GDPR enforcement: how are EU regulators flexing their muscles?
Published on 28th Feb 2019
We have regularly been asked in recent months questions such as "what do EU Data Protection Authorities really care about?" and "where is the enforcement activity likely to be?".
So far, the evidence is slim; European Data Protection Authorities (DPAs) continue to wade through very high work volumes, not least in dealing with over 50,000 data breach notifications across Europe since the GDPR came into force on 25 May 2018. But we are starting to see evidence of the type of conduct that is likely to jump the data enforcement queue (as well as grab media attention), and of the tools that DPAs are ready and willing to use.
In this Insight, we look at:
- data breaches;
- the recurring themes of transparency and consent;
- the exercise of data subjects' rights; and
- the increasingly important role that audits and dawn raids are likely to play, as DPAs emerge from behind their computer screens.
Where is the heat?
Not surprisingly, DPAs have seen a huge increase in the number of data breaches being reported to them since the "mandatory" breach notification was considerably extended at the end of May 2018. For example in the UK, which is in third place behind the Netherlands and Germany in the data breach league table, the Information Commissioner, Elizabeth Denham, gave a speech to the International Privacy Forum on 4 December 2018 in which she said that the Information Commissioner's Office (the ICO) had received over 8,000 notifications of data breaches since the end of May 2018. That is compared with just 3,311 notifications between 1 April 2017 and 31 March 2018, and 2,565 between 1 April 2016 and 31 March 2017.
Despite this sharp increase in notifications, there has been little overt enforcement activity to date. That is not to say that investigations are not taking place behind the scenes; they are, and it won't be long before we hear again about some of the headline-grabbing breaches that we have seen in recent months.
In Germany, one of the most publicly debated fines under the GDPR regime has been issued as a consequence of a reported data breach: The DPA of Baden-Wurttemberg issued a fine of EUR 20,000 against the social network Knuddels for a violation of Art. 32 GDPR by storing passwords unencrypted, after the company reported that hackers had leaked over 800,000 email addresses and more than 1.8 million user credentials. Most remarkably, the DPA’s justification for the relatively low amount of the fine was the fact that Knuddels fully co-operated with the DPA and committed to intensive improvements in its data handling practices. In another case, the Baden-Wurttemberg DPA fined a business EUR 80,000 (to date the highest fine in Germany) for a lack of internal controls regarding health data on the internet. These investigations take time and the DPAs have also been busy clearing the backlog of pre-GDPR investigations.
The Netherlands tops the table with nearly 20,881 data breach notifications in 2018, compared to 10,009 in 2017. The Netherlands was one of the first countries to introduce a GDPR-style data breach notification requirement, back in 2016. The high number of data breach notifications in the Netherlands shows that Dutch companies are more aware of the data breach notification requirements than companies in other EU jurisdictions.
A potentially concerning development for business is the increase in class action-style litigation and so-called "data protection ambulance chasers". Whilst a representative action was struck out against Google in relation to the well-publicised "safari workaround" case of Lloyd v Google, that has not deterred groups of claimant law firms (often specialising in personal injury) trying to build books of business off the back of large data breaches.
Ashley Hurst, a Partner in Osborne Clarke's London office notes that "here in the UK, claimant law firms are lining up to advertise post-breach data protection claims on "no win no fee" agreements, even where the data compromised appears to give rise to little risk of damage". These firms are going to find it even harder to get these claims off the ground when the recovery of success fees is abolished for privacy claims in April this year.
Transparency and consent continue to be a regular feature of complaints to DPAs. For example:
- In September 2018, Brave (an internet browser) filed a complaint with DPAs in Ireland and the UK requesting an EU-wide investigation into the behavioural advertising industry's practices. One of the main complaints was a lack of transparency information provided to website users about how data collected about their use of a website is used to build a profile about them and subsequently show advertisements which are deemed to be most relevant.
- In November 2018, Privacy International filed complaints under the GDPR with DPAs in the UK, France and Ireland against two data brokers, two credit reference agencies and three advertising technology companies, alleging that those businesses had not provided the required transparency information and did not have a valid legal basis for processing.
- Transparency and consent (or the alleged lack of them) were also key factors in the CNIL's fine against Google – that fine was based on two complaints by NGOs 'noyb' and 'La Quadrature du Net' (see more on this below).
One of the key themes arising from these complaints is the level of detail that is expected to be included in the transparency information provided to data subjects. For example, in its statement on the Google fine, the CNIL said that Google's "purposes of processing are described in a too generic and vague manner", and that "the information about the retention period is not provided for some data".
Gianluigi Marino, Partner in Osborne Clarke's Milan office comments that "it is likely that a number of businesses are similarly vague in their privacy policies (if not more so); businesses should be looking again at their privacy policies in light of the CNIL's decision to see if there is any scope for making them more specific".
The exercise of data subject rights is becoming a serious business issue. The GDPR granted individuals more extensive rights in relation to their personal data, including the right to data portability. But it also gave lots of publicity to the existing rights of erasure and access. Litigators and employment lawyers in particular were paying attention and have been making repeated subject access requests, often with little more motive than to cause annoyance and build pressure.
Immediately post-25 May 2018, we noticed a big uptick in erasure requests as data subjects sought to clean up their online privacy and security. This seems to have slowed down in recent months, but the increased wave of data subject access requests (DSAR) continues unabated.
There are two types of DSAR that are particularly problematic. The first is the one that asks lots of complicated questions about data processing, some of which fall within the scope of Article 15 of the GDPR and others which don't. These requests are manageable but often require experienced data protection lawyers to avoid pitfalls, especially when the requestor is an employee of Privacy International. The second category is requests by employees and former employees for data contained in emails going back many years. These are time-consuming and expensive exercises that businesses find a chore and which can often lead to litigation if not handled well.
