> DPAs/Enforcement

Investigations, sanctions
CNIL publicly served a formal notice to WhatsApp, claiming the lack of legal basis for the company transferring data to Facebook after its acquisition.
CNIL is the latest DPA that went after connected toys (“My friend Cayla” and “I-que”). It served a “formal notice to cease serious breach of privacy due to lack of security measures”. The Irish DPC also published a brief guidance document on connected toys and data protection.
The Spanish DPA issued a 300.000 euros fine against Google for collecting data from open Wi-Fi networks with its Google Street View cars, without informing the Wi-Fi users and without obtaining their consent. This is the result of an investigation started in 2010 that had to be suspended after Court proceedings were initiated in the same case.
The Article 29 Working Party sent out a set of letters to different organizations, but no enforcement actions were actually announced (see the letters to WhatsApp, CIA-app, Sync.me, Truecaller and BEUC – all links will directly download a .pdf).
The Global Privacy Enforcement Network (GPEN) announced the results of its 2017 Sweep, which aimed to examine privacy notices of websites and mobile apps. 24 DPAs participated to this action. For instance, they found that “51% of websites/apps failed to specify with whom data would be shared, while 25% did not address whether personal information would be disclosed to third parties at all”. The action resulted only in issuing recommendations.
The Dutch DPA replied to a request of a Dutch web registry which administers the .amsterdam and .frl domains regarding the compulsory publication of domain name registrants (WHOIS-data), following ICANN requirements. The DPA found that such unlimited publication “is a violation of current Dutch privacy law”, given that the publication online of all WHOIS-data is not necessary. The DPA also underlined that “access to personal data of domain name registrants should be granted when such access is necessary for technical reasons, or for law enforcement”, in a layered way.
The Dutch Data Protection Authority found last week that “Microsoft breaches data protection law with Windows 10”, referring mainly to lack of sufficient information and transparency to ensure that the consent obtained is valid. Microsoft replied that they are working on improving  some of the aspects that raised concerns, but also challenged part of the findings. Here is an overview by Ars Technica.

The Irish DPC published two statements – one welcoming the publishing of FAQs by WhatsApp as a consequence of the ongoing dialogue the DPC is having with Facebook Ireland, and the other one requesting the Irish Department of Social Protection to publish answers to FAQs submitted by the DPC with regard to the Public Services Card. The two statements highlight how important transparency is for data protection compliance. 

The Belgian Data Protection Commission is investigating the organiser of the Tomorrowland music festival, after receiving several complaints regarding the refusal to grant access to 38 festival goers on security reasons. The organiser asked the federal police to screen all those who have acquired tickets against a national police database and refused access to 38 persons. The federal police confirmed they screened 400.000 people for the Tomorrowland organisers.    
Data protection at work – CNIL fined a small French company with 1000 EUR after a two years investigation into their practices for video surveillance at work. One of the reasons for issuing the fine was that the processing of data was excessive, considering that it was possible to always have real time access to the images captured by the surveillance system. The possibility to stop the recording of those images does not suffice to consider the collection limited to what is necessary.

ICO published their full Annual Report for 2016/2017. Some key numbers:

– 23 monetary penalties were issued in the framework of the ePrivacy implementing law, totalling 1.923.000 pounds;

– 18.300 cases on data protection received; significant increase in the number of data protection concerns brought by individuals, about 2.000 more than last year;

– 16 civil monetary penalties were issued in the framework of the Data Protection Act, totalling 1.624.500 pounds; the largest was a 400.000 pounds penalty issued to Talk Talk;

– 50% increase in criminal cases resulting in a conviction – in total, ICO secured 21 criminal convictions, of which 11 for unlawfully obtaining data.

CNIL sanctioned Hertz with a 40.000 EUR fine for not taking appropriate technical and organisational measures to ensure data security. An error made by one of the data processors when moving data between servers created a security breach on the company’s website, making the data of 35.537 customers easily available to third parties. According to a press release, the fine is the first one for this kind of breach under the new French data protection law (in effect since November 2016). Under the previous law, a warning would have been enough for this kind of breach. 

ICO: A recruitment manager was prosecuted and fined (573 BP) for illegally disclosing the personal information of job applicants to a third party employment agency (he was found to have sent copies of 26 CVs containing the personal data of applicants seeking employment with his company to an external recruitment firm).  

ICO issued a decision in the “Royal Free – Google DeepMind” case, concluding that the trial failed to comply with data protection law. “The Trust provided personal data of around 1.6 million patients as part of a trial to test an alert, diagnosis and detection system for acute kidney injury. But an ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.” No fine was issued. Instead, the ICO required for several measures to be taken to remedy the situation.

The ICO issued a fine of 60.000 pounds to a small video games rental  company for “failing to take basic steps to stop its website being attacked”. The company’s website was subject to a cyber attack in 2014 in which 26.331 customer details could be accessed.

The CNIL issued last week a 10.000 EUR fine for a dental practice for non-cooperation during an investigation of a complaint concerning access to data. This is a reminder that cooperation with a DPA is an independent obligation under Article 31 of the GDPR, and non-compliance with this obligation can be sanctioned in the lower fines tier (up to 10 mill EUR or 2% of annual turnout).

