Key takeaways from March include:
- CNIL data security practice guide: The French DPA published an update of its data security practice guide for data protection officers, chief information security officers, computer scientists and legal experts.
- DPA powers to order deletion: Per a recent CJEU decision, DPAs can inquire whether personal data has been unlawfully processed and order the deletion without receiving a complaint.
- Data broker consent: The CNIL fined a promotion company €310,000 for consent failings with respect to data purchased from data brokers.
- Collecting biometric data: Following Portuguese and Spanish orders against Worldcoin, businesses operating in the EU that collect or otherwise process biometric information may wish to review their processes to ensure that: (i) biometric data is not collected from minors without parental authorisation; (ii) data subjects receive sufficient information about how their data will be used; (iii) any biometric data can be erased; and (iv) data subjects can revoke their consent.
- UK ICO releases draft guidance on “consent or pay” models: Businesses in the UK utilising, or considering, “consent or pay” business models may want to assess their practices against the UK ICO’s preliminary guidance and ensure that their model facilitates the provision of valid user consent.
- The UK NCSC publishes cyber incident response guidance for CEOs: The UK National Cyber Security Centre’s incident response guidance contains management advice and practical tips that UK-based businesses may wish to review and make changes to their cybersecurity incident response plans, as appropriate.
- Garante enforcement actions: In a series of fines issued following a data breach at an international banking group, the Italian DPA, Garante, has provided useful guidance on: (i) the circumstances in which a data breach will present a high risk to the rights and freedoms of individuals; (ii) the organizational and technical measures expected when processing sensitive personal data; (iii) the meaning of “without undue delay” for purposes of processor to controller data breach notifications; and (iv) the authorizations required for a data processor to outsource the processing of personal data controlled by another entity.
- German guidance on collecting date of birth data: Businesses operating an online shop in Germany should check: (i) whether their websites require potential customers to provide their date of birth; and (ii) the legal basis for processing this information. Where the only legal basis is consent, the website should clearly indicate that providing such personal data is voluntary and provide the potential customer with the requisite information following the new guidance from the DPA of Lower Saxony.
- Icelandic DPA fines Subway for unlawful employee monitoring: Joining other European DPAs in increasing scrutiny on workplace monitoring, the Icelandic DPA fined Subway in a decision that highlights the requirements for GDPR compliance for businesses engaging in employee monitoring.
These developments, and more, are covered below.
CNIL publishes updated GDPR data security guide
What happened: The French data protection authority (“DPA”), the CNIL, published a new version of its GDPR data security practice guide. It covers user security protocols (such as access management and user authentication), physical and cyber security measures, control measures for third-party data transfers and cyber incident preparation. New is the addition of factsheets setting out guidance on securing data in relation to artificial intelligence, mobile applications, cloud computing and application programming interfaces.
What to do: As the guide also serves the regulator when assessing the security of personal data processing, businesses may wish to review their existing policies and practices in the light of this updated guidance. The new factsheet on artificial intelligence may be useful for businesses that are developing or deploying AI systems in France that involve personal data, in addition to already issued guidance, as previously covered.
CJEU rules DPAs can order deletion of personal data in the absence of complaints
What happened: The CJEU ruled that DPAs can order a data controller to erase unlawfully processed personal data without a data subject request or complaint. The case concerned the collection of personal data by a municipal authority in Hungary from two other governmental entities to implement a support scheme during the COVID-19 pandemic.
The Hungarian DPA opened an investigation of its own accord and found that the municipal authority and the governmental entities had breached the GDPR by failing to provide the requisite information to data subjects in relation to the collection of their personal data. Consequently, it ordered the municipal authority to erase the data of individuals who had not applied for the support scheme. The CJEU held that DPAs can order deletions on their own initiative to stop unlawful processing without awaiting a data subject request.
What to do: The decision underscores the autonomous role of the DPAs in enforcing the GDPR. Businesses should take note that DPAs in the EU can investigate whether personal data has been (un)lawfully processed and order the deletion of such data even if data subjects have not complained or may not even be aware of any processing. The decision further highlights the importance of implementing robust data protection by design, to minimise the risk of early missteps causing issues down the line.
