Key takeaways from June and July include:

  • Data transfers to the U.S.: Businesses may want to revisit their cross-border data transfer arrangements following the new adequacy decision for the EU-U.S. Data Privacy Framework, assess whether they are eligible to self-certify and, if they are, whether it makes sense to do so.
  • Interplay between data protection and competition law: Businesses with high market shares may want to consider whether user consent to processing personal data was, in fact, freely given in light of their market dominance, following the CJEU’s decision in the Meta Platforms case, and how they may be able to demonstrate that it was.
  • AI governance: Businesses developing and deploying generative AI may want to consider the Irish DPC’s actions in respect of Google Bard and recent ICO guidance to ensure they meet the latest regulatory expectations.
  • Web analytics: Businesses using U.S.-centric web analytics may want to re-assess their use of supplementary measures after the Swedish DPA audited four businesses and fined two in connection with their use of Google Analytics.
  • DSAR fine: As an area of continued scrutiny, businesses may consider reviewing their procedures for handling data subject access requests (“DSARs”) and consider whether the information provided is sufficiently intelligible to their client base, following Spotify’s €5 million fine.
  • Italian fines: Businesses in Italy ought to note the increased fines imposed by the Italian data protection authority in recent months, especially with regards to employee monitoring.
  • Sensitive email encryption: Entities may consider reviewing their encryption settings when sending sensitive data over email after the Swedish DPA issued a reprimand for a breach resulting from the use of enforced TLS-encryption instead of end-to-end encryption.
  • Cookies: Website operators may wish to review their cookies consent flows in light of the CNIL’s €150,000 fine against KG COM, as cookies remain a key area of enforcement.
  • Harmonising GDPR enforcement: Businesses may want to be aware of two recent developments aimed at harmonising GDPR-related enforcement: (i) the EDPB’s guidelines on calculating GDPR administrative fines, which have harmonised certain aspects of DPA penalty calculations; and (ii) a proposed new regulation harmonising the management of cross-border data processing complaints.

These developments, and more, are covered below.


Take Three: New European adequacy decision gives green light to EU-U.S. data protection framework

What happened: On July 10, 2023, the European Commission adopted with immediate effect an adequacy decision for the EU-U.S. Data Privacy Framework (the “DPF”). As outlined in our blog post, the decision allows businesses in Europe to transfer personal data to DPF-certified U.S. businesses without needing additional data protection safeguards such as the Standard Contractual Clauses.

A U.S. business is eligible for self-certification (through the Department of Commerce) if it is subject to the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation, provided certain requirements are satisfied, such as committing to various “privacy principles” and updating its privacy policy. Once certified, compliance with the principles can be enforced under U.S. law. A list of certified businesses, as well as FAQs, is maintained on the DPF website.

What to do: For businesses in the U.S., the decision whether to certify or to continue to use alternative transfer mechanisms such as the SCCs will turn on whether the business is eligible to certify, as well as on potential client and other third-party expectations. For businesses in Europe, no immediate action is needed. However, businesses should expect counterparties that are certified under the DPF to begin moving away from SCCs, and records of processing activities may need to be updated to reflect the new basis for future data transfers.

EU national competition authorities can assess GDPR infringements in abuse-of-dominance cases, in cooperation with data protection authorities

What happened: The CJEU (case C-252/21) confirmed that a national competition authority (“NCA”) is permitted to determine GDPR-related violations in competition law investigations concerning the abuse of a dominant position, notwithstanding that the NCA is not a data protection authority.

In 2019, the German Federal Cartel Office prohibited Meta from abusing its dominant position in the German social networking market by combining Facebook user data with personal data from other Meta services, on the basis that combining such data violates the GDPR’s consent requirements. On appeal, the Düsseldorf Higher Regional Court referred to the CJEU the question of whether an NCA may, in competition proceedings, assess GDPR compliance.

The CJEU answered affirmatively, noting that it may be necessary for an NCA also to examine compliance with rules other than those relating to competition law, such as the GDPR. However, to ensure consistent application of the GDPR, the NCAs are required to consult and cooperate with relevant data protection authorities. The CJEU also clarified that individuals can still give valid GDPR consent to a business that holds a dominant market position, albeit such businesses have a higher standard to prove that the consent was, in fact, freely provided given their market dominance.

What to do: Businesses should be mindful that EEA NCAs have the ability to investigate businesses’ behaviour in the digital sector, including making GDPR-compliance determinations, in cooperation with data protection authorities. Businesses with high market shares may also want to reconsider whether any users’ consent regarding the processing of their personal data is, in fact, freely given in light of their dominant market position for the service in question, and how they may be able to demonstrate that it was.

