK in October 2019. In July 2022 the governments issued a joint statement confirming that the necessary steps had been completed for the agreement to enter into force.
What to do: UK and U.S. service providers that typically receive a large number of law enforcement requests may want to establish processes for dealing with CLOUD Act requests issued under the new procedures. In particular, entities will need to consider how domestic laws that prohibit the disclosure of certain information interact with CLOUD Act requests and establish procedures to ensure compliance.
Recent trends in data subject access requests highlight obligations on both the controller and the data subject
What happened: Data subject access requests (“DSARs”) enforcement in Italy, Spain, and Sweden shows key aspects of regulators’ expectations.
Specifically:
- Controllers are responsible for DSARs that newly acquired business units receive. The Italian Data Protection Authority fined a data controller €20,000 for failing to reply to a DSAR addressed to a business unit that it had recently taken control of.
- Companies may need to proactively request more information. The Spanish DPA held that a company was wrong to refuse a request outright before requesting more information after a mobile network company failed to respond to requests by a family member to delete a deceased data subject’s data, claiming it lacked sufficient information to comply.
- Requesting identification verification information suspends response timeline. The Swedish DPA, acting as lead supervisory authority, held that Klarna Bank AB was not late in responding to a DSAR where it had reasonable grounds to doubt the identity of the requestor and asked for verification. The term set out for responding to requests was paused whilst awaiting further information from the data subject.
What to do: Consider revisiting existing data subject rights requests policies and procedures to ensure they align with the above regulatory expectations.
Draft UK ICO guidance on employee monitoring clarifies GDPR compliance requirements
What happened: On 12 October 2022, the UK ICO published draft guidance for consultation until 11 January 2023 on workplace monitoring.
Aimed at employers, the guidance lays out measures that can be taken to help ensure employee monitoring complies with applicable data protection requirements. Specifically, the guidance:
- emphasises the need for a regularly updated Art. 35 GDPR DPIA where mandatory, and recommends that companies conduct a voluntary DPIA where it nevertheless constitutes “good practice” and informs risk-based decisions;
- provides recommendations on how employers can comply with notice obligations and establish a legal basis for the processing – for example, collecting documentary proof that workers have read notices;
- expands on the types of scenarios where employee monitoring may take place given an increased reliance on biometric and automated processing tools, and remote work arrangements; and
- sets out further legal considerations, including the 2010 UK Equality Act and 1998 Human Rights Act.
What to do: Employers should carefully review all of their workplace monitoring practices in order to comply with data protection obligations and facilitate positive workplace relations. They may also want to conduct a DPIA to re-assess compliance as practices evolve.
UK ICO fines catalogue retailer £1.48 million for unlawful profiling and marketing calls
What happened: The UK ICO fined Easylife, a catalogue retailer, £1.35 million for using customers’ personal data to target individuals for unsolicited marketing calls. The ICO determined that Easylife unlawfully profiled individuals and processed “invisible” special category data without a valid legal basis. When a customer purchased certain health-related products, Easylife inferred information about the customer’s medical condition(s) and the marketed health products based on the inference. Easylife did not inform its customers it was doing this.
What to do: Organisations may want to review current processes to ensure appropriate customer consent mechanisms are in place ahead of engaging in profiling, inference-based data processing, and direct marketing, especially where it involves special category data.
French CNIL updates its guidelines on password settings
What happened: In an effort to assist organisations in guaranteeing minimum security levels in response to significant volumes of password-related breaches, the CNIL updated its 2017 guidelines on password settings.
The new guidelines:
- re-focus attention on “entropy” or level of randomness, rather than minimum length;
- remove password renewal requirement for non-privileged accounts;
- encourage businesses to share a list of complex but well-known passwords to be avoided; and
- provide that creation and renewal rules should ensure consistent protection throughout the password lifecycle (e.g., the use of a password manager and never storing passwords in clear text).
What to do: Businesses—especially those subject to CNIL’s jurisdiction—may want to review their password policies in the light of the updated guidelines and, in some cases, whether passwords are the most appropriate solution at all.
Berlin Supervisory Authority imposes fine for re-appointing a conflicted Data Protection Officer
What happened: A Berlin e-commerce company appointed a Data Protection Officer (“DPO”) that also held managerial functions in affiliates acting as data processors on behalf of the appointing company. As a consequence, the DPO supervised its own management decisions, thus resulting in a conflict of interest. The Berlin Supervisory Authority imposed in September 2022 a fine of €525,000 on the controller for re-appointing the Data Protection Officer following a warning issued already in 2021.
What to do: Ensure that the permissible other tasks and duties of a DPO do not result in a conflict of interests. Supervisory Authorities consider in a case by case analysis whether the DPO also holds a position in the organization that permits him her to determine the purposes and the means of the processing of personal data. Conflicting positions may include senior management positions such as CEO, COO, or CFO or Head of HR or IT. The topic is relevant as the EDPB announced in September 2022 that its second coordinated enforcement action in 2022 will concern the designation and position of the DPO.
To subscribe to the Data Blog, please click here.
The authors would like to thank legal trainees Maria Epishkina, Sophie Michalski, and Clara Montillet for their contributions to this article.