May 2020 marks two years since the GDPR became applicable. The impact of the new regime has been gradual: obligations are still being put into practice, and there is still room for improvement in understanding how courts and regulators will enforce them.
The good news is that clarity is increasing. Data Protection Authorities (DPAs) have issued additional guidance, enforcement has risen, and the number of court decisions that businesses can use to check whether their GDPR compliance strategies are still sufficient has also grown.
In this article, we explore current GDPR topics with a focus on key developments and regulatory clarifications since implementation, such as:
- The new mantra of “joint control”;
- Transparency and consent;
- An analysis of DPA decisions ordering fines for GDPR violations.
Previously, US businesses doing business with European companies mainly had to consider the concept of a "data processor": an entity that processes personal data only on the instructions of another entity (the controller) and therefore bears no responsibility of its own for the lawfulness of the processing. Today, the landscape has become more complex.
Tip: Joint control is the new mantra.
US businesses subject to the GDPR should bear the CJEU's rulings in mind whenever they cooperate with another entity in processing personal data, or even merely exchange personal data with it. Classifying the roles of the parties correctly (controller, processor or joint controller) is the first step towards avoiding unnecessary fines.
Background: Since the GDPR became applicable, the CJEU has delivered three landmark judgments in which it classified the parties as "joint controllers", the concept now codified in Art. 26 GDPR (all three cases were decided on the basis of the predecessor Directive 95/46/EC, whose notion of joint control the GDPR carries over). As a consequence, joint control has gained a significance that was not apparent from the mere wording of the GDPR:
- 5 June 2018 (Wirtschaftsakademie Schleswig-Holstein, C-210/16): the CJEU ruled that the operator of a social media fan page is a joint controller, together with the platform, for the processing associated with the "page insights" analytics feature;
- 10 July 2018 (Jehovan todistajat, C-25/17): the CJEU ruled that the Jehovah's Witnesses Community, jointly with its preaching members, is a (joint) controller for the notes taken during door-to-door preaching;
- 29 July 2019 (Fashion ID, C-40/17): the operator of a German website was held to be joint controller, together with a social media platform, for the collection and transmission of personal data by a "Like" button embedded in the website.
In all three judgments, the CJEU applied a very broad interpretation of joint control. For example, the Court pointed out that an entity can be classified as a joint controller even if it does not itself have access to the personal data concerned. Joint control does not, however, mean joint responsibility for everything: in Fashion ID the Court confined the website operator's responsibility to the collection and transmission of the data, not to the platform's subsequent processing.
In a joint control scenario, Art. 26 GDPR requires a specific contractual arrangement (a joint control agreement) that transparently allocates the parties' respective responsibilities, in particular for data subject rights and information duties, and whose essence is made available to data subjects. The lack of such an agreement is an infringement punishable by a fine of up to EUR 10 million or 2% of the business's total worldwide annual turnover, whichever is higher (Art. 83(4) GDPR).
Tip: Consent should be explicit.
Transparency and consent continue to be a regular feature of complaints to DPAs. US businesses operating websites subject to EU law should check whether their current cookie transparency and consent practices meet the requirements set out by the CJEU in its Planet49 judgment. In particular, soft opt-in designs now carry a higher risk, and US businesses should consider "upgrading" to an active, explicit form of consent.
Background: The CJEU recently published a landmark decision whose key theme is the kind of user activity required for valid "active" consent. The legal background is Art. 5(3) of the ePrivacy Directive (2002/58/EC), under which consent is generally required for storing cookies on the user's device. In its judgment of 1 October 2019 (Planet49, C-673/17), the CJEU took some interesting and, in some cases, unexpected positions:
- First, the Court held that the consent requirement applies regardless of whether the information stored in the cookie is personal data. There is therefore no point arguing that a cookie ID might not qualify as an identifier; Art. 5(3) ePrivacy Directive does not require it to. This does not, however, mean that the GDPR applies to non-personal data.
- Furthermore, the judgment makes clear that an opt-out solution is no longer valid consent, because it is not "active". The requirements for valid consent (also for cookie consent under the ePrivacy Directive) are now those of the GDPR, and GDPR consent requires an affirmative action: pre-ticked boxes, for example, do not constitute consent according to the CJEU. Whether soft opt-in designs remain permissible, such as consent declared tacitly by continuing to browse the website, is still debated.
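The consent rules described above, as an added example that is not part of the original article (and not legal advice): a consent gate in plain JavaScript that treats only an explicit click on a box that was not pre-ticked as consent, blocks non-essential cookies until then, supports withdrawal, and includes a small audit helper for cookies observed before any consent interaction. The interaction shape, the essential-cookie list and the in-memory cookie jar are assumptions made for this example.

```javascript
// Added example, not from the original article: a minimal consent gate that
// encodes the Planet49 reading of "active" consent. Non-essential cookies are
// written only after an affirmative user action; a pre-ticked box and
// "continue browsing" are treated as no consent.
// Assumed: the interaction shape, the essential-cookie list, the in-memory jar.

// Assumed: cookies that are strictly necessary and exempt from consent.
const ESSENTIAL_COOKIES = new Set(["session", "csrf"]);

// interaction: { kind, checkboxChecked, checkboxDefault }
//   kind            "click" for an explicit confirmation; anything else is an
//                   implied signal such as "scroll", "navigate" or "timeout"
//   checkboxChecked state of the consent box when the user confirmed
//   checkboxDefault state of the box before the user touched it
function isActiveConsent(interaction) {
  if (interaction.kind !== "click") {
    return false; // soft opt-in (scrolling, continuing to browse) is not an affirmative act
  }
  if (interaction.checkboxDefault === true) {
    return false; // a pre-ticked box is not an active choice, even if it is still ticked
  }
  return interaction.checkboxChecked === true;
}

function createCookieJar() {
  return { consent: false, cookies: new Map(), blocked: [] };
}

// Records the outcome of a consent interaction; returns whether consent was granted.
function applyConsent(jar, interaction) {
  jar.consent = isActiveConsent(interaction);
  return jar.consent;
}

// Withdrawal must be as easy as giving consent (Art. 7(3) GDPR): flip the
// flag and drop every non-essential cookie already written.
function withdrawConsent(jar) {
  jar.consent = false;
  for (const name of jar.cookies.keys()) {
    if (!ESSENTIAL_COOKIES.has(name)) jar.cookies.delete(name);
  }
}

// Writes a cookie only if it is essential or consent has been given.
function setCookie(jar, name, value) {
  if (ESSENTIAL_COOKIES.has(name) || jar.consent) {
    jar.cookies.set(name, value);
    return true;
  }
  jar.blocked.push(name); // recorded so an audit can show what was held back
  return false;
}

// Audit helper: given cookie names observed before any consent interaction
// (e.g. from a crawler's first response), return the non-essential ones.
function preConsentViolations(observedNames) {
  return observedNames.filter((n) => !ESSENTIAL_COOKIES.has(n));
}

// Walkthrough on a constructed session.
const jar = createCookieJar();
setCookie(jar, "session", "s1");     // essential: written
setCookie(jar, "_analytics", "a1");  // blocked: no consent yet
applyConsent(jar, { kind: "navigate", checkboxChecked: true, checkboxDefault: true });
setCookie(jar, "_analytics", "a1");  // still blocked: pre-ticked box, no click
applyConsent(jar, { kind: "click", checkboxChecked: true, checkboxDefault: false });
setCookie(jar, "_analytics", "a1");  // written: active consent
withdrawConsent(jar);                // removes _analytics, keeps session
```

On a real site the jar is `document.cookie` or the server's Set-Cookie logic, and `preConsentViolations` is the check to run with a clean browser profile: any non-essential cookie present on first load, before the banner has been clicked, is a soft opt-in in practice whatever the banner says.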
A year ago, most analysts did not expect regulators to seek significant GDPR fines (over EUR 100 million). That assessment has changed. Led by the two fines announced as intended by the UK Information Commissioner's Office against British Airways (about EUR 204 million) and Marriott (about EUR 110 million), DPAs in France, Italy, Austria, Germany and Bulgaria have each issued fines of several million euros against companies in breach of the GDPR. Enforcement by way of fines is now common practice across the EU.
Tip: Plan ahead.
To avoid severe fines, US businesses should devise their strategy on the basis of a thorough analysis of the criteria for setting the fine under Art. 83(2) GDPR. The bad news is that many more investigations and major fines are likely to come: DPAs are still clearing their backlog of investigations and complaints, and these proceedings take time. We will therefore likely see more high fines as DPAs finalize their proceedings.
Background: To date, there have been several hundred cases in which European DPAs have investigated and issued fines. Some lessons from those cases:
- While the majority of fines have been imposed on companies established in the EU, businesses from outside the EU have also been hit by severe fines, either directly (as in the case of Marriott International Inc.) or through their local affiliates (as in the case of Delivery Hero).
- In roughly a third of all cases, the fine was triggered by a breach of the data security obligation under Art. 32 GDPR. This is a notable shift in DPA practice: before the GDPR, such infringements played a lesser role. Because it is often difficult to define which technical and organisational measures are "appropriate", there is an inherent risk that a DPA will not consider the measures adopted to be sufficient. Businesses should therefore reassess their current data security strategy and document the risk analysis behind it, since Art. 32 ties "appropriate" to the risk of the processing.
- DPAs in some EU countries, such as the Netherlands and Germany, have published official guidelines on how fines are calculated, and other DPAs use these as a basis for determining the appropriate amount. A company subject to an enforcement proceeding should therefore consult the guidance of the competent DPA and take all necessary steps to avoid a fine.
The importance of preparing and ensuring compliance with the new law cannot be overstated. Compliance with the GDPR is also a way to build and strengthen trust with customers and employees, enhance business reputation, grow the value of data assets and enhance risk mitigation.
- For more guidance on GDPR, check our Insights page here.
If you have any specific questions on anything covered in this article, please get in touch with one of our experts.