PWC published a Privacy and Security Enforcement Tracker for 2016, with a focus on the activity of the ICO. It also contains summaries of enforcement actions by other European DPAs.

The Italian DPA adopted a decision on the proposal of an insurance company to cross-reference different databases that “provides useful elements to companies looking to rely on legitimate interests”.

Several high profile sanctions were issued in the past week:

ICO fined the Greater Manchester Police with £150,000 after three DVDs containing footage of interviews with victims of violent or sexual crimes got lost in the post. Another fine of £55,000 was received by an online building products supplier, which failed to implement appropriate technical and organizational measures to prevent a cyber-attack which resulted in accessing unencrypted cardholder details.

A finance brokerage firm responsible for sending thousands of spam text messages has been fined £40,000 by the Information Commissioner’s Office (ICO). Monevo Limited, based in Macclesfield, Cheshire, sent 44,172 unsolicited marketing texts promoting loans in three months.

Charities are not allowed to disregard data protection law. The ICO announced that it fined eleven charities that breached the Data Protection Act by misusing donors’ personal data (with fines from 6.000 to 18.000 pounds). “ICO investigations found many of the charities secretly screened millions of donors so they could target them for additional funds. Some charities traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities creating a large pool of donor data for sale.”

ICO fined two companies, Flybe and Honda, (£83,000) for breaking the rules about how people’s personal information should be treated when sending marketing emails. (Read More).

The CNIL updated their guidance on applying data security requirements under the French data protection law (only in FR).
The ICO published a note regarding the “data protection fee” organizations will still need to pay, even though the GDPR does not require controllers anymore to register with their data protection authorities. Currently, organizations pay a fee when they register as controllers with the ICO. The fee will be kept, but under another name.
The Hungarian DPA issued guidance exploring data protection aspects of blockchain technology, according to which each person that adds blocks and personal data to blocks in the system is a data controller for data protection law purposes (the guidance is in Hungarian, the link provided above is to a summary of it in English). 
The “Berlin Group” (International Working Group on Data Protection in Telecommunications – a group that gathers technologists working for DPAs) issued a Working Paper on e-Learning Platforms (the link directly downloads pdf), as a result of their last meeting, which took place in April in Washington DC. The paper outlines the main privacy risks for students associated with e-learning platforms and provides recommendations for educational institutions, e-learning platform providers and data protection authorities.

The Irish DPC issued a statement on DPOs and the appropriate qualifications an employer should be looking for. 

The “Berlin Group” (International Working Group on Data Protection in Telecommunications – a group that gathers technologists working for DPAs) issued a Working Paper on e-Learning Platforms (the link directly downloads pdf), as a result of their last meeting, which took place in April in Washington DC. The paper outlines the main privacy risks for students associated with e-learning platforms and provides recommendations for educational institutions, e-learning platform providers and data protection authorities.

The Federal German Data Protection Commissioner published Guidance for Connected Cars. Among other recommendations, the DPC recommended that it must be clear and apparent what kind of data is processed without the consent of data subjects.

The Irish DPC issued a short guidance document explaining the difference between facial recognition and facial detection technologies, in reply to concerns received from individuals regarding digital advertisement screens in public spaces. 

The Swedish DPA decided that the right to be forgotten applies globally in specific situations: if there is a specific connection to Sweden and to the data subject, for example is the information on the webpage which is linked to is written in Swedish, addressed to a Swedish audience, contains information about a person that is in Sweden or if the information has been published on the Swedish domain .se.

The Spanish DPA published a Code of Best Practices regarding Big Data and data protection, in cooperation with industry representatives such as Telefonica, Cloud Security Alliance and Orange (available only in Spanish).

The European Data Protection Supervisor published a toolkit for assessing “necessity” when it comes to respecting the fundamental right to the protection of personal data in the EU. “Necessity” of the processing activity is a fundamental condition for lawful data processing. While the toolkit is primarily aimed to lawmakers and policymakers, it is a very useful source to understand the EU data protection law framework. The Toolkit is available HERE and it is based on a background paper published last year.

The ICO announced that it received more than 300 responses to their public consultation on consent under the GDPR. 

