25 May 2020
The 25th of May 2020 marks two years since the General Data Protection Regulation (GDPR) came into force. The GDPR imposes strict obligations on data controllers and processors which are entrusted with the personal data of individuals. Furthermore, it provides several rights to data subjects, through which they are able to hold data controllers accountable and seek redress if necessary.
In light of the second anniversary of the GDPR, we have analysed a few of the most significant decisions adopted and fines imposed over the past two years by data protection authorities across the EU.
This piece gives a high-level overview of the main legal principles which were emphasised by the respective data protection authorities in their decisions, together with some key recommendations to ensure compliance with such principles.
On 21 January 2019, the French National Data Protection Commission (CNIL) imposed a 50 million euro fine on Google, following complaints lodged by a French NGO and an Austrian organisation. The CNIL found that Google was processing the personal data of its users for its own ad personalisation services without a valid legal basis. The CNIL also noted a lack of transparency and information in this respect.
The CNIL noted that the legal basis used for ad personalisation purposes, i.e. consent, was not validly obtained. This was because the data subjects were not appropriately informed of certain key information, including the extent of the purpose for which consent was required. Furthermore, the CNIL held that the consent obtained by Google was neither specific nor unambiguous.
The CNIL further noted that Google was in breach of Articles 13 and 14 of the GDPR, which explain what information should be provided to data subjects in relation to the processing of their personal data. The CNIL stressed that the information provided to data subjects with respect to Google’s ad personalisation services was neither clear nor sufficient. Therefore, the principle of transparency and the data subject’s right to be informed were not fulfilled.
Earlier this year, the Italian Data Protection Authority (Garante) issued a 27.8 million euro fine against TIM. In its decision, Garante highlighted that the Italian telecoms operator had engaged in unlawful data processing for marketing purposes. Furthermore, TIM was found to be in breach of the ‘storage limitation’ and ‘privacy by design’ principles.
Garante noted that TIM was making promotional calls to data subjects who had specifically opted out of receiving such promotional material. As in the Google case discussed above, TIM therefore had no valid legal basis to process such personal data.
The Italian Data Protection Authority found that TIM violated its data retention obligations. This resulted from TIM’s practice of retaining personal data for a period longer than was necessary to fulfil the purposes for which such data was collected.
Through its investigations, Garante also found that the telecoms operator’s data breach management system was ineffective. TIM therefore lacked appropriate security measures to protect its data subjects’ personal data and fell short of the principle of ‘data privacy by design’.
On 5 November 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a 14.5 million euro fine to the real estate company Deutsche Wohnen SE. Deutsche Wohnen SE was found to be non-compliant with certain general principles of data processing. In fact, as in the TIM case discussed above, Deutsche Wohnen SE was found to be in breach of the principles of ‘storage limitation’ and ‘privacy by design’.
The Berlin Commissioner found that the company stored personal data in an archiving system that did not provide for the deletion of such data. As a result, the company never examined whether continued retention of the personal data was legitimate or necessary.
Considering the technical shortcoming in the company’s archiving system, the Berlin Commissioner also found the company to be in breach of the ‘data privacy by design’ principle. This principle requires data controllers to have in place a technical infrastructure which respects the general principles of data processing, including the ‘storage limitation’ principle.
It is also worth noting two cases which, although not yet final, involve potentially the most substantial fines issued to date. These cases relate to cyber-security incidents suffered by British Airways and Marriott International, both of which fall under the jurisdiction of the United Kingdom’s Information Commissioner’s Office.
The proposed fines of €204 million and €110 million respectively, which are not yet final, were principally based on a breach of Article 32 of the GDPR, meaning that the companies had insufficient technical and organisational measures in place to ensure an appropriate level of security.
Both the cases above and our own practice suggest that breaches of a handful of general principles recur as the core compliance issues.
It is crucial for data controllers to properly assess their data processing activities and implement the necessary policies and procedures to ensure compliance with these principles.
Article 6 of the GDPR specifies six instances in which processing of personal data is lawful. Data controllers must ensure that all data processing activities are based on at least one of these six legal bases.
A company’s data processing activities develop, evolve and sometimes change in parallel with its business activities. Data controllers should therefore continuously monitor their data processing activities to ensure that the legal bases on which they rely remain applicable.
The above-mentioned cases highlight various deficiencies in the use of consent as a legal basis.
Valid consent implies a freely given, specific, informed and unambiguous indication of the data subject’s wishes. Exercising the right to withdraw consent should be as easy as giving consent. In practice, it is crucial for data controllers to have in place appropriate consent mechanisms which fulfil these requirements and demonstrate actual and valid consent.
The transparency requirements set out in the GDPR apply throughout the life cycle of processing and irrespective of the legal basis used. The GDPR specifies certain minimum information which a data controller should provide to its data subjects at different stages of its processing activities. This principle requires that all information be provided in a clear, concise, intelligible and easily accessible manner to data subjects.
In practice, a company must ensure that it has comprehensive privacy policies in place, for both its customers and its employees. The principle of transparency should also be respected when dealing with data subject rights. For example, when fulfilling a right to access, the data controller should be transparent about the reason why certain information was omitted from the reply. This principle should also be adhered to in cases of a data breach, as well as in case of any material changes to the processing activities.
The principle of storage limitation effectively implies that a company should not store personal data for longer than is necessary to fulfil the purposes for which the data was collected. This principle is closely tied to the right to erasure (the ‘right to be forgotten’), since data subjects may require the erasure of personal data which is no longer necessary for the purposes for which it was collected, subject to the exceptions set out in Article 17 of the GDPR.
In order to ensure that a company does not fall short of its storage limitation obligations, it must implement appropriate data retention policies, based on applicable legislation. Data retention policies should regulate the storage and deletion of personal data relating to customers, employees and the third parties with which the company does business.