CNIL fines Foriou €310,000 for using data supplied by brokers without ensuring valid consent
What happened: The CNIL fined Foriou, a French company specialising in promoting loyalty programs, €310,000 for using data purchased from data brokers without ensuring that individuals had provided valid consent for their data to be collected. The CNIL considered that Foriou: (i) could not rely on its own legitimate interest as a legal basis because the data broker, when soliciting consent, did not mention Foriou systematically as a partner that may approach the data subject with commercial offers; and (ii) could not rely on consent because the data collection forms used by data brokers did not allow free and unambiguous consent, as their presentation (including the size, colour, title and location of consent buttons) strongly encouraged users to agree to the transmission of their data to partners. As previously noted, the CNIL fined a data broker in January 2024 for collecting prospect data without valid consent, also based on the presentation of the consent form.
What to do: Investigating loyalty programs is one of the CNIL’s top priorities for 2024, so data brokers and companies operating in this sector will be on the authority’s radar this year. Businesses should verify that their consent forms are aligned with the CNIL’s expectations, including by ensuring that refusing transmission of personal data to partners is as easy as accepting it.
Portuguese DPA suspends a cryptocurrency’s collection of biometric data
What happened: Portugal’s DPA suspended the collection of biometric data, such as iris, eye and face scans by Worldcoin. The DPA noted that Worldcoin requires individuals to provide biometric data to receive tokens of its cryptocurrency and had already collected this data from over 300,000 individuals in Portugal, including minors. The Portuguese DPA’s decision cited complaints that: (i) biometric data of minors was being collected without parental authorisation; (ii) information provided to data subjects was deficient; (iii) some of the collected data could not be erased; and (iv) data subjects could not revoke their consent.
Similarly, the Spanish DPA ordered Worldcoin to cease collecting and processing biometric data. Following these decisions, Worldcoin continues to operate in the EU only in Germany, where it is already scrutinized by the Bavarian DPA, which is its Lead Supervisory Authority.
What to do: The Portuguese DPA’s decision indicates the increased scrutiny placed on biometric data collection by businesses, particularly where minors are involved. Businesses operating in the EU that collect or process biometric information may wish to review their policies to ensure that adequate safeguards are in place.
ICO releases a preliminary guidance on “consent or pay” models and launches a related consultation
What happened: The UK ICO clarified that UK data protection law does not prohibit “consent or pay” business models (where individuals must either consent to the use of their personal data or otherwise pay for the service in question), provided that consent is freely given, fully informed and capable of being withdrawn without detriment.
Businesses in the UK considering the use of “consent or pay” models are expected to take into account a range of factors when assessing whether valid consent is given, including: (i) whether there is a clear power imbalance between the service provider and its users; (ii) whether the ad-funded service and paid-for service are “basically the same”; (iii) whether any fees imposed are appropriate; and (iv) whether the choices are presented to users “fairly and equally.” The UK ICO also called for views from businesses on the topic, to be reflected in its upcoming guidance update on cookies and similar technologies.
What to do: Businesses in the UK using or considering the use of “consent or pay” models should assess any proposed or underlying practices to ensure they can demonstrate that consent is valid. Businesses should also keep abreast of developments as further guidance in the topic is expected from both the UK ICO and the EDPB.
NCSC publishes cyber incident response guide for CEOs
What happened: The UK National Cyber Security Centre (“NCSC”) published guidance to help CEOs of public and private sector organisations respond to cyber incidents. The guidance recommends putting in place a proportionate and effective governance framework to respond to the business continuity, communications, financial and legal issues a cyber incident can present. The guidance also discusses public messaging, ransomware payments and the benefits of using external experts in the incident response decision-making process (the guidance refers to a list of cyber incident response companies “assured” by the NCSC). The guidance also highlights the importance of team resilience and welfare in the context of a cyber incident, which can easily be an overlooked aspect of an organisation’s response. The NCSC encourages CEOs to consider the knock-on effects of a data breach and the immediate actions that should be taken to protect business, customer and staff data. Finally, the guidance emphasises that CEOs should hold a debrief with the team involved in the cyber incident response and review lessons learned.
What to do: Businesses should review and consider implementing the management advice and practical tips set out in the guidance. While non-binding, the guidance mirrors a broader trend under, inter alia, the EU Digital Operational Resilience Act and second Network and Information Security Directive calling for greater board oversight of cyber-related issues.
Italian Garante fines UniCredit €2.8 million for GDPR violations associated with a data breach
What happened: The Italian DPA, Garante, fined UniCredit €2.8 million for failing to ensure an appropriate level security when processing personal data. In October 2018, UniCredit notified the Italian DPA of a cyberattack, which affected more than 700,000 UniCredit customers’ names, tax information and their internal banking ID code, and (for approximately 7,000 individuals) their banking PIN. The DPA determined that the breach was likely to present a high risk to the rights and freedoms of all of the affected customers, not just those individuals whose banking PIN was involved.
