GDPR – the year in review

Regulatory Guidance

• Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (25.05.2018) – The first set of EDPB Guidelines ever published focused on the derogations from the restrictions affecting international data transfers. The EDPB confirmed that the derogations must be interpreted restrictively and only relied on as a last resort, when the provision of adequate protection or appropriate safeguards for the personal data transferred is not possible.
• Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (25.11.2018) – The EDPB confirmed the existing approach to the ‘establishment criterion’ for the application of the GDPR and introduced a ‘targeting criterion’, where the processing is related to the offering of goods or services to individuals in the EU or the monitoring of their behaviour. The EDPB took a pragmatic approach by applying the GDPR where the conduct of the controller or processor demonstrates an intention to offer goods and services to individuals in the EU or where a controller has a purpose in mind for the collection and reuse of the relevant data about an individual’s behaviour within the EU. More details in this blog post.
• Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation (23.1.2019) – The EDPB took the view that consent provided in accordance with GDPR standards may not be relied on as a basis for the collection and processing of patients’ personal data in many clinical trial scenarios, on the basis of a clear imbalance of powers between the patient and the investigator which implies that consent is not “freely given”. More details in this blog post and this blog post.
• Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (12.2.2019) –The EDPB adopted a very narrow interpretation of contractual necessity, which is to be assessed objectively, going so far as to say that if there are realistic and less intrusive alternatives to the type of processing envisaged, it is not “necessary”. More details in this blog post.
• The Dutch DPA issued guidance (7.3.2019) stating that cookie walls are not compliant with the GDPR as the consent required to access content protected by a cookie wall. The reason for this is that withholding consent has negative consequences for the user in that they cannot access the website. More details in this blog post.
• Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, particularly regarding the competence, tasks, and powers of data protection authorities (12.3.2019) – The EDPB confirmed that where the ePD provides for a more specific rule than the GDPR, the specific rule will prevail. For example, where cookies are used to collect information which constitutes personal data, while Article 6 GDPR provides several different lawful grounds for processing, Article 5(3) ePD requires consent to be obtained from individuals before cookies are placed on their devices. In this situation, the ePD rule applies and data controllers cannot avail themselves of a legal basis for processing other than consent. The same rule applies to the enforcement of each piece of legislation.  More details in this blog post.
• The ICO’s main guidance on GDPR is found in its Guide to the GDPR.

Enforcement Actions

• The ICO issued an Enforcement Notice against AggregateIQ (24.10.2018) – AggregateIQ was an organisation which used personal data to target individuals with political advertising messages on social media, pursuant to contracts with various political organisations. This personal data was still being held by late May 2018 and had been subject to unauthorised use by a third party. The Information Commissioner concluded that AggregateIQ had failed to comply with Articles 5(1)(a)-(c) and Article 6 of the GDPR and issued an Enforcement Notice requiring them to erase any personal data of individuals in the UK retained by them.
• The CNIL fined Google €50,000,000 (21.1.2019) – The CNIL received two complaints concerning Google’s processing of personal data. Having concluded that Google had no lead supervisory authority within the European Union, the CNIL carried out an investigation into a particular scenario (creating a Google account on the first use of an Android device). The CNIL decided that the “general information architecture” chosen by the company did not fulfil Google’s transparency and information obligations, as there was a lack of clarity and intelligibility. Google also relied on consent as its legal basis for processing personal data for targeted advertising purposes, and the CNIL found that this consent had not been validly obtained.
• The Austrian Data Protection Authority decided that the Austrian Post had violated the GDPR by processing special categories of personal data (12.2.2019) – The Austrian Post did this by attributing preferences for certain political parties to data subjects using statistical calculation methods in the absence of explicit consent or any other legal basis. The DPA announced an immediate ban on this kind of processing and ordered the erasure of the data and the carrying out of a new DPIA.
• The Polish Personal Data Protection Office fined a data company PLN 943,000 (approximately €220,000) (26.3.2019) – The company had failed to meet its information obligations under Article 14 of the GDPR in relation to over 6 million people, and many individuals were having their data processed without being aware of it. The data had been obtained from publicly available sources and was being processed for commercial purposes. It justified its non-compliance on the basis of high operational costs, but this was not accepted. More details in this blog post.
• Italy’s Garante issued its first fine (4.4.2019) for the lack of implementation of privacy security measures following a data breach on the Rousseau internet platform. The Garante noted a number of security issues, the most pressing of which was the storage of log files regarding the activities performed by the IT support personnel of the platform. The Garante issued a €50,000 fine, not against the data controller (the 5 Star Movement) but against the processor, the internet platform.
• The ICO issued a preliminary Enforcement Notice against HMRC (4.4.2019) – The ICO had been investigating HMRC’s Voice ID following a complaint from Big Brother Watch, and found that HMRC had failed to give customers sufficient information about how their biometric data would be processed or to give them the chance to give or withhold consent. This was a breach of the GDPR, and the enforcement notice compelled the government department to delete all biometric data held under the Voice ID system for which it does not have explicit consent within 28 days from the final notice.
• The Swedish Data Protection Ombudsman ordered a financial credit company to correct its data processing practices (24.4.2019) – The Ombudsman pointed out that the company’s online credit decision service should be considered automatic decision-making as regulated under Article 22 of the GDPR and ordered the company to provide the individual who had complained with information on the logic employed in automatic decision-making, its role in making the credit decision and the consequences for the credit applicant.

