GDPR ENFORCEMENT A CHANGED LANDSCAPE - Skadden, Arps ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
GDPR ENFORCEMENT
A CHANGED LANDSCAPE
Bruce Macaulay, Eve-Christie Vermynck, Oscar Tang, Daniel Millard, Aymeric
Boëlle and Angus Goalen of Skadden, Arps, Slate, Meagher & Flom review
the latest trends in enforcement of the General Data Protection Regulation
(2016/679/EU).
Central to the expansive rights and obligations This article looks at the latest trends in GDPR their pages. In 1994, Lou Montulli helped
provided for under the EU General Data enforcement, in particular: the internet to remember this information
Protection Regulation (2016/679/EU) (EU by placing small text files on the devices of
GDPR) and the UK GDPR, the version retained • The increasing attention being paid website users, allowing websites to track
in UK law through operation of the European to cookies and the accompanying users’ browsing history and the amount of
Union (Withdrawal) Act 2018 (collectively, enforcement of cookies-related violations. time spent on a certain webpage, and save
the GDPR), are the corresponding powers website preferences, such as currency and
of enforcement that are granted to data • An assessment of the “one-stop shop” location. Mr Montulli had invented the cookie.
protection authorities (DPAs). mechanism through which the GDPR is
enforced and the emerging strain that The use of cookies has shaped the way
Almost three years on from the GDPR coming increased enforcement of the GDPR is that the internet works, allowing website
into force, enforcement is starting to pick up placing on this mechanism. operators to perform analytics to measure
pace and the teeth of the GDPR are beginning the success of website content, and, perhaps
to show. From multi-million pound fines • The broader steps being taken by DPAs most significantly, to personalise content
imposed on British Airways and Marriott that are emblematic of the growing depending on users’ browsing history. This
Hotels by the UK Information Commissioner’s trend towards enforcement. has spawned industries from data analytics
Office (ICO), to the 128 fines issued by the to adtech, with global adtech revenue
Spanish DPA in 2020, there has been a clear COOKIES ENFORCEMENT totalling around $325 billion in 2019. These
amplification in the activity of the European developments have been made possible
and UK DPAs (see Exclusively online article In the early days of the internet, every visit to a through the widespread use of cookies. If
“ICO fine for BA: iron enforcement with a velvet website was like the first visit. Websites had no personal data are the modern-day oil, cookies
glove”, www.practicallaw.com/w-027-9929). way of remembering who had already visited are the oil rigs.
© 2021 Thomson Reuters (Professional) UK Limited. This article first appeared in the May 2021 issue of PLC Magazine,
published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers. 1Regulation of cookies
As the use of cookies has proliferated, so too CNIL enforcement actions
has the body of law and regulatory guidance
regulating their use. Two legal regimes are The French data protection authority, Commission nationale de l’informatique et des
of principle importance to cookies regulation libertés (CNIL), has taken a number of recent enforcement actions for the breach of
within the EEA and the UK: the GDPR and regulations relating to cookies.
the Privacy and Electronic Communications
Directive (2002/58/EC) (e-Privacy Directive). Lack of information
The provisions of the e-Privacy Directive, as On 7 December 2020, the CNIL fined Amazon and Google for placing advertising
implemented in the domestic law of each cookies on users’ devices without providing adequate information as required by
EU member state, take precedence over Article 82 of the French Data Protection Act. In relation to Amazon, the CNIL found
the more general terms of the GDPR, on that the cookie banner on the French website (www.amazon.fr) did not clearly explain
the basis of the doctrine that, if two laws that cookies placed on users’ computers were mainly used to display personalised
apply, the law governing a specific issue advertisements. The CNIL also noted a lack of information for users who visited the
applies as against the law governing the French Amazon website after they had clicked on an advertisement published on
issue more generally. another website. The same cookies were placed but no information was provided to
the users. As regards Google, the CNIL found that the cookie banner on the French
Central to the e-Privacy Directive regime website (www.google.fr) did not provide users with any information regarding the
is the principle that a user’s consent must cookies that had already been placed on their computers when arriving or landing on
be sought and obtained before first-party the website.
and third-party non-essential cookies are
placed on the user’s devices. The request Lack of consent
for consent must be accompanied by clear The CNIL observed that when a user visited the French Amazon website, cookies
information, in intelligible language, about were automatically placed on the user’s device. Several of these cookies were used
the purpose for which any cookies are used for advertising purposes. These cookies are non-essential and can be placed only
and for how long these cookies are going after the user has given consent. The same rationale applied to the French Google
to be in place. website. In addition, when a Google user deactivated advertisement personalisation,
one of the advertising cookies was still stored on their device.
