Key takeaways from June and July include:
- Data transfers to the U.S.: Businesses may want to revisit their cross-border data transfer arrangements following the new adequacy decision for the EU-U.S. Data Privacy Framework, assess whether they are eligible to self-certify and, if they are, whether doing so makes sense.
- Interplay between data protection and competition law: Businesses with high market shares may want to consider whether user consent to processing personal data was, in fact, freely given in light of their market dominance, following the CJEU’s decision in the Meta Platforms case, and how they may be able to demonstrate that it was.
- AI governance: Businesses developing and deploying generative AI may want to consider the Irish DPC’s actions in respect of Google Bard and recent ICO guidance to ensure they meet the latest regulatory expectations.
- Web analytics: Businesses using U.S.-centric web analytics may want to re-assess their use of supplementary measures after the Swedish DPA audited four businesses and fined two in connection with their use of Google Analytics.
- DSAR fine: As an area of continued scrutiny, businesses may consider reviewing their procedures for handling data subject access requests (“DSARs”) and consider whether the information provided is sufficiently intelligible to their client base, following Spotify’s €5 million fine.
- Italian fines: Businesses in Italy ought to note the increased fines imposed by the Italian data protection authority in recent months, especially with regards to employee monitoring.
- Sensitive email encryption: Entities may consider reviewing their encryption settings when sending sensitive data over email after the Swedish DPA issued a reprimand for a breach resulting from the use of enforced TLS-encryption instead of end-to-end encryption.
- Cookies: Website operators may wish to review their cookie consent flows in light of the CNIL’s €150,000 fine against KG COM, as cookies remain a key area of enforcement.
- Harmonising GDPR enforcement: Businesses may want to be aware of two recent developments aimed at harmonising GDPR-related enforcement: (i) the EDPB’s guidelines on calculating GDPR administrative fines, which harmonise certain aspects of DPA penalty calculations; and (ii) a proposed new regulation harmonising cross-border data processing complaint management.
These developments, and more, are covered below.
Take Three: New European adequacy decision gives green light to EU-U.S. data protection framework
What happened: On July 10, 2023, the European Commission adopted with immediate effect an adequacy decision for the EU-U.S. Data Privacy Framework (the “DPF”). As outlined in our blog post, the decision allows businesses in Europe to transfer personal data to DPF-certified U.S. businesses without needing additional data protection safeguards such as the Standard Contractual Clauses.
What to do: For businesses in the U.S., the decision whether to certify or to continue to use alternative transfer mechanisms such as the SCCs will turn on whether the business is eligible to certify – as well as potential client and other third-party expectations. For businesses in Europe, no immediate action is needed. However, businesses should expect counterparties to begin moving away from SCCs where they are certified under DPF, and records of processing activities may need to be updated to reflect the new basis for future data transfers.
EU national competition authorities can, in cooperation with data protection authorities, assess GDPR infringements in abuse-of-dominance cases
What happened: The CJEU (case C-252/21) confirmed that a national competition authority (“NCA”) is permitted to determine GDPR-related violations in competition law investigations concerning the abuse of a dominant position, notwithstanding that the NCA is not a data protection authority.
In 2019, the German Federal Cartel Office prohibited Meta from abusing its dominant position in the German social networking market by combining Facebook user data with personal data from other Meta services, on the basis that combining such data violates the GDPR’s consent requirements. On appeal, the Düsseldorf Higher Regional Court referred to the CJEU the question of whether an NCA may, in competition proceedings, assess GDPR compliance.
The CJEU answered affirmatively, noting that it may be necessary for an NCA also to examine compliance with rules other than those relating to competition law, such as the GDPR. However, to ensure consistent application of the GDPR, NCAs are required to consult and cooperate with the relevant data protection authorities. The CJEU also clarified that individuals can still give valid GDPR consent to a business that holds a dominant market position, although such businesses face a higher standard in proving that the consent was, in fact, freely given, precisely because of their market dominance.
