Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of November
This November was not without significant and potentially far-reaching developments in data protection, as the European Parliament paved the way for a new directive regulating consumer class-action lawsuits for EU law violations and the Council initiated a draft resolution that could limit end-to-end encrypted data sharing. Furthermore, the data protection authority of Italy hit Vodafone with a 12 million Euro fine for multiple infringements, and the ad tech industry chose Google for its next legal battle against market dominance.
European Parliament endorses a directive that would enable consumer groups to file collective action
The European Parliament has put forward a new directive that would give consumers across the EU a right to commence collective action against companies, particularly huge players with a disproportionate advantage in the market. The purpose of this directive is to improve the internal market by curbing unlawful practices and ensuring that consumers can seek justice, redress and declaratory orders where the respective EU law has been violated.
The Representative Action Directive, forming a part of the New Deal for Consumers – a legislative plan striving to strengthen consumer protection in the EU, was originally put forward in April 2018. However, an agreement by negotiators of the Parliament and EU ministers was reached this June following a number of scandals relating to mass consumer rights violations.
The right to join forces in a collective lawsuit against companies as a response to mass harm is not a new concept in the EU. However, Parliament’s directive would harmonise this approach and enable individuals to commence lawsuits through which injunction and redress would be obtainable in every member state of the EU.
The directive would strive not only to balance out the disproportionate power of companies, but also to prevent consumers from filing abusive lawsuits by implementing different preventative measures, such as provisions ensuring that the losing party covers the costs of the proceedings. Furthermore, qualification criteria for the representatives or qualified entities would be introduced and made dependent on whether the case is of a cross-border or domestic nature. It is envisaged that in cross-border cases, the representation may be undertaken by non-profit organisations that can demonstrate their involvement for 12 months in consumer protection activity, as well as independence from third parties having interests not in line with consumer interests.
While the directive is originally aimed at improving the single market and consumer protection, the initiative is intertwined with other segments of EU law and thus targets any infringements of EU law where trader and consumer relations are concerned. This includes data protection, as it is not uncommon that the violations and harm consumers suffer in the market are directly related to the unlawful processing of personal data, including profiling and telemarketing.
European Union takes steps to limit “end-to-end” encryption
In November, the Austrian broadcasting network “Österreichischer Rundfunk” published leaked drafts of a joint declaration of the Council of the European Union that were initially intended for internal purposes. The drafts caused an uproar among privacy activists, as the draft declaration signals the intent of the EU to restrict the “end-to-end” encryption that is widely used by messenger applications such as Signal and WhatsApp, among others, to ensure that the content exchanged between two or more parties is available only to those parties that possess the encryption key.
Whilst the concerned activists feared that this intent might lead to the elimination of secure communication methods in terms of privacy, as well as cause arbitrary surveillance by the intelligence services and a surge of hacker attacks, the EU Council itself admits to being in a dilemma between the principle of security through encryption and public security.
The draft declaration, while maintaining a position of full support for encryption as a crucial measure to ensure privacy, envisages that the encrypted material should be made accessible to competent authorities. The reasoning behind this position is the necessity to eliminate technological obstacles for the competent authorities to access the encrypted information in order to prevent online child abuse, terrorism and dissemination of terrorist propaganda, and organised crime, among other lawful purposes.
The resolution on the matter was adopted by the EU Council on 14 December 2020. However, the evolution and practical implementation of these intents of the Council remain to be seen.
Digital Marketing coalition challenges Google’s “Privacy Sandbox” in a competition complaint
In October, players in the ad and publishing industry had filed a claim in France against Apple for the privacy controls of its mobile operating software that prevent ad trackers from placing identifiers on user devices. However, in November the same fate was experienced by Google in the United Kingdom.
In this case, the objections were voiced against Google’s “Privacy Sandbox”, intended to be launched in early 2021. The “Privacy Sandbox” strives to eliminate third-party cookies, thus limiting digital marketers’ ability to track users across the web. While Google, not unlike Apple, introduced its initiative as privacy enhancing, the ad industry fears that the approach would strengthen Google’s dominant position in the market.
For this reason, the coalition has requested the regulator to block and delay the implementation of the “Privacy Sandbox” to allow time for the regulator to investigate the potential for market distortion. Meanwhile, the ad industry has teamed up and is urgently drawing up a cookie replacement proposal under the name of “UnifiedOpen ID 2.0” to counter the potential consequences of the recent big tech moves.
Italian Data Protection Authority hits Vodafone Italia S.P.A. with a fine of more than 12 Million Euros
The Italian Data Protection Authority, Garante, opened a probe based on hundreds of complaints by customers and targeted persons of Vodafone regarding unsolicited phone calls promoting telephone and internet services. It found the data processing practices of the company to be in breach on multiple counts and issued a fine of 12,251,601 Euros. Garante concluded that Vodafone had major structural issues, including in relation to consent requirements, as well as the GDPR principles of data protection by design and accountability.
Among the breaches found, the most prominent was Vodafone’s practice of using fictitious phone numbers and numbers not registered with the National Consolidated Registry of Communication Operators and thus not permitted to be used for marketing communications. The latter practice was potentially linked to unauthorised call centres that were known to have GDPR non-compliant practices themselves.
It was also found that contact lists used by Vodafone to reach out to potential customers were bought and acquired from third parties, but without obtaining adequate consent from the data subjects concerned. This violation had affected more than 4.5 million individuals.
Lastly, one of the counts of violation was related to inadequate security measures in respect of the client management system, which resulted in customers being requested by employees of Vodafone to send identity documentation through WhatsApp messenger. It is speculated that these requests were linked to intended prohibited activities, such as spamming and phishing.
Apart from the hefty fine, Garante prohibited the company from further processing data obtained from third parties for commercial purposes if such data were acquired without collecting a GDPR-compliant consent to disclosure. Additionally, the authority has ordered Vodafone to revise its internal telemarketing controls and security measures to eliminate the possibility of unauthorised access to customer databases, and to introduce systems that demonstrate the fulfilment of consent requirements, so as to prove that the numbers used for marketing are registered accordingly before being used for marketing calls.