As the e-Privacy Directive is silent on the
concept of consent, it is judged against the Separately, the CNIL’s sanctions committee imposed a financial penalty against
GDPR standard. As such, wherever non- the French retailer Carrefour France and Carrefour Banque for, among other
essential cookies are placed on a user’s breaches, lack of consent, because when a user connected to the www.carrefour.fr or
device, the user’s consent must be specific, www.carrefour-banque.fr websites, several cookies were automatically placed on
informed, unambiguous and given freely. their terminal, before the user took any action. Considering that some of these cookies
Once valid consent has been given, it must were used for advertising purposes, consent should have been sought before storing
be as easy to withdraw as it was to give. the cookies on the device.
DPAs and regulating cookies
To assist organisations with their navigation of publie-des-lignes-directrices-modificatives- The ICO guidance and the CNIL guidance,
the e-Privacy Directive and the GDPR, various et-sa-recommandation). The CNIL’s guidance along with guidance from other DPAs that
DPAs have issued regulatory guidance. For will be enforceable from April 2021. After broadly align with the position of the ICO
example, in July 2019, the ICO issued guidance the grace period, organisations can expect and the CNIL, add to the increasing body
clarifying the inter-relationship between the increased scrutiny from the CNIL over areas of law and regulatory guidance to which
GDPR and the UK’s Privacy and Electronic modified by its revised guidance, namely: organisations must pay heed when assessing
Communications (EC Directive) Regulations the legality of their own use of cookies.
2003 (SI 2003/2426) (see News brief “ICO’s • The provision of two clear buttons of
cookie recipe: consent is the missing ingredient”, equal prominence labelled “accept all” DPA actions
www.practicallaw.com/w-021-3574). The ICO and “refuse all”. Since 2019, the CNIL has made targeted
strongly encouraged website owners to carry advertising, including cookies, an
out cookie audits to assess the compliance • That organisations should retain the fact enforcement priority, positioning itself as
of their cookie practice with applicable law that a particular user has opted out for a leader in the cookie enforcement sphere.
and regulatory guidance. a certain period of time, with six months Cookies raise clear data protection issues
suggested as best practice. because of their potentially intrusive nature
More recently in October 2020, the French and ubiquity, and the CNIL has observed
data protection authority, Commission • Where a cookie allows the user to be strong public awareness of online tracking,
nationale de l’informatique et des libertés tracked on other websites, the CNIL especially since the implementation of the
(CNIL), also issued revised regulatory recommends that consent is obtained GDPR.
guidance on cookies including practical on each of the relevant websites to
steps and guidance for organisations (www. ensure that the user is fully aware of the The CNIL has also received a high volume
cnil.fr/fr/cookies-et-autres-traceurs-la-cnil- consequences of providing consent. of complaints focusing on targeted
© 2021 Thomson Reuters (Professional) UK Limited. This article first appeared in the May 2021 issue of PLC Magazine,
2 published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.advertising. With that in mind, the CNIL has
recently reiterated in its 2021 enforcement Data class actions and cookies
priorities that it is actively focusing on cookie
enforcement (www.cnil.fr/fr/cybersecurite- Organisations should be aware of another upcoming threat: data-led class action
donnees-de-sante-cookies-les-thematiques- law suits (see feature article “Data class actions: the outlook after Morrison”, www.
prioritaires-de-controle-en-2021). The CNIL practicallaw.com/w-026-2617). The possibility of class action style claims arising out
reiterated its position in a set of frequently of violations of the EU General Data Protection Regulation (2016/679/EU) (GDPR)
asked questions issued on 18 March 2021, in has been a hot topic for some time and given the widespread use of cookies, cookies-
which the CNIL also confirmed that cookie related violations present a growth area for litigants. This is evident in recent parallel
audits will begin in April 2021 (https://cnil. suits brought against software companies Oracle and Salesforce in the Netherlands,
fr/fr/questions-reponses-lignes-directrices- as a class action, and in the UK, as a representative action.
