Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of January
The beginning of the year has paved the way for new developments, as the European Data Protection Board and the European Data Protection Supervisor provided us with a list of documents to familiarize ourselves with. Furthermore, this year started with Italy striving to eliminate unlawful marketing practices with a series of high fines, as well as the French Constitutional Court enabling the government to follow tax avoiders on social networks.
Italian DPA ‘Garante’ issues fines totalling 27.8 million euros to TIM SpA
A bundle of hefty fines totalling 27.8 million euros was imposed on the Italian telecommunications company TIM SpA (also known in business as ‘Telecom Italia’). The violation came to the knowledge of Garante through several complaints filed between the beginning of 2017 and 2019 by individuals, both existing clients and non-related persons, regarding unsolicited marketing calls. According to the Italian DPA, the violation affected several million individuals.
Some of the complainants had their phone numbers on the Public Register do-not-call list, and some had previously opted out of receiving such calls from the company or were not customers of the company. However, the marketing communications continued even after the individuals had been put on the do-not-call list or had specifically indicated their refusal of such activity.
The breach involved numerous data protection deficiencies, including unsolicited phone calls for marketing purposes made without obtaining consent or without regard to a refusal to be contacted for such purposes. The company also provided incorrect and non-transparent information through its apps. Furthermore, the way in which consent was obtained was far from valid: it was bundled (one consent for multiple purposes), and consent to marketing communication was made mandatory in order to enroll in the discount and sweepstake program organized by the company.
In this instance, the amount of the fine was decided by considering the nature and duration of the breaches, the number of persons affected, as well as the economic conditions of the company.
Italian DPA ‘Garante’ issues fines amounting to 11.5 million euros to Eni Gas e Luce (EGL)
Another case of high fines took place in January in Italy. The Italian DPA imposed two fines on EGL, one of 8.5 million euros and the other of 3 million euros.
The first fine of 8.5 million euros was imposed for telemarketing activities that were not in line with GDPR, a breach not so different from that of Telecom Italia. Namely, inspections and inquiries conducted by the DPA on the grounds of a number of complaints revealed that EGL systematically made marketing calls without the consent of the individuals, without regard to a straightforward refusal to receive such calls, or without taking into account the records of the public opt-out register. Additionally, the violation involved a lack of technical and organisational measures to take account of users’ indications regarding communication, as well as unlawful data retention periods and the obtaining of personal data of potential clients from entities that could not present the individuals’ consent for such a disclosure.
The second fine of 3 million euros was imposed for entering into unsolicited contracts for the supply of electricity and gas under free market conditions without prior information to data subjects. In this case, the data subjects were informed of such agreements only after receiving letters of termination of contracts with the previous supplier or the first bills issued by EGL. In some cases, it was reported that these documents contained inaccurate data and even forged signatures.
French government will be able to view social media profiles of users to combat tax avoidance
The Constitutional Court of France, after the law was challenged by the data protection authority, has ruled that the customs and tax authorities will be able to inspect social media profiles, posts and pictures to detect signs and gather evidence of tax avoidance and undeclared income. This new investigative tool will be used during a three-year trial period, and the practice and results must be monitored.
The law that grants the authorities these rights has its restrictions, though: the authorized officials may view and use as evidence only publicly available information shared by the respective person. Private correspondence does not fall under this legislation.
In practice, this allows the authority to assess and use as evidence of the mentioned breaches photos and posts that show the relevant person residing and generating income in the country in cases where the person has declared not being a tax resident, or having income that goes beyond what is declared.
New EDPB opinions and guidelines
January has been an active month for the European Data Protection Board (EDPB), as the 17th plenary session took place on 28th and 29th January of this year.
Among the work done in this plenary session was the adoption of opinions on the Accreditation Requirements for Codes of Conduct Monitoring Bodies submitted to the Board by the Belgian, Spanish and French supervisory authorities, to ensure consistency and correct application of criteria among EEA supervisory authorities.
In addition to these opinions, the EDPB provided us with its opinions on the draft accreditation requirements for Certification Bodies submitted to the Board by the UK and Luxembourg supervisory authorities, the first opinions on the topic issued by the EDPB.
The growing tendency of vehicles to be more connected, and of data to be processed in relation to drivers and passengers, required a clarification on the topic, which is now provided for consultation by the EDPB in its draft Guidelines on Connected Vehicles. These draft guidelines strive to shed some light on the issue of processing personal data in relation to the non-professional use of connected vehicles by data subjects. In this draft, the focus is on the data processed and communicated by the vehicle as a connected device.
Furthermore, after closing the public consultation, the EDPB has adopted the final version of the Guidelines on the processing of Personal Data through Video Devices. These guidelines have provided clarification on the use of video devices, both traditional video devices, such as CCTV used in one’s yard, and smart video devices, e.g., with a facial recognition function. The EDPB strived to ensure that the application of these devices is consistent with GDPR and lawful across the EU, including in relation to special category data, exemptions for household needs, disclosure of gathered data and more. Feedback on these guidelines is welcome until 20 March 2020.
EDPS’s Preliminary Opinion on Data Protection and Scientific Research
On 6 January 2020, the European Data Protection Supervisor (EDPS) released a Preliminary Opinion on Data Protection and Scientific Research. The opinion goes on to define in detail what scientific research means, where it should stand in regard to data protection, and what criteria must be met. The document focuses on issues regarding clinical trials, as well as social (behavioral) research, including research done using data from social media and other platforms.
A great contribution of this guidance is the discussion of what would constitute scientific research and what should not qualify as such. Namely, it is stressed that data-based research that does not allow for testing of hypotheses, with the reasoning and conclusion available for scrutiny and criticism, would constitute pseudo-science rather than proper scientific research. The EDPS also strived to establish that any scientific research should be in the public interest, not for the benefit of separate stakeholders, including big tech companies.
The EDPS goes on to dispel the idea that GDPR hinders scientific research, and suggests that corporate reluctance to provide genuine researchers with access to research data may be fueled not so much by privacy concerns as by the lack of business incentive to disclose information about the data controlled by companies.