Expected and Unexpected Examples of GDPR Enforcement in Action
On 25 May 2018, one of the most highly anticipated laws of our time came into force. The General Data Protection Regulation (GDPR) has celebrated its first birthday. We are now all used to clicking on OK to consent notifications on every website we go to. Although these can be frustrating, following the Cambridge Analytica scandal, which opened people’s eyes to data harvesting by corporations, it feels good to have control over how our personal data is used.
Twelve months on, this article examines how the GDPR has worked, using two examples – one that was expected and another that is a little left-field.
Big tech issued fines for GDPR breaches
The harsh fines which can be levied for GDPR breaches are well-known. Non-compliance risks a fine of up to €20 million or 4 per cent of an organisation’s global turnover.
Technology companies have been the first to be hit with fines. In January 2019, Google was fined €50 million (£44 million) by the French data protection authority CNIL . Two NGOs, None Of Your Business (NOYB) and La Quadrature du Net (LQDN), accused Google of “not having a valid legal basis to process the personal data of users of its services, particularly for ads personalization purposes”. The CNIL stated that Google had failed in its transparency obligations to explain exactly how it uses people’s data. In addition, the CNIL said that the users’ consent with the processing of their data for advertisement personalisation is not obtained validly.
“First, the restricted committee observes that the users’ consent is not sufficiently informed. The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent.”
“Then, the restricted committee observes that the collected consent is neither ‘specific’ nor ‘unambiguous’.”
Also, Google had not made easily accessible guidance on matters such as the reasons for data processing, and the length of time data is stored by the company, as required under the regulations.
In November 2018, A German chat site was fined €20,000 (£17,809) following a major data breach. Knuddels.de suffered a breach that saw 330,000 users’ information, such as email addresses and passwords placed on Mega.nz and Pastebin.com.
LfDI Baden-Württemberg, the regional data protection authority stated: “By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data in accordance with GDPR Article 32(1)(a).”
It is interesting to note that the privacy watchdog commented on the excellent cooperation and full transparency of Knuddels.de during the investigation. It was also noted that post-breach, enhanced security measures had been put in place. This seems to have resulted in a smaller fine than may have been imposed had the company behaved less favourably.
Verdict – Expected
Big tech was always going to be at the forefront of GDPR breaches simply by virtue of the fact that they handle so much data. However, other organisations have also been hit with fines. For example, the Central Hospital of Barreiro Montijo in Portugal was fined €400,000 after staff used fake profiles to illegally access patient data.
Apple, Amazon, Netflix, and Spotify are currently being investigated by the Austrian privacy regulator for non-compliance with Article 15 of the GDPR. So expect more eye-watering fines to be issued in the near future.
Prince Harry wins a privacy battle against Splash News and Pictures on GDPR grounds
The Duke of Sussex (aka Prince Harry) won a substantial claim against photography agency Splash News and Pictures after they used a helicopter to take pictures inside the home rented by him and his wife. Photographs published by various news outlets in both print and online on 11 January 2019 were said to have “very seriously undermined” the couple’s security.
The Duke of Sussex’s legal team argued the media outlet’s actions caused a breach of the couple’s right to privacy according to Art. 7 and 8 of the European Convention on Human Rights (ECHR) as well as a breach of the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA).
Article 5 of the GDPR requires all data controllers and processors to handle personal data (such as names, pictures and stories relating to them) fairly and in a transparent manner while also using it for a legitimate purpose.
Verdict – Not expected but hugely welcome to celebrities and royalty
Ever since the tragic death of Princess Diana, celebrities and royalty have fought hard to control their right to privacy. The GDPR appears to have provided them with a powerful weapon to conduct that battle. When obtaining pictures or footage of a person, the data controller needs a reason to use them. This can be in the form of consent (for example, the person in question was attending a pre-arranged movie premiere or charity function where press photographs are permitted). If no consent was given, which is the case with most paparazzi photos and footage, the controller must prove they have a legitimate interest, or it is in the public interest to use the material. In the case above, the way the photos were collected would make it very difficult to successfully argue that the media organisation’s legitimate interest or the interest of the public outweighed the right to a person being able to enjoy a level of privacy in their own property.
Final words
What all these examples show is that regulators across Europe are prepared to act decisively to enforce GDPR principles. This means organisations cannot afford to ignore continuous compliance monitoring. Data maps must be kept current to ensure that if a breach occurs or a Subject Access Request is made, the location of affected data can be swiftly identified. It is also imperative to regularly review whether your organisation’s data processing activities mean a Data Protection Officer should be appointed, as provided for in Article 37. And finally, GDPR training and communication should be rolled out across all teams regularly.
If you have any questions regarding employment law and/or GDPR matters, please do not hesitate to call the BDBF team of employment lawyers on 020 3828 0350.
BDBF is a leading employment law firm in the City of London.