modificatives-et-recommandation-cookies-
traceurs). The technology giants have been accused of breaching the GDPR through their
use of cookies to offer real-time bidding of advertising space to advertisers. The
The CNIL has taken various enforcement claimants assert that dynamic advertisement pricing services, by their very nature,
actions targeting the use of cookies, including fall short of the requirement of informed consent. With the outcome of the Dutch
in late 2020 when it issued several high- proceedings a long way off and the UK proceedings on pause until the Supreme
profile fines for cookie non-compliance (see Court’s decision in the appeal of Lloyd v Google LLC later in 2021, it may take some
box “CNIL cookie enforcement actions”). The time before the scope of class action style claims for cookies-related violations is
CNIL’s enforcement actions consider three gauged ([2019] EWCA Civ 1599; see News brief “Data protection claims: a green light
main criteria: for representative actions”, www.practicallaw.com/w-022-5323).
• The scope of the alleged breach; for
example, the use of cookies, the user’s the outset the consequences of giving their of the business across the EU, whether as
information and consent. consent. controller or processor, with the DPA in the
country of the business’s main establishment.
• The scale of the impact; for example, It is also vital that organisations consider The term “main establishment” typically
the reach of the websites and the large- class action-style litigation claims in tandem denotes an organisation’s central
scale impact on French users. with the increased appetite of DPAs to issue administration, meaning that the DPA in
further cookie-related enforcement actions that jurisdiction will serve as the lead DPA
• The financial benefits of the alleged (see box “Data class actions and cookies”). for any interaction with other DPAs, the
breach; for example, when the company This two-pronged risk defines the context in European Data Protection Board (EDPB),
derives profits as a result of the alleged which organisations should approach their which is the body responsible for advising
breach. cookies compliance. the European Commission on data protection
issues and issuing binding guidelines on the
Court rulings on cookies GDPR ENFORCEMENT MECHANISM interpretation of the GDPR, and affected
In conjunction with applicable law, regulatory individuals. This lead DPA is entrusted with
guidance and enforcement action by DPAs, The enforcement mechanism under the GDPR primary responsibility for regulatory oversight
attention must also be paid to decisions of aims to be both practical and collaborative, and enforcement action.
national courts and the European Court of prioritising the voice of one lead DPA while
Justice (ECJ), which continue to shape the ensuring that each affected DPA has a Consistency and co-operation
law regulating cookies. A key decision in this means to contribute to the interpretation The one-stop shop principle and the lead DPA
regard is Planet49 GmbH v Bundesverband and enforcement of the GDPR. are supported by the following provisions of
der Verbraucherzentralen und Verbraucher the GDPR:
verbänder - Verbraucherzentrale Bundesver The one-stop shop
band eV, where the ECJ confirmed that Member states have their own data protection • Article 60 on co-operation between
consent obtained through pre-ticked cookies laws and regulations, and each member DPAs (Article 60).
consent boxes is not valid consent under state has its own DPA. Businesses with
the GDPR (C-673/17; www.practicallaw. operations in multiple EU countries are • Article 61 in relation to mutual assistance
com/w-022-5053). subject to the national laws and regulations between DPAs (Article 61).
of each member state. However, the reality
For the purposes of the GDPR, only active is that dealing with each DPA in the country • Article 62 on joint operations between
behaviour with a view to giving consent will in which a business may have operations is and among DPAs (Article 62).
suffice. In Planet49, the ECJ also clarified that burdensome and impractical.
users must be informed about the duration for For example, the lead DPA may request
which a cookie will be stored on their device The “one-stop shop” principle, set out in assistance from any concerned DPAs under
and which third parties may have access Article 56 of the GDPR, aims to address this Article 61, and DPAs in member states where
to those cookies. These requirements go problem and the realities of cross-border a significant number of data subjects are
to one of the GDPR’s core principles: that business by placing responsibility for likely to be affected have a right to participate
an individual must be able to determine at enforcement action arising out of activities in joint investigations and enforcement
© 2021 Thomson Reuters (Professional) UK Limited. This article first appeared in the May 2021 issue of PLC Magazine,
3
published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.Twitter Ireland and the EDPB
In January 2019, Twitter Ireland disclosed calculation of the fine met the threshold procedures for documenting personal data
to the Irish regulatory authority, the Data put forward by Article 4(24) of the GDPR breaches should have been implemented.
