After what appears to be a period of relative leniency in 2018/19, enforcement actions for violations of the EU General Data Protection Regulation (“GDPR”) have since intensified. In 2020, according to publicly available information, supervisory authorities across the EU and the UK Information Commissioner’s Office (“ICO”) issued over EUR 170 million worth of fines combined[1], with six of the top ten individual fines imposed to date being issued in 2020[2].
While supervisory authorities continue to find their footing and test the boundaries of their powers under the GDPR, certain enforcement trends have emerged. This serves as a warning to data controllers as to the likely pitfalls, the GDPR obligations (and violations) that attract the most regulatory scrutiny, and the high level of fines that could be imposed. It is clear that personal data breaches are not the only incidents that give rise to material liability under the GDPR.
- Data processing must be made pursuant to a legal basis
Under the GDPR, in order for the processing of personal data to be lawful, it must meet the requirements of one of the six legal bases set out in Article 6(1). Regulators have taken a tough stance against data controllers who are unable to demonstrate a lawful basis to process personal data, including, where consent is relied upon as the legal basis, being unable to evidence that consent was validly obtained pursuant to the standard for consent prescribed by the GDPR.
- As part of its EUR 50 million fine against Google (the highest GDPR fine to date), the French regulator, CNIL, found that Google did not have any legal basis for processing its users’ data in order to provide personalised adverts. Although Google had provided a consent capture mechanism to users, the consent was not found by the CNIL to be ‘specific’, ‘informed’ or ‘unambiguous’ (due to the consent purporting to cover various processing purposes, a lack of information about the nature of the services being provided to the user, and reliance on pre-ticked boxes in connection with the acceptance of ads personalisation). Accordingly, valid consent was not obtained and Google was unable to demonstrate an alternative legal basis for the processing.
- The second highest fine to date, at EUR 35 million, was imposed on H&M by the regional data protection authority in Hamburg in October 2020, for unlawfully collecting employees’ sensitive personal information without establishing a legal basis (information was often gathered through informal conversations, recorded without notice and made accessible to management to inform employment decisions).
- In January 2020, the Italian data protection authority imposed a EUR 27.8 million fine on Telecom Italia for unlawful data processing in connection with its marketing strategy (which involved making unsolicited marketing calls to millions of data subjects). The data protection authority did not find that valid consent had been obtained, for various reasons, including: (i) consent to marketing communications was a condition for customers to receive discounts and participate in sweepstakes; and (ii) similar to the CNIL’s findings against Google, consent to various processing purposes was bundled together.
Data controllers should be mindful to establish and document a clear and defensible legal basis for processing activities. It will be important to be able to demonstrate that at least one legal basis is applicable and that any consents have been obtained through an unambiguous action on the part of the data subject, for clearly identified and specific purposes. It is crucial in this respect that data controllers exercise robust data protection governance, maintain accurate records of processing, and publish comprehensive privacy information to data subjects that clearly sets out the lawful basis for each processing activity. The GDPR sets a high standard for consent. Requesting consent to a general, open-ended set of processing activities must be avoided, as well as using pre-ticked boxes or other passive consent collection mechanisms.
- Sufficient technical and organisational measures must be in place to ensure information security
Security of personal data continues to be an area of regulatory focus and enforcement. In October 2020, the UK ICO issued fines against British Airways and Marriott International Inc. of GBP 20 million and GBP 18.4 million, respectively, in connection with personal data breaches suffered by the companies following cyber-security incidents. These are the largest fines to be imposed by the ICO to date.
According to the principle of ‘integrity and confidentiality’ (Article 5(1)(f) of the GDPR) and Article 32 of the GDPR, data controllers and processors must ensure the security of personal data, including by implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in the processing. These standards have been closely scrutinised by data protection supervisory authorities, including in connection with the cases mentioned above.

In the Marriott case, the breach affected a Marriott subsidiary, the Starwood hotels group. Although Marriott acquired Starwood in 2016, the breach (which can be traced back as early as 2014) went undetected until 2018. While the ICO did not scrutinise Marriott’s due diligence practices at the time of acquisition (which pre-dated the GDPR), it did note that the acquisition of a company is not the only trigger for a due diligence process, that Marriott had an “ongoing duty to ensure that the systems it had acquired from Starwood were GDPR compliant”, and that “even if adequate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott’s obligation to ensure, on a continuing basis, that it complied with the GDPR”.

In the British Airways case, the ICO made clear that its fine was being imposed for GDPR violations irrespective of the lack of financial harm or damage to individuals. In determining the severity of the violation of data security standards, the ICO considered certain hypothetical scenarios, including one in which British Airways had not been alerted to the breach, and one in which the attacker “used the access for other purposes (such as targeting high-profile individuals, disrupting customer bookings, or perpetrating other forms of fraud)”, in concluding that British Airways’ “failures are especially serious” as the “number of affected data subjects and any financial harm to them could have been even more significant”.
Importantly, in the Marriott case, despite Marriott having engaged an experienced third party to implement, maintain or manage certain security elements of its system, the ICO explicitly noted that engagement of a third party did not reduce Marriott’s responsibility for the breaches.
It is clear that the ICO expects data controllers and processors to undergo “rigorous testing” (e.g. vulnerability scanning, security testing, and internal credential-based penetration testing) in order to identify any issues pre-emptively. It is evident that the ICO will be more critical of breaches which could have been identified and appropriately addressed in advance, especially where the remedial measures “could have been made relatively quickly and easily” (as was the case in Marriott) and “would not have entailed excessive cost” (as was the case in both British Airways and Marriott). For accountability, data controllers and processors should keep a clear and comprehensive record of such testing, the vulnerabilities identified, and the steps taken to address them.
And it is not just the ICO that has flexed its muscles against data breaches. Many EU supervisory authorities have taken enforcement action in this area. Notable cases include the fines issued by the CNIL in connection with a ‘credential stuffing’ attack (whereby the attacker acquires login credentials leaked from one service and, using ‘bots’, tries the stolen credentials on other sites, on the assumption that many users reuse the same details across multiple services). The CNIL issued two separate fines: EUR 150,000 against the data controller and EUR 75,000 against the data controller’s service provider (the data processor). The CNIL emphasised that the data controller is responsible for determining the security measures that should be implemented (and must give documented instructions to its service provider in this respect). However, the data processor also has its own responsibility to put in place the most appropriate technical and organisational solutions to ensure the security of personal data.
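The credential stuffing pattern described above leaves a characteristic trace in a controller’s own authentication logs: a single client attempting many different accounts in a short window, with most attempts failing. The following Python script is an added example written for this note; it is not part of the article or of any CNIL decision. It applies that heuristic to a few constructed log lines (the log format, IP addresses, usernames and thresholds are all assumptions) and reports, per source address, the accounts whose logins succeeded inside the burst, which are the ones a controller would need to lock and reset.

```python
"""Heuristic detection of credential stuffing in authentication logs.

Added example, not from the original article. Ordinary brute force hammers
one account; an ordinary user fails a handful of times on their own account.
Credential stuffing looks different: one client, many *distinct* usernames,
a high failure ratio, all inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
# <ISO timestamp> <client_ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2020-06-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2020-06-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2020-06-01T10:00:02 203.0.113.7 carol LOGIN_FAIL
2020-06-01T10:00:03 203.0.113.7 dave LOGIN_OK
2020-06-01T10:00:04 203.0.113.7 erin LOGIN_FAIL
2020-06-01T10:00:05 203.0.113.7 frank LOGIN_FAIL
2020-06-01T10:00:06 203.0.113.7 grace LOGIN_FAIL
2020-06-01T10:00:07 203.0.113.7 heidi LOGIN_FAIL
2020-06-01T10:00:08 203.0.113.7 ivan LOGIN_FAIL
2020-06-01T10:00:09 203.0.113.7 judy LOGIN_FAIL
2020-06-01T10:05:00 198.51.100.9 mallory LOGIN_FAIL
2020-06-01T10:05:10 198.51.100.9 mallory LOGIN_FAIL
2020-06-01T10:05:20 198.51.100.9 mallory LOGIN_OK
2020-06-01T11:00:00 192.0.2.5 alice LOGIN_OK
"""

# Assumed thresholds; tune to the service's real traffic before relying on them.
WINDOW = timedelta(minutes=5)       # sliding window per source address
MIN_DISTINCT_ACCOUNTS = 8           # distinct usernames tried inside the window
MIN_FAILURE_RATIO = 0.8             # share of attempts that failed


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=WINDOW,
                               min_accounts=MIN_DISTINCT_ACCOUNTS,
                               min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {ip: finding} for every source address whose sliding window
    contains at least `min_accounts` distinct usernames with a failure ratio
    of at least `min_fail_ratio`. The finding keeps the widest matching
    window and lists the accounts that were successfully logged into during
    the burst (the ones to lock and reset)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if not e[3])
            if len(users) < min_accounts or failures / len(win) < min_fail_ratio:
                continue
            finding = {
                "attempts": len(win),
                "distinct_accounts": len(users),
                "failure_ratio": round(failures / len(win), 2),
                "window_start": win[0][0].isoformat(),
                "window_end": win[-1][0].isoformat(),
                "compromised_accounts": sorted({e[2] for e in win if e[3]}),
            }
            if ip not in findings or finding["attempts"] > findings[ip]["attempts"]:
                findings[ip] = finding
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts on {f['distinct_accounts']} accounts, "
              f"failure ratio {f['failure_ratio']}, "
              f"successful logins to lock: {f['compromised_accounts']}")
```

On the constructed sample, only 203.0.113.7 is flagged (ten accounts in eight seconds, nine failures); the repeated failures by `mallory` from 198.51.100.9 are not, because a single account is involved. Alerting on this pattern, together with rate limiting per source and a forced reset of the accounts logged into during the burst, is the kind of inexpensive, documented control that both the CNIL and the ICO expect a controller to be able to point to.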
Additionally, in June 2020, the Polish supervisory authority published an enforcement decision against a university for failing to comply with the data breach notification requirements under Articles 33 and 34 of the GDPR.
- Sufficient information must be provided to data subjects regarding data processing activities
One of the challenges presented by the principle of transparency (Article 5(1)(a) of the GDPR) is finding the correct balance between providing data subjects with sufficiently granular, accurate and complete information regarding the processing of their personal data, and providing information that is accessible, user friendly and not overly complex. We have seen a great deal of enforcement in this area, with supervisory authorities finding issues at both ends of the spectrum.
- Another aspect of the CNIL’s EUR 50 million fine against Google was a finding that Google had failed to provide clear and adequate information to Android users about its data processing practices. In order to access all the relevant information regarding the collection and processing of personal data, data subjects had to complete multiple actions or work through several hyperlinks. The CNIL found that the information was too widely disseminated across various documents and was not sufficiently clear or comprehensive.
- The Irish Data Protection Commission (“Irish DPC”) is currently investigating WhatsApp for failing to properly inform its EU users about how their data may be shared with Facebook. It is reported that the fine could be somewhere between EUR 30 million and EUR 50 million.
- Following a two-year investigation into the data broking business, the ICO brought an enforcement action against Experian Limited in October 2020. Among other GDPR violations identified, the ICO found that Experian was responsible for so-called ‘invisible’ processing (i.e., processing without the awareness of the data subjects concerned). The ICO did not impose a fine on Experian but has required it to undertake significant compliance efforts to rectify the violations identified. This includes detailed transparency requirements and an obligation to contact each data subject individually (by mail or other ‘acceptable means of communications’) to provide them with the updated privacy notice, compliant with Article 14 of the GDPR.
To ensure compliance, local transparency guidance should be consulted where available. The European Data Protection Board (“EDPB”) recommends providing the requisite information in a multi-layered manner, especially if the information is lengthy[3]. Important information should be provided at the first level (e.g. by way of summary), with a ‘drop-down’ mechanism available to provide additional information. This approach may be considered more accessible than hyperlinks to other pages and allows the data subject to easily view the contents of the privacy notice and navigate to the appropriate part. The privacy policy must not be difficult to access; the EDPB recommends that the data subject should only ever be one click away from accessing mandatory information when such information is delivered online.
- Resistance to the ‘one-stop-shop’ mechanism
The GDPR introduced a ‘one-stop-shop’ mechanism whereby a GDPR violation affecting multiple member states could be investigated by the data controller’s or processor’s ‘lead supervisory authority’. Despite the availability of this mechanism, there is a growing trend among EU supervisory authorities to investigate violations locally. Most notably, France and Belgium have recently issued fines against Google despite Google’s main establishment in the EU, Google Ireland Ltd, being located in Ireland and the Irish DPC being the lead supervisory authority with jurisdiction to investigate and enforce against Google under the one-stop-shop mechanism.
- In July 2020, the Belgian Data Protection Authority (“Belgian DPA”) fined Google EUR 600,000 for violation of a Belgian resident’s right to be forgotten (Article 17 of the GDPR). The Belgian DPA declared itself competent on the basis of Article 55(1) of the GDPR (which allows a supervisory authority to exercise its powers on the territory of its own member state), arguing that there was no cross-border processing. Although Google originally disputed this, it later confirmed that the processing activity in question, search engine indexing, was carried out by Google LLC (in the USA) rather than by Google Ireland Ltd.
- In December 2020, the CNIL announced the imposition of fines of EUR 100 million and EUR 35 million on Google and Amazon, respectively, for breaches of the French Data Protection Act. The fines resulted from two separate investigations carried out by the CNIL in relation to the companies’ use of cookies (without user consent or the provision of appropriate information) on the French websites of Google and Amazon. Whilst both companies challenged the jurisdiction of the CNIL, arguing that the one-stop-shop mechanism should apply, the CNIL made clear that the sanctions were made under the French Data Protection Act (implementing the ePrivacy Directive), not the GDPR, and as such the one-stop-shop mechanism did not apply.
To date, the Irish DPC has issued only a handful of fines under the GDPR (the highest being a EUR 450,000 fine against Twitter in connection with a personal data breach) despite many global technology companies having their headquarters in the jurisdiction. Some have cited inaction on the part of the Irish DPC as leniency towards big tech. However, the above enforcement actions, which sidestep the one-stop-shop mechanism, demonstrate that companies cannot avoid GDPR enforcement.
As regulators test the boundaries of their powers and seek to give teeth to the GDPR, headline-grabbing fines may continue to be issued. But large administrative fines should not be the sole focus of concern when it comes to GDPR compliance. The appetite for data subject compensation is increasing and is being facilitated by incoming collective redress regimes across Europe (in 2020, the European Parliament endorsed a new directive on collective representative actions for consumer interests which will allow qualified entities, i.e. consumer rights organisations or public bodies, to bring representative actions for redress where EU law (including the GDPR) has been infringed). In the UK, all eyes are on the Supreme Court in 2021, as it hears the final appeal in the Lloyd v Google case. The UK government has decided not to introduce a new legislative regime for collective redress pending the outcome of Lloyd v Google (a representative action brought under Civil Procedure Rule 19.6), on the basis that if Mr. Lloyd is successful, the existing mechanism under the Civil Procedure Rules will provide an effective mechanism of redress for data subjects under the UK GDPR. If the representative action in Lloyd v Google is successful, this will open the door to representative actions in the UK for damages associated with the “loss of control” of personal data. With high-profile claims developing against British Airways, Marriott, Facebook and YouTube, this might create the perfect storm for “big ticket” GDPR violation litigation in the UK. The costs of GDPR non-compliance would appear to be on the rise.
[1] As not all GDPR fines are publicly reported, and due to currency conversions, this is only an approximate figure, based on data available on enforcementtracker.com.
[2] See, enforcementtracker.com.
[3] See EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (adopted on 13 November 2019).