Bard temporarily barred from the EU over growing generative AI data protection concerns in Europe

What happened: The Irish DPC delayed the EU launch of Bard, Google’s generative AI chatbot, until Google clarifies how Bard would protect Europeans’ privacy. The regulator specified that Google had not provided it with a sufficiently detailed briefing or data protection impact assessment to justify the launch.

In a similar move, the UK ICO also expressed concerns over generative AI and emphasised that businesses operating and using generative AI should understand how the AI uses personal data and mitigate any risks. The ICO’s risk management recommendations broadly follow the draft EU AI Act, requiring mitigation to occur before generative AI is introduced and to reflect the sensitivity of the data handled. The ICO intends to evaluate more thoroughly the data protection measures of businesses operating and using generative AI, and to act against those not compliant with the GDPR.

What to do: Businesses may want to review and consider incorporating into their AI governance processes guidance surrounding the draft EU AI Act and the ICO’s risk management recommendations, including in certain circumstances a data protection impact assessment reflective of the data’s sensitivity.

Swedish DPA audits four businesses, and fines two of them, for their use of Google Analytics

What happened: The Swedish DPA audited four businesses’ use of Google Analytics to analyse web traffic. All four businesses were ordered to stop using the tool, and two were fined approximately £900,000 and £22,000 respectively. This is the first time a DPA has (publicly) fined businesses for using Google Analytics.

Google Analytics has been scrutinised by multiple DPAs since the Schrems II decision. In 2022, the Austrian, Italian, French and Danish data protection authorities published decisions to the effect that the EU’s standard contractual clauses and Google’s technical and organisational measures did not, without more, comply with the GDPR, especially given the alleged potential for U.S. intelligence services to access the exported data.

In this case, the four businesses had attempted to implement additional technical security measures for the data transfers to ensure GDPR compliance, with varying degrees of success. In line with previous regulatory decisions, the DPA held that the SCCs and the supplementary measures implemented were not, in themselves, sufficient to comply with the GDPR’s data transfer requirements. However, the DPA elected not to fine two of the businesses in recognition of the “extensive protective measures” they had attempted to implement, though all four businesses were ordered to stop using the tool.

What to do: Businesses that use Google Analytics or similar tools may wish to revisit how they are using the tool given continued scrutiny in the area and the potential regulatory risks. The new EU-U.S. Data Privacy Framework may, however, resolve many of these issues.

Spotify fined €5 million for providing unclear responses to DSARs

What happened: The Swedish DPA fined Spotify €5 million for DSAR-related failings. The DPA audited Spotify after receiving complaints about its approach to DSARs.

Although the DPA found that Spotify provides individuals with a copy of their personal data upon request, Spotify did not provide individuals with all the additional information regarding their personal data, including details of how their data is used. Further, Spotify did not provide the information, which included technical information, in an easily understood manner. The DPA noted that, in certain situations, Spotify may be required to provide information not only in English but in the individual’s own native language.

What to do: DSARs continue to be an area of DPA scrutiny. Businesses may wish to review their procedures for handling DSARs and consider whether the information provided is sufficiently intelligible to their client base, including identifying situations where the information should be translated or provided in the local language.

Garante fines businesses a combined €3.1 million for various GDPR failings

What happened: June and July were busy months for the Italian data protection authority, which fined:

  • Four telemarketing businesses – fined €1.8 million in total for multiple GDPR violations. This stemmed from what the Garante described as “wild telemarketing” of residential energy services, using tens of thousands of individuals’ contact details without consent and holding the data without sufficient security measures. During the investigation, the Garante seized paper and computer systems containing the unlawful marketing lists from two of the businesses during dawn raids.
  • Autostrade per l’Italia – fined €1 million for unlawfully processing c.100,000 motorway toll reimbursement app users’ personal data. The app’s privacy policy incorrectly identified the app developer as the data controller rather than Autostrade. Consequently, Autostrade: (i) breached the requirement to process personal data lawfully, fairly and transparently; (ii) had not correctly identified the data controller at the point it collected users’ personal data; and (iii) had not entered into the necessary data processor terms with the app developer.
  • La Rinascente – fined €300,000 for illegally processing millions of customers’ personal data for marketing and profiling through its loyalty cards. GDPR breaches included La Rinascente: (i) not sufficiently informing data subjects of how long their data was stored and for what purposes it was processed; (ii) failing to provide information about data processing activities for targeting purposes; and (iii) failing to conduct a Data Protection Impact Assessment.
  • Centro Medico Camedi – the private medical centre was fined €10,000 for mismatching the data and health information of two patients with the same name, causing several automated text messages to be sent to the wrong patient. This breached the GDPR’s accuracy and confidentiality principles.
  • H&M – fined €50,000 in connection with its employee video surveillance. The Garante found that, among other issues: (i) the 24-hour-a-day monitoring was not limited to what was necessary; and (ii) there was no lawful basis for the monitoring, as such widespread monitoring was not “necessary” and therefore could not be justified under the legitimate interests basis. This follows the Hamburg DPA’s €35.5m fine against H&M in October 2020 for storing employees’ private information from interviews and using the data for measures and decisions regarding their ongoing employment.