Protection Commission (DPC), a bug that in so far as they related to the compliance
resulted in the private tweets of 88,726 users with the GDPR of the envisaged action in Further, the EDPB noted that a dissuasive
based in the EU and EEA being accessible to relation to the controller or processor, and penalty is one that has a genuine deterrent
the wider public, without users’ knowledge, also set out the risks posed as regards the effect, citing the opinion of Advocate
between 5 September 2017 and 11 January fundamental rights and freedoms of data General Geelhoed in Commission v France,
2019. It also disclosed that the bug was subjects. Nonetheless, the DPC maintained which stated that “effective” should
traceable to a code change made on 4 that the level of fine was appropriate. As mean that there is a high risk that non-
November 2014, but that no breach had been the DPC considered all other objections fell compliance will be detected and sanctions
detected before 5 September 2017. below the threshold of being relevant and would be imposed that would remove any
reasoned, it refused to follow any of the benefit of the non-compliance, so that
GDPR breach objections raised by the eight DPAs. non-compliance is rendered economically
Under Article 33 of the EU General Data unattractive (C-304/02).
Protection Regulation (2016/679/EU) In response, seven DPAs maintained their
(GDPR) (Article 33), a data controller is objections in full or partially. Consequently, The EDPB found that the DPC’s proposed fine
required to notify the relevant supervisory in August 2020, the matter was referred to of €135,000 to €275,000 was not sufficiently
authority not later than 72 hours after the European Data Protection Board (EDPB) effective, as the DPC did not sufficiently
becoming aware of a personal data breach under Article 65 of the GDPR (Article 65). substantiate how the fine addressed the
likely to result in a risk to the rights and requirements that it be dissuasive and
freedoms of affected data subjects. The EDPB decision proportionate. It noted that the cap for the
DPC decided that, having failed to notify In November 2020, in its first exercise under fine of 2% of Twitter Inc’s global annual
the DPC within 72 hours, Twitter was in Article 65, the EDPB issued its binding turnover meant that the maximum amount of
breach of Article 33. decision on the dispute. The EDPB rejected the fine was $60 million, and that there was
the majority of the objections made against no clear motivation for the DPC’s choice of
DPC investigation the DPC’s decision. It agreed with the DPC’s the proposed fine of between €135,000 and
As Twitter Ireland’s lead data protection determination of the relationship between €275,000 only, as the DPC did not explain
authority (DPA), the DPC reached a Twitter Inc and Twitter Ireland as a controller- the particular considerations that led to its
preliminary draft decision with respect to the processor relationship and that no additional decision.
breach in May 2020. Under Article 60(4) of articles of the GDPR had been breached.
the GDPR, the data protection authorities in These objections were either unsubstantiated The EDPB therefore concluded that the
eight EU member states (Austria, Denmark, on available factual elements or failed to fine did not meet its purpose of being
France, Germany, Hungary, Italy, the meet the threshold of being relevant and an appropriate corrective measure and
Netherlands and Spain) raised objections reasoned. In particular, the objectors failed remitted the decision to the DPC for it to
to the decision. The objections concerned: to demonstrate how the decision of the lead decide on a fine that would meet the Article
DPA would pose significant risks for the rights 83(1) of the GDPR requirements of being
• The competence of the DPC as lead and freedoms of data subjects or the free flow effective, dissuasive and proportionate.
DPA. of data, or both.
DPC revised fine
• The qualification of the roles of Twitter However, the EDPB did accept the objections The DPC, having regard to the EDPB’s
Ireland and Twitter, Inc, as processor of the Austrian, German and Italian DPAs concerns, maintained that the infringements
and controller respectively. that the DPC’s original proposed fine range of the GDPR could be deemed moderately
of €135,000 to €275,000 did not meet the serious, as they pertained only to a failure to
• The infringements of the GDPR requirements of being effective, dissuasive notify the breach on time, and adequately
identified. and proportionate with respect to the document the breach, in the final decision
infringing acts. While the EDPB agreed it issued on 9 December 2020. It decided
• The existence of possible additional, or with the DPC that the character of the to pay “particular regard to the nature,
alternative, infringements of the GDPR. breach was negligent and not intentional, gravity and duration of the infringements
and that there were no systemic issues at concerned, taking account of the nature,
• The lack of a reprimand. Twitter, it agreed that the DPC had not scope and purpose of the processing and
given adequate weight to the fact that the the number of data subjects affected”. The
• The calculation of the proposed fine. affected data subjects had deliberately DPC settled on an administrative fine of
chosen to make their Tweets private and €450,000, stating that the amount would
The DPC replied to the objections in that, for a company such as Twitter for be effective, proportionate and dissuasive,
July 2020. The DPC reasoned that only which the processing of personal data taking into account all of the circumstances
the objections raised in relation to the is at the core of its business, adequate of the case.
