Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of March
In March, data protection was caught in the crossfire of disputes over competences, with France disregarding the rulings of the CJEU and Germany referring to the CJEU a case against Facebook that could shed light on the growing trend of competition authorities taking action in data protection matters. Meanwhile, the Spanish data protection authority issued a record fine to Vodafone for neglecting its data protection duties.
France opposes the ruling of the Court of Justice of the European Union
The 2006 Data Retention Directive, which forced Member States to require internet service providers to retain a log of customers’ phone and internet data so that the police and other authorities could access it, was struck down in 2014 by the Court of Justice of the European Union (CJEU) in the Digital Rights Ireland ruling. Ever since, the ruling has been disputed by France and other Member States.
On the 6th of October 2020, the CJEU maintained the previous findings by ruling that national data retention rules were not aligned with European Union law, save for the exceptions where serious security risks are involved. The judgment found that electronic communications data should be considered confidential and that, in principle, general and indiscriminate retention of such data is therefore not permitted. The court did, however, put forth an exhaustive set of limited exceptions for specific situations where public defence, national security, and security or crime prevention, investigation, detection and prosecution are of significance.
Recently, however, the French government has sought to convince the Council of State, the highest administrative court, to go against the Digital Rights Ireland ruling in the French government’s case against digital rights NGOs La Quadrature du Net and Privacy International. At the core of the case was the lawfulness of legislation requiring communications service providers to provide government institutions with users’ traffic data and location data, or to retain the data in a general or indiscriminate manner. The argument of the French government is based on the concept of so-called constitutional identity, first put forth in 2006 and subsequently used in jurisprudence by Germany, Hungary and Italy to bypass EU law by referring to national specifics and state sovereignty. Consequently, the French government has argued that the CJEU ruling was against the constitutional identity of France.
The case shall be heard in the near future by the Council of State.
EU officials and experts have stated that such a move towards disregarding EU law and rulings could set an unfavourable example for other countries and destabilize the rule of law in the EU. This is of particular significance considering the recent issues the EU has faced with the disobedience of Hungary, in respect of its much disputed suspension of data subject rights on the basis of the necessity to ensure public security during the pandemic, and of Poland, which passed a new law undermining the independence of judges that is seen as incompatible with the primacy of EU law and the foundations of the rule of law.
German court refers the Facebook case to European Court of Justice
Lately, we have seen a number of cases in EU countries and the UK where the data usage practices of tech giants are being disputed and sanctioned not by data protection authorities, but by competition authorities. This shows that competition authorities might have been, or will be, in some instances more efficient in limiting questionable practices than data protection authorities are.
One case in this string of competition authorities regulating data processing practices through their own means and competence is that of Germany’s Federal Cartel Office (Bundeskartellamt) against Facebook. In 2019, the Federal Cartel Office imposed a restriction on the practice of sharing data between Facebook, WhatsApp and Instagram as a group, as well as with other third-party app providers. The basis for the restrictions was that the collection and sharing of data without consent is considered to be an abuse of dominant power in the market. Namely, the authority held that Facebook’s practice of collecting user data from across the internet, its own platforms and products, as well as third parties, is to be viewed in connection with its dominant market position. Such practices did not provide for users’ choice in the market, thus constituting an abuse of its position.
The decision was not initially appreciated by the Higher Regional Court of Düsseldorf, which held the opinion that the practice in question did not constitute abuse of the dominant position. When the case reached Germany’s Supreme Court, it was decided to refer it to the CJEU to clarify the matter since, in the words of representatives of the Senate, the CJEU is in the position to interpret EU law, and the case therefore cannot be decided without such a referral.
The CJEU is expected to weigh in on whether the competition authority’s order to suspend Facebook’s collection of personal data on the notion of abuse of power and GDPR was reasonable.
The final say from the CJEU should not be expected any time soon, though, as such procedures tend to take years.
Spanish Agency for Data Protection issues its record fine to Vodafone
In March, the British communications operator Vodafone received a formidable fine of 8.15 million Euros from the Spanish Agency for Data Protection (AEPD) for aggressive telemarketing and multiple data protection failures. The total fine consists of four sanctions, of which two sanctions in the amount of 6 million Euros were issued for failure to comply with GDPR, and the remainder for failure to comply with the national telecommunications laws.
The company rolled out commercial campaigns from 2018 to 2020, for which it used databases containing personal data. With the data in question it approached customers with unsolicited phone calls, messages and emails. These communications were received both by customers who had not expressed their consent and by those who had expressly refused such communications by requesting to be listed in the opt-out directory. Among Vodafone’s failures was also the approval of international data transfers that were not GDPR compliant. Moreover, due to extensive outsourcing of functions, the company was unable to verify the origins and legal basis of the processed data, and thus lost track of who had opted out of direct marketing. AEPD revealed that the group did not have real, continuous and audited control of the processing of the data in Spain, and that the company could not present detailed information on the guarantees it provides in respect of data protection, while itself lacking information on the guarantees given by its subcontractors.
From the beginning of these campaigns in 2018, AEPD received complaints from individuals, totaling 191 complaints during the two-year period in which the campaigns took place. AEPD had already taken action by issuing over 50 warnings or fines to Vodafone. However, the company had not adequately addressed the warnings it received, thus securing itself the record-breaking fine.