The good news for companies is that regulators have higher priorities than acting as judge in deciding which personal data should and shouldn't be disclosed or redacted. The Article 15 regime is designed to provide transparency about data processing, not to provide a new regime for pre-action disclosure, although plenty of claimant law firms try to use it for litigation purposes.
Companies therefore need to be smart about how they expend their efforts and carry out proportionate searches. Those companies that have developed an organised and efficient system are more likely to persuade regulators to expend their energies elsewhere. We are seeing some interesting examples of this, demonstrating that it is a false economy to simply adopt the cheapest option with a provider that doesn't understand data protection law.
One particularly noteworthy complaint is that filed by noyb – Max Schrems' NGO – with the Austrian DPA in January 2019 against eight technology companies. The complaint claims that those companies' automated systems for responding to access requests do not comply with the requirements of the GDPR. This will be one to watch for all businesses processing personal data.
Which enforcement tools are DPAs willing to use?
The headline GDPR fine so far has been the €50 million fine by the French DPA (CNIL) against Google for lack of transparency, inadequate information and lack of valid consent in relation to its use of personal data for the purposes of personalising advertisements. That fine is significantly higher than any of the other fines imposed by any EU DPA for breaches of the GDPR so far. The CNIL justified the amount and the publicity of the fine on the basis that:
- Google would (continue to) infringe essential principles of the GDPR: transparency and consent;
- the infringements were not a one-off, nor were they time-limited; they are still on-going;
- the scale of the infringement would be significant (thousands of French people are affected); and
- Google's economic model would partly be based on the personalisation of advertisements, and therefore it is of utmost importance that Google complies with its obligations in that respect.
Beatrice Delmas-Linel, Managing Partner of Osborne Clarke's Paris office observes that "in fining Google €50 million, the CNIL has silenced anyone wondering whether DPAs would be willing to walk the walk, as well as talk the talk."
At the moment, though, the Google fine is an outlier. High fines under the GDPR have been few and far between. Where there have been other fines (in Germany and Portugal), the amount of those fines has been considerably lower. According to a report by the Handelsblatt published on 18 January 2019, German DPAs had until then issued 41 fines under the GDPR. Stefan Brink, state data protection commissioner for Baden-Wurttemberg, commented on its EUR 20,000 fine against Knuddels: "The LfDI is not interested in entering into a competition for the highest possible fines. In the end, it's about improving privacy and data security for the users." It remains to be seen whether other DPAs take a similar approach.
Flemming Moos, Partner in Osborne Clarke's Hamburg office says that "DPAs are likely still clearing the massive backlog of investigations and complaints; these proceedings take time. In Bavaria alone, there are currently 85 fine proceedings for violations of the GDPR pending. We will undoubtedly see more fines (and higher fines) in the near future as DPAs finalise their proceedings. For businesses, in order to avoid high fines once being subject to investigations, it will be important to devise the right strategy based on a thorough analysis of the criteria for determining the fine under Art. 83 (2) GDPR."
Outside of fines, there is also some interesting activity bubbling away behind the scenes, which gives an indication of those areas which appear ripe for enforcement and likely to be highest risk for businesses.
Audits are an increasingly important weapon in a DPA's armoury. An audit allows a DPA to assess whether an organisation has effective controls in place alongside fit for purpose policies and procedures to support its data protection obligations. Audits can be consensual (when an organisation requests one) or compulsory.
Kevin van't Klooster, Senior Associate in Osborne Clarke's Amsterdam and San Francisco offices notes that "the Dutch DPA is particularly keen on exercising its power to audit. So far, those audits have focussed on specific industries and requirements, including the requirement to have a Data Protection Officer, a register of processing activities, and compliant data processing agreements".
More, and broader, audits have been carried out by DPAs in Germany: for example, the DPA of Lower Saxony conducted random GDPR audits at 50 companies during summer 2018 and is currently evaluating the feedback. The Bavarian DPA has sent a comprehensive questionnaire to a reported 85 companies assessing their overall GDPR compliance.
Under the GDPR and the Member State laws which implement it, DPAs are granted the power, under certain circumstances, to obtain access to any premises of a business processing personal data, whether as a controller or processor (i.e. a dawn raid).
This is not a brand new power, though the scope of the power has been expanded in certain EU Member States. In 2018, the UK's ICO made headlines for its extensive and wide-ranging investigations into the SCL Group and Cambridge Analytica as part of a wider investigation into the use of personal data and analytics by political campaigns, social media companies and others.
Pro-active investigations in companies, market segments or specific technologies
Investigations are predominantly complaints-driven at the moment. Nonetheless, DPAs have, or are starting to, identify key focus areas.
The Bavarian DPA is already particularly active. The watchdog engages in several audits focussing on specific data processing scenarios, currently in relation to data deletion in ERP systems (including SAP) and potential data protection violations by (sub-) processors.
Georgina Graham, Senior Associate in Osborne Clarke's Bristol office, points out that "here in the UK, the ICO has identified new technologies as driving the most significant data protection risks. In its Technology Strategy 2018 – 2021, the ICO identified AI, big data and machine learning, as well as web and cross-device tracking, as priority areas for investigation. In its view, the potentially intrusive nature of those technologies demands that the ICO puts its focus and resource into better understanding them."
Where does this leave us?
It is safe to say that 2018 was a busy year in the world of data protection and privacy, but it shows no signs of slowing down into 2019 and beyond. DPA enforcement has not quickly produced prohibitive fines (as had been widely expected). Enforcement activities have slowly unfolded, and take some time. We will see much more, and more high-profile, results of these activities in the near future.