© 2021 Thomson Reuters (Professional) UK Limited. This article first appeared in the May 2021 issue of PLC Magazine,
4 published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.measures under Article 62. In the event that Global revenue for Google and Facebook in gravity of an infringement must be assessed
the eventual decision of the lead DPA is 2019 was approximately $160 billion and in the light of numerous factors, such as the
objected to by DPAs other than the lead DPA, $70 billion respectively, meaning that a 2% circumstances of the case, its context and
those DPAs can intervene through recourse to fine translates into figures ranging from the dissuasive effect of fines, although no
the consistency and co-operation mechanism. $1.4 billion to $3.2 billion. The immediate binding or exhaustive list of the criteria to be
response to the DPC’s eventual, revised fine applied has been drawn up (T-704/14; www.
The co-operation mechanism operates under of €450,000 questioned whether it would, practicallaw.com/w-011-7138).
Article 60(4), which provides that where in practice, discourage other companies,
an infringement of the GDPR affects data in particular Big Tech companies from There is no doubt that further disputes
subjects in multiple jurisdictions, supervisory committing the same types of infringing acts. will be raised under the co-operation
authorities in those jurisdictions are entitled and consistency mechanism. If DPAs are
to make a relevant and reasoned objection to The EDPB’s decision in Twitter Ireland also permitted to continue to impose fines that
the draft decision of a lead DPA. revealed its difficult balancing act. On the are perceived to be lenient, this may lead to
one hand, some authorities, like the German a perception that the one-stop shop principle
The consistency mechanism states that DPA, consider that only a fine that is so high establishes jurisdictional “safe havens” in
DPAs may refer issues that implicate it would render the illegal data processing which organisations may benefit from a less
multiple member states to the EDPB (Article unprofitable would act as a genuine exacting application of the GDPR by the
63, GDPR) (Article 63). Under Article 64 of deterrent. On the other hand, it is clear that relevant DPA, without effective intervention
the GDPR, the EDPB must issue an opinion some authorities, like the DPC, have reasons from the EDPB. This type of forum shopping
should a DPA wish to undertake certain to be more accommodating. The EDPB took could undermine the one-stop shop
actions. To resolve any disputes, including as these competing positions into account in principle and the enforcement of the GDPR,
to which DPA is the lead DPA, the resolution agreeing with certain of the objections raised evolving into a new factor for companies to
process under Article 65 of the GDPR (Article and disagreeing with the DPC on multiple consider when deciding on their European
65) is engaged, under which the EDPB is aspects of its decision. headquarters: whether a jurisdiction is
required to issue a decision on the matter considered to be a regulatory haven.
for consistency. However, on the sensitive issue of the
appropriate amount for the fine, the EDPB The result may be that tension between DPAs
To date, the dispute resolution process of the decided to remit the case back to the DPC will increase rather than reduce through the
GDPR has been engaged just once: following for final determination, allowing the DPC to co-operation and consistency mechanism,
a January 2019 data security incident involving be the final arbiter. The DPC duly increased with the recent war of words between Ulrich
the social networking platform, Twitter (see its initial proposed fine, indicating that it Kelber, Germany’s Federal Commissioner
box “Twitter Ireland and the EDPB”). had taken the EDPB’s decision into account for Data Protection, and Helen Dixon, the
and that the increased fine was around a Data Protection Commissioner for Ireland,
Tensions ahead? 67% increase on the upper level of the range exemplifying the likely direction of travel.