What to do: Businesses should be mindful that EEA NCAs have the ability to investigate businesses’ behaviour in the digital sector, including making GDPR-compliance determinations, in cooperation with data protection authorities. Businesses with high market shares may also want to reconsider whether any users’ consent to the processing of their personal data is, in fact, freely given in light of their dominant market position for the service in question, and how they may be able to demonstrate that it was.
Bard temporarily barred from the EU over growing generative AI data protection concerns in Europe
What happened: The Irish DPC delayed the EU launch of Bard, Google’s generative AI chatbot, until Google clarified how Bard would protect Europeans’ privacy. The regulator specified that Google had not provided it with a sufficiently detailed briefing or data protection impact assessment to justify the launch.
In a similar move, the UK ICO also expressed concerns over generative AI and emphasised that businesses operating and using generative AI should understand how the AI uses personal data and mitigate any risks. The ICO’s risk management recommendations broadly follow the draft EU AI Act, requiring mitigation to occur before generative AI is introduced and to reflect the sensitivity of the data handled. The ICO intends to evaluate more thoroughly the data protection measures of businesses operating and using generative AI, and to act against those that do not comply with the GDPR.
What to do: Businesses may want to review and consider incorporating into their AI governance processes guidance surrounding the draft EU AI Act and the ICO’s risk management recommendations, including in certain circumstances a data protection impact assessment reflective of the data’s sensitivity.
Swedish DPA audits four businesses, and fines two of them, for their use of Google Analytics
What happened: The Swedish DPA audited four businesses’ use of Google Analytics to analyse web traffic. All four businesses were ordered to stop using the tool, and two were fined approximately £900,000 and £22,000 respectively. This is the first time a DPA has (publicly) fined businesses for using Google Analytics.
Google Analytics has been scrutinised by multiple DPAs since the Schrems II decision. In 2022, the Austrian, Italian, French and Danish data protection authorities published decisions to the effect that the EU’s standard contractual clauses and Google’s technical and organisational measures did not, without more, comply with the GDPR, especially given the alleged potential for U.S. intelligence services to access exported data.
In this case, the four businesses had attempted to implement additional technical security measures for the data transfers to ensure GDPR compliance, with varying degrees of success. In line with previous regulatory decisions, the DPA held that the SCCs and the supplementary measures implemented were not, in themselves, sufficient to comply with the GDPR’s data transfer requirements. However, the DPA elected not to fine two of the businesses in recognition of the “extensive protective measures” they had attempted to implement, though all four businesses were ordered to stop using the tool.
What to do: Businesses that use Google Analytics or similar tools may wish to revisit how they are using the tool given continued scrutiny in this area and the potential regulatory risks. The new EU-U.S. Data Privacy Framework may, however, resolve many of these issues.
Spotify fined €5 million for providing unclear responses to DSARs
What happened: The Swedish DPA fined Spotify €5 million for DSAR-related failings. The DPA audited Spotify after receiving complaints about its approach to DSARs.
Although the DPA found that Spotify provides individuals with a copy of their personal data upon request, Spotify did not provide individuals with all the additional information regarding their personal data, including details of how their data is used. Further, Spotify did not provide the information – which included technical information – in an easily understood manner. The DPA noted that, in certain situations, Spotify may be required to provide information not only in English but in the individual’s own, native language.
What to do: DSARs continue to be an area of DPA scrutiny. Businesses may wish to review their procedures for handling DSARs and consider whether the information provided is sufficiently intelligible to their client base, including identifying situations where the information should be translated or provided in the local language.
Garante fines businesses a combined €3.1 million for various GDPR failings
What happened: June and July were busy months for the Italian data protection authority, which fined:
- Four telemarketing businesses – fined €1.8 million in total for multiple GDPR violations. This stemmed from what the Garante described as “wild telemarketing” of residential energy services, using tens of thousands of individuals’ contact details without consent and holding the data without sufficient security measures. During the investigation, the Garante seized paper records and computer systems containing the unlawful marketing lists from two of the businesses during dawn raids.
- La Rinascente – fined €300,000 for illegally processing millions of customers’ personal data for marketing and profiling through its loyalty cards. GDPR breaches included La Rinascente: (i) not sufficiently informing data subjects of how long their data was stored and for what purposes it was processed; (ii) failing to provide information about data processing activities for targeting purposes; and (iii) failing to conduct a Data Protection Impact Assessment.
