06/07/2020
Briefing

Across the EU, enforcement has significantly ramped up in recent months. Substantial fines have been imposed relating to a broad spectrum of infringements. In this article we examine some of the emerging trends in General Data Protection Regulation (the “GDPR”) enforcement.

Unlawful Data Retention

In 2019 a German real estate company was fined €14.5 million for a failure to comply with the GDPR’s “privacy by design” requirements. The company’s archiving system did not facilitate removal of data that was no longer required. This resulted in records containing sensitive personal data of tenants being retained without any legal basis. This fine highlights that GDPR compliance must be prioritised by organisations across all sectors and not just those organisations whose operations centre on processing large amounts of personal data.

Lack of Data Security

A key principle of the GDPR is the security of personal data and this is an area that data protection authorities have had a particular focus on. The Information Commissioner’s Office in the UK (the “ICO”) imposed a fine of £275,000 on a pharmacy for failing to implement appropriate data security measures. The pharmacy left approximately 500,000 documents containing special categories of personal data in unlocked containers at the back of its premises. This decision serves as a reminder to ensure that adequate protocols are in place for securing personal data and in particular for having adequate document filing systems.

There have been approximately 200,000 data breaches reported to data protection authorities across the EU since May 2018. In July 2019 the ICO announced its intention to impose substantial fines of £99 million on Marriott International, Inc. and £183 million on British Airways in relation to cyber data breaches. The ICO has recently stated that it will consider the impact of coronavirus on the organisations it deals with in relation to the amount of the fines levelled. Pursuant to the “one-stop-shop” regime under the GDPR, the ICO is liaising with other regulators in relation to these fines. The ICO recently announced that the fines will be finalised later this summer.

In June 2020 a German health insurer was fined €1.24 million for failing to have appropriate technical and organisational measures in place as required under Article 32 GDPR to ensure the security of data processing. The fine was imposed after 500 individuals’ contact details were used for marketing purposes without their consent.

Lack of appropriate legal basis for processing

In January 2019 the French Data Protection Authority, CNIL, fined Google LLC €50 million for lack of transparency, providing inadequate information to data subjects and a lack of valid consent in relation to its personalised ads. Google appealed this decision to France’s highest administrative court, the Council of State, arguing that as its main establishment in the EU is Google Ireland Limited, the DPC is Google LLC’s “lead supervisory authority” under the GDPR’s one stop shop mechanism and therefore CNIL had no jurisdiction to monitor Google LLC’s data processing activities in the EU.

The French Court upheld the regulator’s decision. In relation to jurisdiction the Court found that CNIL could regulate Google LLC as Google LLC had no clearly established EU headquarters when CNIL began its investigations in 2018 and this meant Google LLC could not avail of the one stop shop mechanism. The Court noted that at that time Google LLC had sole decision making power and exercised control over the processing of personal data of EU Android users.

Following this decision, non-EU controllers that wish to avail of the one stop shop mechanism should ensure their internal organisation and data governance allow the designation of a main establishment in the EU.

In determining the fine was proportionate, the Court placed emphasis on ensuring data subjects are provided with adequate information in order to ensure that data processing is sufficiently transparent and that consent is obtained through clear affirmative action, holding that pre-checked boxes did not suffice.

Honouring data subject rights

The Swedish data protection authority fined Google LLC €7 million for failing to adequately comply with its obligations in respect of the right to request delisting. The authority noted that the GDPR strengthened the rights of individuals and that an important element of those rights was the possibility of having data delisted.

The sanction stemmed from an audit conducted by the Swedish supervisory authority to review how Google handled requests by individuals exercising their rights under the GDPR and is an example of a data protection authority taking measures of its own volition to enforce GDPR compliance.

Lack of consent

The Dutch supervisory authority fined an organisation €725,000 in April 2020 for requiring its staff to have their fingerprints scanned to record attendance. The decision stated that the organisation could not rely on exceptions to the processing of this special category of personal data and the company could not evidence that employees had given their consent to this processing.

In another Dutch case the supervisory authority imposed a fine of €525,000 on the Royal Dutch Tennis Association for selling the personal data of more than 350,000 of its members without their consent to sponsors who then contacted some of the members by mail and telephone for direct marketing purposes.

The data protection authority in Italy also imposed a significant fine of €11.5 million in January 2020 against Eni Gas e Luce, an energy company, for processing personal data without consent in the context of promotional activities. In a similar case a German health insurer was fined €1.24 million in June 2020.

Organisations should critically assess any processing of personal data based on consent to validate how consent is obtained and to confirm that it is obtained properly.

Data Protection Officers

Article 38(6) requires that a data protection officer (“DPO”) does not have a conflict of interests. A recent decision of the Belgian data protection authority, the APD, emphasises this requirement and that the DPO should be able to perform his or her role independently.

The DPO held multiple positions within Proximus, Belgium’s largest telecommunications operator. The APD found that the company did not have a system preventing a conflict of interest between the DPO’s data protection role and its various other roles, including as director of audit and compliance. The APD concluded that as a result the DPO was not able to work independently. A fine of €50,000 was imposed.

In another case involving a telecommunications operator, the German organisation Rapidata GmbH was fined €10,000 for failing to appoint a DPO as required under Article 37 GDPR.

Irish developments

As of the end of 2019 the Irish Data Protection Commission (“IDPC”) was engaged in as many as 70 ongoing statutory inquiries. The outcome of these will shape the GDPR enforcement regime in Ireland.

The IDPC has also initiated its own statutory investigations. The IDPC’s Annual Report 2019 states the issues being examined by such inquiries concern governance and oversight, surveillance, organisational and technical measures and examining the position of the DPO.

In May of this year the IDPC imposed a fine of €75,000 under the GDPR on TUSLA – the Child and Family Agency for multiple data breaches involving sensitive personal data of children. The Irish regulator’s decision is noteworthy as it is the first fine the IDPC has imposed under the GDPR.

Conclusion

The best strategy for organisations to adopt against the risk of fines is compliance. Organisations should prioritise periodic reviews of their data processing activities and should ensure that data protection is an essential part of their operations, rather than a secondary consideration.

Documenting and demonstrating compliance with the GDPR is also essential. Effective implementation of adequate protocols and evidence of such will put organisations in a strong position to defend against the increasingly robust approach of data protection authorities to GDPR enforcement.

 

The authors wish to thank Sonam Gaitonde for her contribution to this briefing.