The first exercise of the Article 65 dispute previously proposed. In response to the Irish Commissioner’s
resolution mechanism in the Twitter Ireland contentions that certain DPAs failed to
case offers an important insight into GDPR As the first fine levied against Big Tech by the understand key concepts with respect to
enforcement and the divergent outlook of DPC, it is too early to draw conclusions on the one-stop shop mechanism, the German
DPAs concerning breaches of the GDPR. what this administrative fine may say about Commissioner responded that the Irish
the DPC’s future approach to enforcement. It Commissioner’s “one-sided” views left the
The response of member state DPAs to the is clear that various DPAs will continue to try Irish DPA isolated from other EU DPAs and
Irish Data Protection Commission (DPC), such to object to any perceived soft touch approach drew attention to the backlog of cases before
as the German DPA’s recommendation of a to enforcement. However, whether the EDPB the Irish DPA.
fine between €7.3 million and €22 million, will adopt similarly tactful decisions remains
demonstrates EU DPAs’ appetite to see to be seen. Far from facilitating co-operation, it seems
meaningful enforcement for breaches of that the one-stop shop mechanism is fast
the GDPR. Their objections send a clear Article 65 provides that the EDPB’s binding becoming a source of tension that will
message that, in the view of other DPAs, decision “shall concern all the matters which dominate discourse around the enforcement
fines should have a genuine deterrent effect are the subject of the relevant and reasoned of the GDPR in the years to come.
that is directly sensitive to the financial means objection”, which must include the appropriate
of the infringing organisation. range for a fine, should it be a matter subject INCREASED ENFORCEMENT EFFORTS
to objection. That the EDPB chose to permit
The Twitter Ireland dispute also provides an the DPC to make its own adjustment to the It is clear that DPAs are gearing up for
insight into the approach of the DPC, which final administrative fine may be an indication increased activity in 2021, particularly in view
plays a central role in the GDPR enforcement of the EDPB’s unwillingness to determine a of the ruling of the ECJ in Data Protection
of the most high-profile organisations as a matter as sensitive as the precise gravity of Commissioner v Facebook Ireland Ltd and
consequence of Ireland being the place of the infringement. Indeed, the EDPB tucked Maximillian Schrems, known as Schrems
European domicile for some of the world’s away in a footnote a reference to Marine II, in relation to which the fallout still
biggest technology companies, including Harvest ASA v Commission, one of many cases remains unclear (C-311/18; see News brief
Google and Facebook. where the EU courts have indicated that the “Schrems II and data transfers: cast adrift
© 2021 Thomson Reuters (Professional) UK Limited. This article first appeared in the May 2021 issue of PLC Magazine,
5
published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.in a sea of uncertainty”, www.practicallaw. at source. The DPC also noted in passing and because sufficient safeguards, both legal
com/w-027-1214). In Schrems II, the ECJ that enforcement efforts would continue, and technical, were put in place in case of a
ruled on two key data transfer mechanisms, with cookies being a key focus of its activities request from US authorities.
invalidating the EU-US privacy shield for data in 2021. This was reflected in a speech by
transfers to the US and imposing enhanced the Irish Data Protection Commissioner, With respect to cyber security, the CNIL’s
due diligence on parties using the EU Helen Dixon, at a conference in late 2020, objective is to verify the security level of French
standard contractual clauses (SCCs). in which she was hesitant to list the DPC’s websites that generate the highest volume of
enforcement priorities as enforcement is often traffic, with a focus on data collection forms,
Under Schrems II, where this type of more reactive than proactive. the https protocol and compliance with the
enhanced due diligence determines, on a CNIL’s recommendation on passwords. The
case-by-case basis, that the laws of the data In the 2020 report, the DPC noted the number CNIL also announced that it will question
importer’s country do not provide essentially of ongoing investigations into multinational organisations on their strategies against
equivalent protection of personal data to that technology companies based in Dublin that cyber attacks, such as ransomware. With
guaranteed under EU law, supplementary are due to be finalised in 2021. The issues respect to health data security, the CNIL
measures must be implemented. If the being examined in the investigations are announced that it will pursue the audits
imposition of supplementary measures diverse. However, a number of investigations that were launched in 2020 in light of the
would still not provide essentially equivalent are focused on ensuring that companies increasing digitisation of the health sector,
protection with respect to the data importer’s have discharged their GDPR obligations by such as access management to electronic
country, the data transfer must be suspended. processing personal data only where they patient files, platforms to book medical
The EDPB has since provided guidance on have a lawful basis to do so and by providing appointments and personal data breaches
assessing the laws of third countries and adequate prior information in their privacy in care facilities.