Furthermore, the DPA concluded that UniCredit had failed to: (i) comply with the principles of integrity and confidentiality by failing to properly verify compliance regarding the risks, purposes and context associated with the processing of personal data in its online banking portal; and (ii) adopt appropriate technical measures to limit access to personal data to only the relevant authorised personnel. However, in mitigation, the Italian DPA noted that no affected data subjects had submitted complaints following the incident.
What to do: Businesses who process sensitive personal data (in particular, banks and financial institutions) should consider reviewing their data processing practices, policies and procedures to ensure they meet the principles of integrity and confidentiality, and that they include appropriate technical and organisational measures as required by the GDPR. Businesses in Italy may also wish to consider the DPA’s finding that the affected data elements were sufficient to trigger an individual notification obligation.
Italian Garante fines NTT DATA Italia €800,000 for GDPR violations connected to UniCredit data breach
What happened: Following its €2.8 million fine against UniCredit (see above), the Italian Garante fined IT consultancy, NTT DATA Italia, for violations of Art. 28(2) GDPR and Art. 33(2) GDPR relating to the same personal data breach.
NTT DATA Italia was responsible for carrying out vulnerability assessments and penetration tests for UniCredit throughout October 2018, the same month UniCredit notified the DPA of its cybersecurity incident. The Garante held that, in violation of Art. 28(2) GDPR, NTT Data Italia had outsourced the execution of these vulnerability tests to a third-party entity, without obtaining prior written permission of UniCredit. Moreover, the Garante stated that there had been a three- day delay between NTT DATA Italia being notified of the results of a vulnerability assessment by the third party and NTT DATA Italia passing this information on to UniCredit. The Garante stated that this violated Art. 33(2) GDPR, which requires data processors to notify data controllers “without undue delay” after becoming aware of a personal data breach.
What to do: Businesses that act as data processors under the GDPR should be reminded of their obligation to notify the data controller if they become aware of a personal data breach and should keep this decision in mind when considering the meaning of “without undue delay” under Art. 33(2) GDPR. This may be especially important in the intra-group service provider context. Data processors who further outsource processing may wish to review their contractual arrangements with the relevant data controllers to ensure that the required written authorizations are in place.
Lower Saxony DPA publishes guidance on retailers’ date of birth requirements
What happened: The German DPA for Lower Saxony published new guidance noting that online vendors cannot require customers to provide their date of birth unless that information is necessary for the transaction. The guidance builds on a recent German High Administrative Court decision that an online vendor may breach its GDPR obligations if it requires a customer to provide their date of birth regardless of the product that is being ordered. The DPA’s guidance emphasises the principle of data minimisation, i.e., that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. Accordingly, the DPA concluded that an online vendor would not need the exact date of birth when it could simply ask if the customer is of age to enter into the contract.
What to do: Businesses operating online platforms in Germany should check: (i) whether their websites require potential customers to provide their date of birth; and (ii) the legal basis for processing this information. Where the only legal basis is consent, the website should clearly indicate that providing such personal data is voluntary and provide the potential customer with the requisite information under the GDPR about its use.
Icelandic DPA fines Subway operator for unlawful employee monitoring
What happened: The Icelandic DPA fined the operator of Subway in Iceland kr1.5 million (approximately €10,000) for unlawful employee monitoring. A Subway employee had their work monitored via CCTV by a store manager who took screenshots and noted their actions. In 2021, the Icelandic DPA received a complaint from the employee on two grounds: (i) the business had unlawfully monitored their work; and (ii) the business had failed to notify the employee of the monitoring and of their GDPR rights.
While noting that employee monitoring could be based on a legitimate interest, the DPA determined that the restaurant failed to demonstrate that less intrusive means could not achieve the aim of quality control. Further violations included the failure to inform employees that monitoring was occurring and to keep a register of processing activities.
The Icelandic DPA also ordered the operator to: (i) install signs that monitoring was occurring; (ii) provide information to employees on the monitoring; and (iii) prepare a record of processing activities.
What to do: While local law requirements are key to ensuring lawful employee monitoring, businesses should be mindful of the heightened attention DPAs in Europe are paying to workplace practices. As previously covered, the UK and French DPAs took similar actions in relation to employee monitoring in 2023. Businesses may wish to review their employee monitoring programs in light of this scrutiny focussing, in particular, on transparency and proportionality.
To subscribe to the Data Blog, please click here.
The cover art used in this blog post was generated by DALL-E.