GDPR one year on: how are EU regulators flexing their muscles and what should you be thinking about now?
Published on 10th May 2019
Our clients regularly ask us questions such as "what do EU Data Protection Authorities really care about?", "where is the enforcement activity likely to be?" and "what should we be thinking about now in terms of our GDPR compliance?".
So far, the evidence of any significant enforcement activity is slim; European Data Protection Authorities (DPAs) continue to wade through very high work volumes, not least in dealing with over 50,000 data breach notifications since the GDPR came into force on 25 May 2018. But, we are starting to see examples of the type of conduct that is likely to jump the data enforcement queue (as well as grab media attention), and the tools that DPAs are ready and willing to use.
In this Insight, we look at:
- data breaches;
- the recurring themes of transparency and consent;
- the exercise of data subjects' rights; and
- what fines we have seen so far; and
- just a few of the things to consider in terms of your GDPR compliance (now and on an on-going basis).
Where is the heat?
Data breaches and post-breach orders and litigation
Not surprisingly, DPAs have seen a huge increase in the number of data breaches being reported to them since "mandatory" breach notification was considerably extended at the end of May 2018. For example in the UK, which is in third place behind the Netherlands and Germany in the data breach league table, the Information Commissioner, Elizabeth Denham, gave a speech to the International Privacy Forum on 4 December 2018 in which she said that the Information Commissioner's Office (the ICO) had received over 8,000 notifications of data breaches since the end of May 2018. That is compared with just 3,311 notifications between 1 April 2017 and 31 March 2018, and 2,565 between 1 April 2016 and 31 March 2017.
Despite this sharp increase in notifications, there has been little overt enforcement activity to date. Which is not to say that investigations are not taking place behind the scenes; they are, and it won't be long before we hear again about some of the headline-grabbing breaches that we have seen in recent months.
In Germany, one of the most publicly debated fines under the GDPR regime has been issued as a consequence of a reported data breach: The DPA of Baden-Wurttemberg issued a fine of EUR 20,000 against the social network Knuddels for a violation of Art. 32 GDPR by storing passwords unencrypted, after the company reported that hackers had leaked over 800,000 email addresses and more than 1.8 million user credentials. Most remarkably, the DPA’s justification for the relatively low amount of the fine was the fact that Knuddels fully co-operated with the DPA and committed to intensive improvements in its data handling practices. In another case, the Baden-Wurttemberg DPA fined a business EUR 80,000 (to date the highest fine in Germany) for a lack of internal controls regarding health data in the internet. These investigations take time and the DPAs have also been busy clearing the backlog of pre-GDPR investigations.
The Netherlands leads the top of the table with nearly 20,881 data breach notifications in 2018, compared to 10,009 in 2017. The Netherlands was one of the first countries to introduce a GDPR-style data breach notification requirement back in 2016. The high number of data breach notifications in the Netherlands shows Dutch companies are more aware of the data breach notification requirements, compared to other EU jurisdictions.
A potentially concerning development for business is the increase in class action-style litigation and so-called "data protection ambulance chasers". Whilst a representative action was struck out against Google in relation to the well-publicised "safari workaround" case of Lloyd v Google, that has not deterred groups of claimant law firms (often specialising in personal injury) trying to build books of business off the back of large data breaches.
Ashley Hurst, a Partner in Osborne Clarke's London office notes that "here in the UK, claimant law firms are lining up to advertise post-breach data protection claims on "no win no fee" agreements, even where the data compromised appears to give rise to little risk of damage". These firms are going to find it even harder to get these claims off the ground when the recovery of success fees is abolished for privacy claims in April this year.
The recurring themes of transparency and consent
Transparency and consent continue to be a regular feature of complaints to DPAs. For example:
- In September 2018, Brave (an internet browser) filed a complaint with DPAs in Ireland and the UK requesting an EU-wide investigation into the behavioural advertising industry's practices. One of the main complaints was a lack of transparency information provided to website users about how data collected about their use of a website is used to build a profile about them and subsequently show advertisements which are deemed to be most relevant.
- In November 2018, Privacy International filed complaints under the GDPR with DPAs in the UK, France and Ireland against two data brokers, two credit reference agencies and three advertising technology companies, alleging that those businesses had not provided the required transparency information and did not have a valid legal basis for processing.
- Transparency and consent (or the alleged lack of them) were also key factors in the CNIL's fine against Google – that fine was based on two complaints by NGOs 'noyb' and 'La Quadrature du Net' (see more on this below).
One of the key themes arising from these complaints is the level of detail that is expected to be included in the transparency information provided to data subjects. For example, in its statement on the Google fine, the CNIL said that Google's "purposes of processing are described in a too generic and vague manner", and "that the information about the retention period is not provided for some data".
Gianluigi Marino, Partner in Osborne Clarke's Milan office comments that "it is likely that a number of businesses are similarly vague in their privacy policies (if not more so); businesses should be looking again at their privacy policies in light of the CNIL's decision to see if there is any scope for making them more specific".
Requests from data subjects (lots of them…)
The exercise of data subject rights is becoming a serious business issue. The GDPR granted individuals more extensive rights in relation to their personal data, including the right to data portability. But it also gave lots of publicity to the existing rights of erasure and access. Litigators and employment lawyers in particular were paying attention and have been making repeated subject access requests, often with little more motive than to cause annoyance and build pressure.
Immediately post-25 May 2018, we noticed a big uptick in erasure requests as data subjects sought to clean up their online privacy and security. This seems to have slowed down in recent months, but the increased wave of data subject access requests (DSAR) continues unabated.