the form that supplementary measures may notices in light of the GDPR transparency
take, but market practice has yet to emerge principle. UK ICO
(https://edpb.europa.eu/sites/edpb/files/ Although no longer an EU member state,
files/file1/edpb_recommendations_202002_ To help manage the caseload and bring the UK’s DPA, the ICO, will remain the
europeanessentialguaranteessurveillance_ in additional members of staff, and to DPA for any international organisations
en.pdf; https://edpb.europa.eu/sites/edpb/ implement IT infrastructure, the DPC reported with a UK presence. The ICO notes that
files/consultation/edpb_recommendations_ a budget of almost €17 million for 2020, an there has been an increase in incidents and
202001_supplementarymeasures increase of €1.6 million on its 2019 budget. continues to actively enforce the UK GDPR.
transferstools_en.pdf). This grey area leaves In its statistics for 1 July 2020 to 31 October
ample room for enforcement action. French CNIL 2020, the ICO received 2,594 notifications
On the continent, the CNIL’s budget and of data breaches (https://ico.org.uk/action-
Irish DPC headcount has also recently increased. The weve-taken/data-security-incident-trends/).
In this respect, the DPC is naturally positioned budget of the CNIL increased by 8% from The most common breach was phishing,
as one of the most influential DPAs in the 2019 to 2020, reaching more than €20 and the most common cause of the breach
EU. As discussed above, numerous Big million. By way of comparison, the CNIL’s was misdirected email.
Tech companies have set up their European budget remained flat from 2015 to 2019. In
headquarters in Ireland. Activity for the DPC is addition, the French Budget Act for 2019 In view of the ICO’s willingness to fine
consequently high: in its 2020 annual report approved the creation of 15 new full-time British Airways and Marriott Hotels, there
(2020 report), the DPC revealed that it had positions at the CNIL to take on an increased will certainly be increased action in future.
handled a total of 10,151 cases and 6,673 workload due to the GDPR. Accordingly, the It should be noted, however, that the UK
data security breach notifications in the past CNIL headcount increased by 12.5% from Information Commissioner, Elizabeth
year (www.dataprotection.ie/en/news-media/ 2018 to 2020. By way of comparison, only Denham, is stepping down at the end of her
press-releases/data-protection-commission- two new positions were created between term in October 2021. With the ICO’s strategic
publishes-2020-annual-report). The most 2016 and 2018. plan, technology strategy, and international
frequent cases were queries and complaints, strategy all coming to an end in 2021, the new
including access and deletion requests and Beyond cookie enforcement, on 2 March 2021, Commissioner may yet steer the ICO towards
concerns about direct marketing. The 2020 the CNIL announced that it will actively focus new horizons.
report also noted a number of inquiries its control activities on two areas in 2021:
with cross-border implications, including website cyber security and the security of A CHANGED LANDSCAPE
the Twitter case, Ryanair and Groupon (see health data.
“GDPR enforcement mechanism” above). When the GDPR came into force, it was
Regarding health data security, on 12 March understood that a seismic shift in the EU’s
However, the DPC’s enforcement priorities 2021, the Conseil d’Etat, France’s highest data protection landscape would follow. In
were more opaque, with the 2020 report administrative court, held that personal data light of the trends in the enforcement of the
stating in broad terms that, while after-the- used to book COVID-19 vaccinations through GDPR, it must be said that this has come to
event enforcement by the DPC will always the Doctolib platform and hosted by Amazon pass. As is evident from both the efforts being
play a central role in the discharge of its Web Services Luxembourg, were sufficiently directed towards cookies enforcement and the
regulatory functions, the DPC is also mindful protected under the GDPR because the evidence that DPAs in certain member states
of the importance of encouraging compliance hosted data did not include medical data intend to continue to be proactive in their
© 2021 Thomson Reuters (Professional) UK Limited. This article first appeared in the May 2021 issue of PLC Magazine,
6 published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.and the UK, which may find that they are
Related information subject to dual enforcement action under
the EU GDPR and the UK GDPR, respectively.