What to do: Businesses may want to consider whether any of their own practices would fall foul of the Italian DPA’s expectations, in particular with respect to employee monitoring, which continues to attract significant regulatory scrutiny.

CNIL fines two entities a combined €40.1 million for GDPR violations

What happened: June was an active enforcement month for the French DPA, which issued two GDPR fines:

  • CRITEO – the CNIL fined the business, which specialises in targeted online advertising, €40 million for multiple GDPR violations. Specifically, CRITEO failed to:
    • demonstrate consent for the placement of cookies used by its partner businesses;
    • include all intended processing purposes in its privacy policy, and expressed some purposes in overly vague and broad terms;
    • provide sufficient information to individuals in response to subject access requests;
    • comply with the right of erasure by not allowing users to delete data collected via targeted advertising; and
    • enter into the necessary arrangements with its joint data controllers.
  • KG COM – the CNIL fined an online fortune-telling business €120,000 for GDPR violations and a further €30,000 for, inter alia:
    • breaching the data minimisation principle by systematically recording all phone calls with customers;
    • retaining customers’ banking details without a lawful basis;
    • failing to obtain explicit consent for the collection of special category data, including health and sexual orientation data. The CNIL noted that a customer’s active disclosure of sensitive information does not, in itself, constitute explicit consent to process that data;
    • failing to notify a data breach to the CNIL; and
    • initially having no cookies consent banner on its website and then an inadequate banner which did not allow users to refuse cookies as easily as they could accept them.

What to do: Businesses may want to review their existing policies on data minimisation, collection of special category data, data security and consent when using cookies or other tracking technology. Cookies requirements continue to be an area of enforcement for the CNIL and many other DPAs.

European Commission proposes harmonisation of GDPR enforcement

What happened: The European Commission proposed a new GDPR Enforcement Regulation to streamline the handling of cross-border data protection cases by: (i) harmonising administrative procedures; and (ii) elaborating on cooperation rules between national data protection authorities. The proposed regulation would:

  • Standardise information that data subjects must provide to lodge complaints with a cross-border element and the rules for accepting or rejecting such complaints;
  • Introduce a complaint resolution mechanism via amicable settlement (although authorities may still conduct an official investigation);
  • Standardise the rights of data controllers and data processors during an investigation, including the right to be heard at early and key stages during the investigation;
  • Establish new rules on access to administrative files and confidential information protection by parties under investigation.

What to do: For now, nothing. Businesses may want to monitor developments in this area given that the Commission believes the new regulation would result in quicker and more decisive GDPR enforcement.

Norwegian DPA bans certain Meta behavioural advertising

What happened: Norway’s data protection authority, Datatilsynet, banned Meta from tailoring adverts on Facebook and Instagram using information obtained via monitoring and profiling Norwegian users. The ban starts on 4 August and lasts for three months, with a NOK 1 million (c. $95,446) daily fine for non-compliance thereafter.

The DPA specifically took issue with in-depth tracking of user activity for marketing purposes, drawn from users’ location, the content they show interest in and what they post.

The Norwegian DPA also stated that, although the Irish DPC typically acts as Meta’s Lead Supervisory Authority, it considered that the urgent circumstances justified its intervening directly.

What to do: Businesses should consider reviewing whether explicit consent to profiling for advertising purposes is obtained, and whether appropriate limits to tracking are in place. This development also serves as a reminder that, notwithstanding the GDPR’s one-stop-shop mechanism, businesses can still face enforcement action from a non-lead supervisory authority.

The cover art used in this blog post was generated by DALL-E.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Aisling Cowell is an associate in the Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group. She can be reached at acowell@debevoise.com.

Author

Tristan Lockwood is an associate in the firm’s Data Strategy & Security practice. He can be reached at tlockwood@debevoise.com.

Author

Maria Epishkina is a corporate associate and a member of the Mergers & Acquisitions, Capital Markets and Private Equity Groups. She can be reached at mepishkina@debevoise.com.

Author

Maria Santos is a trainee associate in the Litigation Department.

Author

Sergej Bräuer is an international counsel in the firm’s Frankfurt office and a member of the Antitrust & Competition Group. He advises clients on the full spectrum of antitrust and competition matters as well as foreign direct investments. He has deep experience in cartel damages cases and complex merger control proceedings, including coordination of worldwide merger control filings and approvals.