There are two types of DSAR that are particularly problematic. The first is the one that asks lots of complicated questions about data processing, some which fall within scope of Article 15 of the GDPR and others which don't. These requests are manageable but often require experienced data protection lawyers to avoid pitfalls, especially when the requestor is an employee of Privacy International. The second category is requests by employees and former employees for data contained in emails going back many years. These are time-consuming and expensive exercises that businesses find a chore and which can often lead to litigation if not handled well.
The good news for companies is that regulators have higher priorities than acting as judge in deciding which personal data should and shouldn't be disclosed or redacted. The Article 15 regime is designed to provide transparency about data processing, not to provide a new regime for pre-action disclosure, although plenty of claimant law firms try to use it for litigation purposes.
Companies therefore need to be smart about how they expend their efforts and carry out proportionate searches. Those companies that have developed an organised and efficient system are more likely to persuade regulators to expend their energies elsewhere. We are seeing some interesting examples of this, demonstrating that it is a false economy to simply adopt the cheapest option with a provider that doesn't fully understand data protection law.
One particularly noteworthy complaint is that filed by noyb – Max Schrems' NGO – with the Austrian DPA in January 2019 against eight technology companies. The complaint claims that those companies' automated systems for responding to access requests do not comply with the requirements of the GDPR. This will be one to watch for all businesses processing personal data.
What fines have we seen so far?
The headline GDPR fine so far has been the €50 million fine by the French DPA (CNIL) against Google for lack of transparency, inadequate information and lack of valid consent in relation to its use of personal data for the purposes of personalising advertisements. That fine is significantly higher than any of the other fines imposed by any EU DPA for breaches of the GDPR so far. The CNIL justified the amount and the publicity of the fine on the basis that:
- Google would (continue to) infringe essential principles of the GDPR: transparency and consent;
- the infringements were not a one-off, nor were they time-limited; they are still on-going;
- the scale of the infringement would be significant (thousands of French people are affected); and
- Google's economic model would partly be based on the personalisation of advertisements, and therefore it is of utmost importance that Google complies with its obligations in that respect.
Beatrice Delmas-Linel, Managing Partner of Osborne Clarke's Paris office observes that "in fining Google €50 million, the CNIL has silenced anyone wondering whether DPAs would be willing to walk the walk, as well as talk the talk."
At the moment, though, the Google fine is an outlier. High fines under the GDPR have been few and far between. Where there have been other fines (in Germany and Portugal), the amount of those fines has been considerably lower. According to a report by the Handelsblatt published on 18 January 2019, German DPAs had until then issued 41 fines under the GDPR. Stefan Brink, state data protection commissioner for Baden-Wurttemberg, commented on its EUR 20,000 fine against Knuddels: "The LfDI is not interested in entering into a competition for the highest possible fines. In the end, it's about improving privacy and data security for the users." It remains to be seen whether other DPAs take a similar approach.
Flemming Moos, Partner in Osborne Clarke's Hamburg office says that "DPAs are likely still clearing the massive backlog of investigations and complaints; these proceedings take time. In Bavaria alone, there are currently 85 fine proceedings for violations of the GDPR pending. We will undoubtedly see more fines (and higher fines) in the near future as DPAs finalise their proceedings. For businesses, in order to avoid high fines once being subject to investigations, it will be important to devise the right strategy based on a thorough analysis of the criteria for determining the fine under Art. 83 (2) GDPR."
Outside of fines, there is also some interesting activity bubbling away behind the scenes, which gives an indication of those areas which appear ripe for enforcement and likely to be highest risk for businesses.
Where does this leave us and what should you be thinking about now?
It is safe to say that 2018 was a busy year in the world of data protection and privacy, but it shows no signs of slowing down into 2019 and beyond. DPA enforcement has not quickly produced prohibitive fines (as had been widely expected). Enforcement activities have slowly unfolded, and take some time. We expect to see much more, and more high-profile, results of these activities in the near future.
To avoid falling foul of the GDPR, and with almost 12 months of new guidance, learning, evolving common and best practices and early enforcement action to go on, it's a good time to carry out an audit of your current compliance. Where are you in your compliance plan and what more can be done?
Here are just five things to be considering (both now, and on an on-going basis):
1. Policies and procedures
Check whether your existing policies and procedures need updating as a result of new guidance or business expansion and changes; in particular, guidance on transparency and consent from the Article 29 Working Party (now the European Data Protection Board).
If your compliance activity last year was relatively limited, consider whether your current suite of policies and procedures needs extending to ensure an on-going culture of data protection responsibility. For example, do you have a process for handling requests from data subjects? Remember that good compliance requires more than just good documentation: the documentation needs to be disseminated to the business, implemented and enforced.
2. Customer / supplier relationships
Review your contracts with your customers and your suppliers. Do they comply with the requirements of the GDPR, including the rules on transferring personal data outside the EU? If not, how will you go about amending them? Would you benefit from standard GDPR-compliant terms that you can use with your customers and / or suppliers?
3. Privacy Impact Assessments
Do you understand the circumstances in which you are required to undertake a Privacy Impact Assessment? If so, do you have a robust framework for carrying them out? Privacy Impact Assessments are a key part of the GDPR's philosophy of privacy-by-design.
4. GDPR training
Consider rolling out annual GDPR refresher training, with more advanced training for staff that regularly handle personal data (such as the sales and marketing, HR and IT teams). DPAs take training seriously and it is usually one of the first questions they ask when things go wrong.
5. Security breaches
Consider whether your staff know what to do in the worst-case scenario – if there is a security breach or if a DPA commences any enforcement action. Preparing for a crisis will help you to swiftly take defensive steps to mitigate the serious reputational and financial consequences that can follow when things go wrong. Consider a Data Breach Policy, guidance on managing regular interactions and training, including through crisis simulation or "war-gaming" exercises.