This article is at practicallaw.com/w-030-5470
The ICO is no longer part of the EU GDPR’s
consistency and co-operation mechanism and
Other links from uk.practicallaw.com/
is, in essence, free to enforce the UK GDPR as
Topics it deems appropriate. Therefore, breaches of
Compliance: data protection topic/1-616-6178 the EU GDPR and the UK GDPR that relate
Cookies topic/5-616-6218 to inter-EEA-UK processing activities risk the
Data protection: general topic/1-616-6550 possibility of “double jeopardy”.
Data protection offences topic/1-607-9647
Data sharing topic/2-616-6187 That said, the ICO’s draft guidance on
Direct marketing: data protection topic/9-616-6179 regulatory action published in October
GDPR and data protection reform topic/7-616-6199 2020 states that it will ensure that any
Information technology topic/5-103-2074 administrative penalties issued will be
Sanctions and remedies: data protection topic/0-616-6193 proportionate (https://ico.org.uk/media/
Technology: data protection topic/8-616-6207 about-the-ico/consultations/2618333/ico-
draft-statutory-guidance.pdf). In addition,
Practice notes even in the absence of an official framework,
Cookies: UK issues and the impact of GDPR and DPA 2018 w-016-7485 there are incentives for co-operation between
Data security under the UK GDPR and DPA 2018 w-013-5138 the ICO and the EU DPAs. The EU-UK trade
Data subject rights (UK) w-024-3178 and co-operation agreement between the
Demonstrating compliance with the GDPR w-005-2644 UK and the EU keeps the door open for a
Ensuring data protection compliance w-012-9916 deepening of the relationship, requiring
Overview of data sharing arrangements (GDPR and DPA 2018) (UK) w-018-8492 collaboration through dialogue, the exchange
Overview of GDPR: UK perspective w-013-3757 of expertise and co-operation on enforcement
Overview of EU General Data Protection Regulation w-007-9580 (see Briefing “UK data protection and the EU-
UK GDPR and DPA 2018: enforcement, sanctions and remedies (UK) w-005-2487 UK trade agreement: where does the UK go from
here?”, www.practicallaw.com/w-029-3484).
Previous articles Although this does not rule out the possibility
Data protection officers: a many-faceted role (2021) w-029-4571 of parallel enforcement action, it should bring
Data class actions: the outlook after Morrison (2020) w-026-2617 some comfort to organisations that conduct
Data protection: privacy by (re)design (2019) w-018-6087 cross-border processing activities in the EEA
E-Privacy Regulation: developing slowly (2019) w-020-8272 and the UK. The real test will come when the
GDPR one year on: taking stock (2019) w-020-0982 theory is put into practice.
General Data Protection Regulation: a game-changer (2016) 2-632-5285
Compliance for UK cookies: the deadline approaches (2012) 3-518-9542 The trends identified should give
organisations plenty of food for thought
For subscription enquiries to Practical Law web materials please call +44 0345 600 9355 when assessing their current and future
compliance with the GDPR. With the threat
of data protection based class action-style
enforcement efforts, there is a clear desire the GDPR and to stay on track with their proceedings on the horizon, there has never
to see meaningful, effective enforcement of GDPR compliance journey. been a more important time to ensure that
the GDPR in the EU and the UK. their data protection and cyber security affairs
Naturally, as the prominence of DPAs has are in order.
This has been paired with a more prophylactic grown, so too have competing views on
approach to GDPR violations, with DPAs and how the GDPR should be implemented and Bruce Macaulay is a partner, Eve-Christie
the EDPB taking on a far more vocal role since enforced. This tension between DPAs looks Vermynck is counsel, Oscar Tang and Daniel
the GDPR came into force. This is reflected certain to shape the future enforcement of Millard are associates, and Angus Goalen is
in the broad range of guidance, FAQs, the GDPR. Further, the post-Brexit potential a trainee solicitor, at Skadden, Arps, Slate,
opinions and statements that DPAs and the for divergence between the DPAs and the Meagher & Flom (UK) LLP. Aymeric Boëlle
EDPB release, with the explicit intention of ICO will be relevant to companies with cross- is an associate at Skadden, Arps, Slate,
helping organisations to avoid violations of border processing activities across the EEA Meagher & Flom LLP in Paris, France.
© 2021 Thomson Reuters (Professional) UK Limited. This article first appeared in the May 2021 issue of PLC Magazine,
7
published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.You can also read