Court Proceedings

• The Stuttgart Landesarbeitsgericht decided that an employer which had received a data subject access request from an employee whose contract they were terminating had to provide the employee with records containing performance and behavioural data and information about internal investigations (20.12.2018) – The employer had argued that they were withholding this data on the grounds of whistleblower confidentiality, attempting to rely on the exemption pursuant to Article 15(4) of the GDPR. The court held that such exemptions should be considered on a case-by-case basis and there was no general rule that protection of whistleblower confidentiality overrides the employee’s access right.
• The Higher Regional Court of Berlin confirmed a judgment that found seven clauses in Apple’s old privacy policy unenforceable and in breach of GDPR (3.2019) – The court held that the privacy policy was a contractual document since users were prompted to “accept” it. In this case the way the privacy policy was implemented in the purchase flow did not constitute valid consent and two other clauses were incompatible with fundamental principles of the GDPR.
• The Court of Justice of the European Union (CJEU) AG’s Opinion in Planet49 (C-673/17) concerns the interplay between GDPR and the ePrivacy Directive in the context of online advertising involving cookies (21.3.2019) – Planet49 had organised a lottery and prospective participants had to submit their names and addresses before being presented with two checkboxes. The AG was of the Opinion that consent was neither “active” nor “separate” when prospective lottery participants gave consent to the use of cookies for advertising purposes. More details in this blog post.

Reports and Other Materials

• European Commission Report on the second annual review of the EU-US Privacy Shield (19.12.2018) – The second annual review covered both the commercial and governmental aspects of the administration, oversight and enforcement of the framework, and recent developments in US law. The Commission concluded that the US continues to provide an adequate level of protection for personal data transferred under the Privacy Shield from the EU to US organisations. Steps taken to implement the Commission’s recommendations following the first annual review had improved several aspects of the practical functioning of the framework. However, the report also set out a number of further steps to be taken to ensure that an adequate level of protection continues to be provided, most notably the appointment of a permanent Privacy Shield Ombudsperson before 28 February 2019.
• EU-Japan Adequacy Decision (23.1.2019) – This created the largest area of safe data transfers and marked the end of a negotiation process which began in January 2017. It set an important precedent as the first adequacy decision adopted with the GDPR in force. To secure the decision, Japan had to adopt a set of rules supplementary to its own data protection law, providing safeguards for personal data of EU citizens transferred to Japan. More details in this blog post.
• The Irish DPC Annual Report covering 25 May-31 December 2018 (3.2019) noted the rise in the number of complaints and queries to data protection authorities across the EU since 25 May 2018. It listed the statutory enquiries which are underway, which concern Facebook, Twitter, WhatsApp, Instagram and Apple. These are expected to conclude during the summer of 2019.
• The Dutch DPA issued GDPR Fine Structure guidelines (14.3.2019) –The guidelines divide breaches of GDPR into four categories, from simple ones such as insufficient records up to major incidents such as unlawful profiling or processing of special categories of data. Surprisingly, the top of the range for the most serious breaches is €1m, just 5% of the maximum fine allowed under GDPR itself.
  More details in this blog post.
• The CNIL 2018 Annual Report (15.4.2019) showed a record number of complaints, up 33% since 2017. A survey conducted on the CNIL’s behalf showed that 70% of French citizens consider themselves more aware of data protection issues in 2018 than in 2017. It reported that it had carried out 310 investigations in 2018 and issued 49 notices, with a particular focus on the insurance and targeted advertising sectors. As a result of these, it levied 11 sanctions.