Data Protection: An Overview of General Data Protection Regulation Developments during August
The end of this summer was marked by a historic event: the dispute resolution procedure envisaged in Article 65 of the GDPR was triggered for the first time in the history of the GDPR. Meanwhile, Max Schrems continued his fight in August against improper data transfers by exposing companies still relying on Privacy Shield and companies subject to US surveillance. Lastly, the French data protection authority imposed a hefty fine in its first cross-border case as lead supervisory authority issuing a fine in that role.
The Article 65 dispute resolution procedure has been triggered for the first time over a breach by Twitter
The Irish Data Protection Commission (DPC) has been entrusted with the supervision of a number of big tech companies because these tech giants chose to establish themselves in Ireland. This situation has, understandably, produced a backlog of high profile cases that all of Europe is waiting for (approximately 23 such big data cases are in the pipeline), including cases against Instagram, Facebook and WhatsApp. The DPC has come under fire from experts, consumers, other European bodies and commentators over the slow pace of its investigations of these cases.
One such case, now under the attention of the member states, is the case of Twitter's failure to notify the authority within 72 hours of a data breach linked to its Android app in 2018. The DPC planned to pass its decision in this case by November 2019; however, the draft decision was passed only in May 2020. Even though this might seem a simple and quick case, its significance lies in the fact that this was the DPC's first decision against a tech giant since the GDPR came into force, and, owing to its cross-border nature, it was open to consultation by all the EU data protection authorities.
However, a number of competent supervisory authorities of other member states disagreed with the DPC's draft decision and maintained their disagreement during the consultation procedure, thereby preventing the DPC from passing the decision as soon as planned. For this reason, on 20 August 2020 the DPC announced that it had, for the first time in the history of the GDPR, initiated the Article 65 mechanism by referring the case to the European Data Protection Board (EDPB), which under this mechanism must reach a consensus among the data protection authorities of the member states and pass a decision. Accordingly, the EDPB now has to obtain a two-thirds majority of the member states within one month or, if it fails to obtain that result within one month, a simple majority not later than November 2020. At the time of writing, the decision in this historic case remains to be seen.
Max Schrems' NOYB goes after companies not up to date with the 'Schrems II' judgement
The much discussed second landmark case, invalidating the US adequacy decision and the Privacy Shield framework that allowed data transfers between the European Union and the USA, was decided by the Court of Justice of the European Union (CJEU) on 16 July 2020. However, this victory for Max Schrems, the person behind the invalidation of Privacy Shield (and of the Safe Harbor framework in 2015), did not put a stop to his campaign against inadequate transfers from the EU to the USA.
Within one month of the CJEU ruling, NOYB, a non-profit organisation led by Max Schrems, had filed complaints on 101 websites with regional operators in 30 European countries that were still allegedly transferring data to the USA through Google Analytics and Facebook Connect. NOYB identified the use of Google Analytics and Facebook Connect by a simple inspection of the websites' HTML source code. Considering that these US companies remain subject to US surveillance laws, and that the CJEU explicitly ruled that Standard Contractual Clauses (SCCs) may not be relied upon if the US recipient falls under US mass surveillance laws, it was clear that no legal grounds existed for such transfers.
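The same kind of source-code check can be run by a site operator against its own pages before a complaint arrives. The following is an added example, not NOYB's tooling, that scans a page's HTML for externally loaded scripts and flags the publicly documented loader hostnames of Google Analytics and Facebook Connect; the hostname list is an assumption to be maintained, and the sample page is constructed.

```python
import re

# Loader hostnames of the two services named in the NOYB complaints.
# Assumption: this list is maintained by the operator; it is a screening
# heuristic, and a hit means a transfer to the US provider is likely.
THIRD_PARTY_HOSTS = {
    "google_analytics": ("www.google-analytics.com", "www.googletagmanager.com"),
    "facebook_connect": ("connect.facebook.net",),
}

SRC_RE = re.compile(r"""<script[^>]+src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Absolute or protocol-relative URL: capture the host part only.
HOST_RE = re.compile(r"^(?:https?:)?//([^/?#]+)", re.IGNORECASE)


def script_hosts(html: str) -> set:
    """Return the hostnames of all externally loaded <script src=...> tags.
    Relative paths (same-origin scripts) are ignored."""
    hosts = set()
    for src in SRC_RE.findall(html):
        m = HOST_RE.match(src.strip())
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def detect_us_transfers(html: str) -> set:
    """Name each monitored service whose loader appears in the page source."""
    hosts = script_hosts(html)
    return {
        service
        for service, loader_hosts in THIRD_PARTY_HOSTS.items()
        if any(h in hosts for h in loader_hosts)
    }


# Constructed sample page for demonstration, not a real website.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/app.js"></script>
</head><body>
<script src="//connect.facebook.net/en_US/sdk.js"></script>
</body></html>
"""

if __name__ == "__main__":
    print(sorted(detect_us_transfers(SAMPLE_HTML)))
```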
In the case of Facebook, when transferring data to the USA it now relies upon the SCCs, which per se were not invalidated by the ruling. However, considering the mechanism of its transfers, Facebook presumably has not paid much respect to the CJEU's conclusion that the use of SCCs under US surveillance laws is contrary to EU fundamental rights principles.
Max Schrems himself stated that pressure will be put not only on the violating companies, both controllers and processors, but also directly on national data protection authorities that fail to enforce the CJEU's ruling, such as the Irish Data Protection Commission.
French DPA issues a fine of 250,000 Euros for breaching a set of GDPR requirements
One of the heaviest fines issued in August was a fine of 250,000 Euros imposed by the French Data Protection Authority (CNIL) on Spartoo SAS, a company selling footwear online. The breaches of GDPR requirements that earned the fine include non-compliance with the principle of data minimisation, keeping data for longer than necessary, and failure to inform the data subjects as required by Article 13 of the GDPR. In addition, the company failed to provide adequate measures to ensure the security of the data.
One highlight of the case is that the company was found to have permanently kept full recordings of all phone conversations with customers, which sometimes included bank details, and that this practice went beyond what was necessary for its stated purpose of employee training. Furthermore, recording every call was found to be even less justifiable because the person conducting the employee training accessed the recording of only one call per week per employee, rendering most of the recordings useless.
CNIL also found that the data collected for fraud prevention was excessive in the case of customers in Italy: in addition to copies of identity cards, whose collection was justifiable for that purpose, the company also collected copies of health cards, which contained more information than was needed.
Another highlight of the case was the lack of retention periods: initially no retention periods were set, and the retained data was not regularly deleted or archived. The company sought to justify the practice by stating that part of the data was anonymised after 5 years by stripping away some of the identifiers; however, it was found that hashing the data with an algorithm and moving it to another table did not amount to full anonymisation. Furthermore, the storage of this allegedly anonymised data was not compliant, as the stated purpose of the storage was to allow ex-clients to reconnect with their accounts in the future, even though such ex-client data should have been deleted for lack of a legal basis for storage (as these persons were no longer customers).
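To illustrate the finding above, the following is an added example (not Spartoo's code nor CNIL's reasoning) showing why hashing an identifier and moving the row to a separate table yields pseudonymised rather than anonymised data: the hash is deterministic, so a current customer record, or the email a returning ex-client types in, re-hashes to the same key and relinks the archived row to a person. The customer records are constructed.

```python
import hashlib

# Constructed customer records for demonstration; not real data.
LIVE_CUSTOMERS = [
    {"customer_id": 1001, "email": "anna@example.org", "city": "Lyon"},
    {"customer_id": 1002, "email": "bert@example.org", "city": "Milan"},
]


def hash_identifier(value: str) -> str:
    """Deterministic, unsalted SHA-256 of an identifier (the kind of
    'stripping away identifiers' step described in the case)."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def build_archive_table(customers):
    """Drop the direct identifier, keep only its hash, and place the rows in a
    separate table. This is pseudonymisation: the key is still derived from
    the person's email, not a random token."""
    return [
        {"email_hash": hash_identifier(c["email"]), "city": c["city"]}
        for c in customers
    ]


def relink(archive, customers):
    """Anyone holding both tables can re-hash the live identifiers and join.
    Returns (archived_row, live_record) pairs, i.e. re-identified rows."""
    index = {hash_identifier(c["email"]): c for c in customers}
    return [
        (row, index[row["email_hash"]])
        for row in archive
        if row["email_hash"] in index
    ]


def lookup_returning_client(archive, email: str):
    """The stated purpose itself (letting an ex-client reconnect) proves the
    archive is identifiable: one email re-hashes straight to the row."""
    key = hash_identifier(email)
    return next((row for row in archive if row["email_hash"] == key), None)


if __name__ == "__main__":
    archive = build_archive_table(LIVE_CUSTOMERS)
    for archived, live in relink(archive, LIVE_CUSTOMERS):
        print(live["customer_id"], "->", archived["email_hash"][:12], archived["city"])
    print(lookup_returning_client(archive, "Anna@example.org"))
```

Genuine anonymisation would require that no such join be possible, for example by deleting the identifier outright once the retention period ends rather than keeping a hash of it.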
The investigation started in May 2018, when CNIL carried out inspections of the company's premises, focusing in particular on the recording of telephone conversations between customer support and customers and on the keeping of customer and potential customer data. CNIL soon determined that the case was of a cross-border nature, as the faulty data processing practice affected data subjects from different European Union countries. For this reason, CNIL notified the relevant data protection authorities in the other European Union countries that it was competent to, and thus would, take on the role of lead supervisory authority in this case. This was the first instance of CNIL acting as lead supervisory authority and issuing a fine in that role.
Matiss Liepins is Compliance Officer at Erremme Business Advisors Ltd and may be contacted at firstname.lastname@example.org