- Centro Medico Camedi – the private medical centre was fined €10,000 for mismatching the data and health information of two patients with the same name, causing several automated text messages to be sent to the wrong patient. This breached the GDPR’s accuracy and confidentiality principles.
- H&M – fined €50,000 in connection with its video surveillance of employees. The Garante found that, among other issues: (i) the 24-hour-a-day monitoring was not limited to what was necessary; and (ii) there was no lawful basis for the monitoring, as such widespread monitoring was not “necessary” and therefore could not be justified under the legitimate interests basis. This follows the Hamburg DPA’s €35.5 million fine against H&M in October 2020 for storing employees’ private information obtained in interviews and using the data for measures and decisions regarding their ongoing employment.
What to do: Businesses may want to consider whether any of their own practices would fall foul of the Italian DPA’s expectations, in particular with respect to employee monitoring, which continues to attract significant regulatory scrutiny.
CNIL fines two entities a combined €40.1 million for GDPR violations
What happened: June was an active enforcement month for the French DPA, which issued two GDPR fines:
- CRITEO – the CNIL fined the business, which specialises in targeted online advertising, €40 million for multiple GDPR violations. Specifically, CRITEO failed to:
  - demonstrate consent for the placement of cookies used by its partner businesses;
  - provide sufficient information to individuals in response to subject access requests;
  - comply with the right of erasure by not allowing users to delete data collected via targeted advertising; and
  - enter into the necessary arrangements with its joint data controllers.
- KG COM – the CNIL fined the online fortune-telling business €120,000 for GDPR violations and a further €30,000 for failings including, inter alia:
  - breaching the data minimisation principle by systematically recording all phone calls with customers;
  - retaining customers’ banking details without a lawful basis;
  - failing to obtain explicit consent for the collection of special category data, including health and sexual orientation data (the CNIL noted that a customer’s active disclosure of sensitive information does not, in itself, constitute explicit consent to process that data);
  - failing to notify a data breach to the CNIL; and
What to do: Businesses may want to review their existing policies on data minimisation, collection of special category data, data security and consent when using cookies or other tracking technology. Cookies requirements continue to be an area of enforcement for the CNIL and many other DPAs.
European Commission proposes harmonisation of GDPR enforcement
What happened: The European Commission proposed a new GDPR Enforcement Regulation to streamline the handling of cross-border data protection cases by: (i) harmonising administrative procedures; and (ii) elaborating on cooperation rules between national data protection authorities. The proposed regulation would:
- Standardise information that data subjects must provide to lodge complaints with a cross-border element and the rules for accepting or rejecting such complaints;
- Introduce a complaint resolution mechanism via amicable settlement (although authorities may still conduct an official investigation);
- Standardise the rights of data controllers and data processors during an investigation, including the right to be heard at early and key stages during the investigation;
- Establish new rules on access to administrative files and confidential information protection by parties under investigation.
What to do: For now, nothing. Businesses may want to monitor developments in this area given that the Commission believes the new regulation would result in quicker and more decisive GDPR enforcement.
Norwegian DPA bans certain Meta behavioural advertising
What happened: Norway’s data protection authority, Datatilsynet, banned Meta from tailoring adverts on Facebook and Instagram using information obtained via monitoring and profiling Norwegian users. The ban starts on 4 August and lasts for three months, with a NOK 1 million (c. $95,446) daily fine for non-compliance thereafter.
The DPA specifically took issue with in-depth tracking of user activity for marketing purposes drawn from user location, content they show interest in and what they post.
The Norwegian DPA also stated that, although the Irish DPC typically acts as Meta’s Lead Supervisory Authority, it considered that the urgent circumstances justified its intervening directly.
What to do: Businesses should consider reviewing whether explicit consent to profiling for advertising purposes is obtained and whether appropriate limits on tracking are in place. This development also serves as a reminder that, notwithstanding the GDPR’s one-stop-shop mechanism, businesses can still face enforcement action from a non-lead supervisory authority.
The cover art used in this blog post was generated by DALL-E.