More than a year has passed since the long-anticipated GDPR came into full effect across the European Union. Throughout these thirteen months, the momentum the regulation generated has persisted, with new commentaries, guidelines, judgements, interpretations and complaints surfacing regularly.
The GDPR is currently in its early stage of implementation, but is soon expected to move into the enforcement stage, to the benefit of the framework. It may already be observed that companies are attempting to use the GDPR in their favour, whether with positive or negative intent. Statistics also show an increase in general data protection awareness, leading more individuals to exercise the rights the GDPR affords them: over 100,000 individuals have attempted to exercise these rights in the past year. However, as witnessed in our local tribunals, the frequency of complaints has not yet met the expected target, with only 0.5% of European Union citizens having approached this legal remedy since the GDPR’s implementation date. Moreover, the European Data Protection Board (EDPB)’s report addressed to the Civil Liberties Committee (LIBE) within the European Parliament shows that, despite the efforts made since the GDPR, most DPAs require a substantial increase in financial and human resources for the proper functioning of their office. The Swedish Annual Privacy Report, published late in May, has also argued that whilst the GDPR has led to an increase in public awareness of the privacy legal framework, trust in controllers has not improved since the implementation date.
Last month, the Norwegian Consumer Council published a report analysing the observed tendency of software providers to use default settings and dark patterns to steer users towards data-intrusive options. This is a new trend in which software providers aim to manipulate users’ data choices; such practices include designs which withhold the full functionality of an online service unless the desired data settings are accepted.
Apart from this, there appears to be fragmentation and shortcomings created by the derogations, exceptions and restrictions envisaged by the GDPR, and by those enabled through domestic discretion. The Swedish report acknowledged the issue of domestic press laws which created exemptions from the GDPR. As the report noted, this has limited data subjects’ ability to contest processing, leaving most data protection complaints made in Sweden since the GDPR futile. Some of the implementation discretions are even deemed by the continent’s privacy professionals to be contrary to the GDPR. For instance, the Spanish version of the GDPR’s implementation act contained provisions which modified the application of the GDPR and the exercise of the rights it contains by creating a derogation applicable to political profiling. This derogation was contested in a recent case brought before the Spanish Ombudsman by three major Spanish NGOs, leading to a Constitutional Judgement in June. The landmark judgement struck down the derogations applicable to the profiling and collection of personal data for political purposes. Following this, last month the EDPB also published a statement which explored the exploitation of such derogations by political parties. The statement discussed the risk to public trust in the democratic system created by the behavioural profiling and processing of individuals’ sensitive personal data without consent.
June also witnessed a number of judgements across the European Union which further interpret and illustrate the workings of the European Union data protection framework. Such cases include the LaLiga judgement, which resulted in the Agencia Española de Protección de Datos (AEPD) filing a notification to fine amounting to 250,000 Euros. This case centres on a breach of the legal basis, principles and rights of data subjects established by the GDPR. LaLiga, the Spanish Soccer Premier League, has been found liable for the fine for alleged privacy breaches arising from the functionalities of its official mobile application. The application was originally advertised as one designed to produce minute-by-minute commentary of football matches. However, the app’s secondary function allowed LaLiga to activate the app remotely and to access the device’s microphone and GPS in an attempt to monitor and intercept pirated signals of its content. Whilst notice of this functionality was available to users, no explicit mention of it was made in the application’s description, and consent for the use of the GPS and microphone was obtained through a co-option mechanism. In fact, the clause included in the app was deemed too discreet to meet the GDPR’s transparency principle. The monitoring aspect of the application went unnoticed by most users until the scandal was made public in June of 2018.
LaLiga’s design requested consent for the use of the microphone and GPS twice; however, the request did not explicitly refer to the use of users’ devices and locations as informants of illegal streaming. The AEPD held that such a functionality could only be deemed legal, fair and transparent if the application requested consent regularly and notified the individual every time the remote connection was activated, giving users the opportunity to withdraw consent. In fact, as stipulated by the AEPD, LaLiga also violated Article 7 of the GDPR, which establishes the criteria for definite consent that may be revoked at the express choice of the data subject; revocation was effectively impossible here because of the lack of information given to users about the dual functionality of the application.
LaLiga’s reaction to the notification to fine issued by the AEPD rejects liability, so an appeal is to be expected in the coming days. LaLiga has argued that the relevant data’s status as personal data is questionable, because its system was designed to exclude identification through a hashing system, through which data may not be de-anonymized. Moreover, the audio is filtered to intercept only the sound of the streamed game, hence excluding the recording, storing or listening of private conversations. LaLiga’s reasonable claims and arguments are expected to prompt a very interesting appeal which will reflect on the interpretation of what constitutes personal data and the adequate treatment of such data.
Some of June’s other striking fines include the 400,000 Euro fine issued by the Commission Nationale de l’Informatique et des Libertés (CNIL) to Sergic, a French property development company. The breach occurred when the company overlooked a security flaw through which data subjects’ personal data, such as tax notices, accounting statements and ID cards, could be accessed openly simply by modifying the website’s URL. The extent of the fine was influenced by the company’s lack of action despite being aware of the weakness for 6 months. In fact, the CNIL pointed to a user authentication check on the personal profile as the security feature that would have prevented unauthorized disclosure of a data subject’s data, a measure Sergic had not implemented. Another case with similar facts also surfaced in June. Here, human error at NHS Highland led to unauthorized disclosure of personal information. In an attempt to invite local HIV positive individuals to a support group, NHS disclosed the identity of 37 HIV positive individuals because the collective email did not hide its recipients from one another. NHS has personally contacted the individuals to apologize for the disclosure and has initiated a formal internal review to analyse the source of the breach. The Highland Health Board notified the ICO of the breach, which exposed sensitive data of the victims, within the prescribed timeframe, and investigations are now underway.
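The Sergic flaw described above is the classic case of a document endpoint that trusts the identifier in the URL and returns the record to whoever requests it. The following is an added example, not code from the original article nor from Sergic or the CNIL: it models that flawed handler beside a hardened version that requires an authenticated session and checks that the requester owns the document, and it includes a small authorization audit of the kind a defender would run in a test suite. The document store, user ids and document contents are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    kind: str
    body: str


# Constructed sample store (hypothetical data): documents belonging to two
# different customers, addressable by a sequential numeric id as in a URL
# such as /documents/101.
DOCUMENTS = {
    101: Document(101, owner_id=1, kind="tax notice", body="tax notice for customer 1"),
    102: Document(102, owner_id=2, kind="id card", body="id card scan for customer 2"),
}


class Forbidden(Exception):
    """Raised when no authenticated session is present."""


class NotFound(Exception):
    """Raised when the document cannot be served to this requester."""


def get_document_vulnerable(session_user_id, doc_id):
    """Flawed handler: the only validation is that the id exists.

    Whoever supplies the id (authenticated or not) receives the document,
    so changing the number in the URL reveals other customers' files.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def get_document_hardened(session_user_id, doc_id):
    """Hardened handler: authenticated session plus ownership check.

    The same error is returned for "does not exist" and "not yours" so the
    endpoint does not confirm which ids exist.
    """
    if session_user_id is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user_id:
        raise NotFound(doc_id)
    return doc.body


def authorization_audit(handler, session_user_id, id_range):
    """Defender-side regression check: return the ids in id_range that the
    given session can read through handler. For the hardened handler the
    result must contain only that user's own documents."""
    readable = []
    for doc_id in id_range:
        try:
            handler(session_user_id, doc_id)
            readable.append(doc_id)
        except (Forbidden, NotFound):
            pass
    return readable


if __name__ == "__main__":
    ids = range(100, 105)
    print("vulnerable, anonymous:", authorization_audit(get_document_vulnerable, None, ids))
    print("hardened, anonymous:  ", authorization_audit(get_document_hardened, None, ids))
    print("hardened, customer 2: ", authorization_audit(get_document_hardened, 2, ids))
```

The audit function is the useful part for a team in Sergic's position: run against a staging copy of the store with a low-privilege session, it turns the question "can a customer see someone else's tax notice by editing the URL?" into a test that fails loudly whenever a handler forgets the ownership check.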
Other notable developments in June within the data protection sphere were the numerous advances in the Max Schrems-Facebook saga. After a five-year delay since the case was instituted, the Austrian Supreme Court has dismissed Facebook’s objections to the institution of the lawsuit on fundamental privacy rights, tilting the balance considerably in favour of Schrems, the Austrian legal activist and founder of noyb. Facebook’s arguments, which caused the delay, did not concern the substance of the case but rather doubts about the jurisdiction of the Austrian courts to hear a data protection complaint, ordinarily heard by the Data Protection Authority or Commissioner. At first instance this reasoning was upheld. It was however reversed by the Appellate Court and the Austrian Supreme Court, which confirmed the horizontal direct effect of regulations, allowing direct contestation of a breach of a right created by a deficiency in meeting obligations imposed by the treaty. This is a monumental decision which anticipates a landmark judgement expected to impact the framework applicable to tech giants. Schrems even anticipates that the prospective case will have a domino effect across the European Union, with member states potentially scaling back provisions favouring particular industries, such as data brokers. Apart from this, he envisages that a successful judgement will lead to drastic changes to the defendant’s business model. This lawsuit, based on Schrems’ allegations of inappropriate policies, invalid consent, unlawful processing and unauthorized disclosure of data, will inquire into Facebook’s general GDPR compliance. As anticipated by the Irish Data Protection Commissioner, Helen Dixon, conclusive judgements are to be formalized in the coming months.
As discussed throughout this article, the GDPR has come a long way since its implementation date, to the effect that rather than observing general implementation, we are now seeing judgements and discussions on the validity of provisions, their interpretation and other particular aspects of the framework.