Data Protection: An Overview of General Data Protection Regulation Developments in June
Apart from hot summer weather, June also brought a few far-reaching changes and interesting turns in the data processing world, as Amazon was threatened with the highest fine in GDPR history. Meanwhile, the European Commission issued the long-awaited new set of Standard Contractual Clauses, and the CJEU handed down a decision allowing national data protection authorities a limited deviation from the One-Stop-Shop mechanism.
Luxembourg threatens Amazon with the highest fine ever to be imposed
The Luxembourg National Data Protection Commission (CNPD) has signalled that the online retail giant Amazon might be hit with a fine of up to 358 million Euro for its marketing practices, specifically in relation to the way Amazon collects and uses personal data.
While the record fine has drawn attention to the case, and especially to the non-compliant Amazon practices deserving of such an astronomical fine, the circumstances of the breach remain a mystery, as the data protection authority has not disclosed any details. The company itself has remained silent as well; what is known is that the breach is not related to the Amazon Web Services cloud computing service.
The amount significantly exceeds the current record, the 50 million Euro fine previously imposed on Google for failing to make its data processing statements easily accessible to users and for failing to collect valid consent for targeted advertising.
Even if the fine turns out to be the highest to date, the amount is not very significant in proportion to Amazon's annual revenue, which currently amounts to 326.2 billion Euros. The proposed fine is only approximately 0.1% of Amazon's annual revenue, far short of the maximum possible fine of up to 4% of total worldwide annual turnover under Article 83(5) of the GDPR. This has added to the debate on the EU data protection authorities' practice of being lenient when sanctioning big tech companies, as the highest fines issued to these companies in the past have been arguably minuscule.
The Luxembourg authority is the lead supervisory authority in this case because Amazon's EU headquarters is established in the country. As lead supervisory authority, it sent a draft decision envisaging the hefty fine, which would, if imposed, be the highest fine under the GDPR in the European Union to date, to the other 26 EU data protection authorities for review and consultation. Under Article 60 of the GDPR, the other data protection authorities concerned must agree on the fine proposed by Luxembourg, so the amount of the penalty may change and could even be reduced. Judging by past experience with this procedure, it might take an extended period of time until consensus is reached, and where the regulators cannot reach an agreement the matter may be referred to the European Data Protection Board for dispute resolution under Article 65.
European Commission adopts new Standard Contractual Clauses
On 4 June 2021, following the Schrems II ruling and in order to address the concerns identified by the CJEU in that ruling, the European Commission issued the new standard contractual clauses (SCCs) for the transfer of personal data to third countries. A draft had first been published for consultation in November 2020.
Data importers and exporters may start using the new clauses from 27 June 2021, but it is not mandatory to do so immediately. A transitional period is provided for those who need to introduce the new SCCs. The previous SCCs may still be signed and entered into until 27 September 2021; after that date, parties entering into a new data export/import arrangement must use the new clauses. Finally, by 27 December 2022 all those still relying on the previous SCCs must have moved to the new clauses, which means replacing every set of old SCCs they entered into before that date.
Compared with the previous SCCs, the long-awaited new clauses introduce a number of additions.
The clauses are now modular and cover four scenarios: the already existing transfers from a controller to another controller or to a processor, and the new scenarios of transfers from a processor to another processor (a sub-processor) and from a processor back to the controller on whose behalf it carries out the processing.
The controller need not be established in the EU to use the SCCs, as the GDPR also applies to controllers established outside the EU where certain conditions are met, such as when the controller offers goods to persons in the EU or monitors their behaviour. Meanwhile, as mentioned, a processor in the EU will need to use the SCCs where it transfers personal data to a controller established elsewhere, even if the GDPR does not apply to that controller, for example where the processor only processes data of individuals outside the EU. It is noteworthy that the clauses are not to be used if the importer, although located in a third country, is itself subject to the GDPR on an extra-territorial basis.
Another difference from the previous SCCs is that new parties may join the SCCs, both at the outset and later on, by acceding to the SCCs with the agreement of all existing parties. This may be beneficial in group company settings, avoiding unnecessary duplication of procedures and documentation.
To cover the requirements arising from the Schrems II ruling, the SCCs impose an obligation on the exporter to assess the legislation and practices of the country in which the data importer is established, in particular laws allowing access to the data by public authorities there. The purpose of this assessment is to determine whether the SCCs can effectively achieve their purpose in that foreign legal environment. If impediments are found, the transfers may not be carried out or continued.
CJEU decides a one-stop-shop case
In June, the Court of Justice of the European Union (CJEU) published its judgment in the case between companies of the Facebook group and the Belgian data protection authority (Case C-645/19, judgment of 15 June 2021). The case began in 2015, when the data protection authority brought proceedings against a number of Facebook group companies in Belgium.
At the core of the issue was Facebook's practice of placing cookies on users' devices without obtaining consent and of excessively collecting personal data during browsing sessions on the Facebook.com domain and on third-party websites. This affected not only Facebook users but also unrelated persons.
In this case the data protection authority requested a court order that would force the Facebook companies, including the Belgian subsidiary and group companies in Ireland and elsewhere, to cease the practice. The Court of Appeal of Brussels decided that the regulator had no jurisdiction over Facebook Inc. and Facebook Ireland Ltd., thus limiting the case to the proceedings against the Belgian company.
Facebook later argued that when the GDPR became applicable in May 2018, the Belgian data protection authority lost the right to continue proceedings concerning the companies outside Belgium and their cross-border processing activities. In its view, judicial proceedings against it could only be initiated in the courts of the member state of its main establishment, namely Ireland, whose data protection regulator is known for lengthy investigations.
To clarify whether proceedings against the tech giant's foreign companies could be initiated locally, the Brussels court referred the matter to the CJEU.
The CJEU examined whether a data protection authority that is not the lead supervisory authority under the GDPR's One-Stop-Shop mechanism may initiate legal proceedings locally against companies for violations in cross-border processing. To remind the reader, the mechanism provides that businesses operating across the EU may rely on enforcement and other matters being handled by a single lead supervisory authority, rather than by many authorities in different member states in parallel.
The court found that while the lead supervisory authority generally remains the competent authority to adopt decisions on violations in cross-border processing, the Belgian scenario is possible in certain circumstances. In particular, a supervisory authority that is not the lead supervisory authority may bring such proceedings where the GDPR confers on it the competence to adopt a decision establishing that the processing infringes the GDPR. Furthermore, when initiating such cases, the cooperation and consistency procedures in the GDPR must be adhered to and the competence of the lead supervisory authority must be respected.
The court further held that the exercise of this power does not require the controller to have its main establishment, or any other establishment, in the member state of the non-lead supervisory authority, although the controller does have to be established in the European Union. Where such an authority has the power to bring proceedings, it may exercise it both against the controller's main establishment, where that is located in the same member state as the authority, and against another establishment, provided that the object of the proceedings is data processing carried out in the context of the activities of that establishment.
The CJEU also found that in this case Belgium could continue the proceedings under the previous legal framework, namely the Directive, in respect of infringements committed before the GDPR became applicable, and that the proceedings may also continue in relation to circumstances occurring after the GDPR replaced the Directive, where these fall within the cases in which the GDPR allows a supervisory authority other than the lead supervisory authority to adopt a decision. In either case, the GDPR's One-Stop-Shop procedures must be followed. This CJEU decision might mean more similar cases in the future brought against controllers by national supervisory authorities that are not the lead supervisory authority, thus ensuring more scrutiny of the processing activities of internationally present companies.