The CNIL published an 80-page report on ethics and Artificial Intelligence, available only in French. It is based on a public debate initiated in January this year, that saw several events organized throughout France to discuss the implications of AI on the rights of individuals and the role that ethics can play in this case.
The Wall Street Journal published an extended interview with the Irish Data Protection Commissioner, Helen Dixon, about the GDPR and how supervisory authorities are getting ready for it.
Here you have some insight into the reorganisation of the Belgian DPA and the significant changes brought to its structure by the new law.
Giovanni Buttarelli, the European Data Protection Supervisor, published a blog on the approach of the day the GDPR becomes applicable – “It’s not the end of the world as we know it“. It’s an insightful analysis on why challenges of the digital economy for human rights concern more than data protection. He also details the idea of creating a pan-European Digital Authority, to tackle competition, data protection and consumer protection.
Last week, at the IAPP Data Protection Congress in Brussels, I had the pleasure of hosting a session with Giovanni Buttarelli, the European Data Protection Supervisor, discussing about the future of data protection in Europe and the world. We discussed a lot about the interplay of ethics, data protection and competition law, about enforcement in general and (achievability of) global enforcement in particular, but also about the future of the European Data Protection Board. Two points I will recall here: first, Giovanni expressed his view that the future of the EDPB in the following 7 to 10 years could go in the direction of an “EU Digital Regulator” that could also have some consumer protection and some competition law competences, besides data protection. Second, he mentioned ongoing efforts of the Conference of Privacy Commissioners to come up with concrete collaboration platforms for cross-border enforcement cooperation (GPEN-like platforms).
In an interview for Les Echos, Isabelle Falque-Pierotin (head of the CNIL and of the Article 29 Working Party), talks about the role of the CNIL, 40 years after the authority was created. She underlines that the CNIL is not there only to sanction, forbid or intervene a posteriori, but also to guide and advice companies. Asked which are the greatest challenges of using personal data and IT capabilities, she replied: “Why not talk about opportunities? (…) We are at a fabulous time in terms of data capabilities, of companies having a global market. The role of the CNIL is to make sure that all this is developed while preserving individual freedom. It is data protection that allows freedom of speech and freedom of movement. The threat would be the individuals becoming prisoners of their data” (this is an approximate translation; the interview is in French).
The LIBE committee adopted its version of the new regulation that will replace Regulation No 45/2001 and that defines the role of the EDPS, together with establishing data protection rules the EU institutions and agencies have to comply with. If you want an introduction to this Regulation and its significance, here is a Research Brief published this month by the EP Research Service.
The International Conference of Privacy Commissioners ended last week with the adoption of two resolutions, two of which clearly show that there is an increased interest in global cross-border and cross-sectoral enforcement actions:

The European Data Protection Supervisor and the Bulgarian DPA, who are co-hosting next year’s International Conference in Brussels, announced that the event will focus on Digital Ethics.
The ICO continues their GDPR myth-busting series with a note on why “GDPR is an evolution in data protection, not a burdensome revolution”, highlighting how the GDPR is building on foundations already in place for the last 20 years and how it scales the task of compliance to the risk posed to the rights of individuals.

The EDPS published his Opinion on the Proposal for a Regulation establishing a single digital gateway and the “once-only” principle, which is aimed at ensuring that citizens and businesses are requested to supply the same information only once to a public administration, which can then re-use the information they already have.

The ICO started a much welcomed myth-busting campaign regarding the GDPR, acknowledging that there is a lot of misinformation out there about it. The first myth they busted: the biggest threat to organisations from the GDPR is massive fines. Elisabeth Denham, head of the ICO, wrote that “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm”. Read all about it here. The second myth they busted: consent is the silver bullet for GDPR compliance. No, it’s not. “The rules around consent only apply if you are relying on consent as your basis to process personal data. (…) There are five other ways of processing data that may be more appropriate than consent”, wrote Denham here 

The CNIL coordinates a country-wide public consultation series on algorithms and Artificial Intelligence (in France). They published a calendar of the many events organised in June and July as part of this series.

The ICO is hosting this week a series of international workshops for data protection authorities mainly focused on enforcement cooperation and case handling, including the first meeting of the Enforcement Practitioners Workshop of GPEN (Global Privacy Enforcement Network). The workshop will involve 70 delegates from 32 worldwide authorities, as well as experts from the consumer protection and telecommunications fields.

The ICO appointed two new Deputy Commissioners – James Dipple-Johnstone (Operations) and Steve Wood (Policy) and launched a Grants program for independent research projects that develop privacy enhancing solutions.  

The first meeting of the “Digital Clearinghouse” took place this Monday in Brussels, at the initiative of the EDPS, supported by the European Commission. The meeting was attended by authorities with regulatory responsibilities for various aspects of the digitised economy – consumer protection authorities, competition authorities and data protection authorities. The idea of a Digital Clearinghouse is to break the silos among relevant authorities acting in the digital arena. Read more about it HERE.

A detailed  interview with Helen Dixon, the Data Protection Commissioner of Ireland, was recently published. The DPC talks about going all the distance to impose maximum fines for non-compliance with the GDPR and about the fact that there will be no amnesty or grace period after the GDPR enters into force. 

Check out the speeches given by Helen Dixon (DPC) and Giovanni Buttarelli (EDPS) at the Tech Lab Open House (on April 18), an annual event hosted by FPF during the IAPP Global Privacy Summit week, where policymakers, regulators and thought leaders interact with the latest in privac-impacting gadgets and new technologies.

Annual reports
The Spanish DPA published their annual report for 2016 (available in ES). Among key numbers: 14.190.173 EUR in fines last year; 10.523 complaints and other claims made by citizens; 237.000 queries made by citizens; 78% of the decisions of the DPA that were challenged in Court were fully confirmed by the Court of Appeal (from a total of 74 cases).

The Belgian DPA adopted its Annual Report, providing insight into its activity. Read an English summary here, and the Report in French and Dutch.

ICO released its annual statistics report for 2016/2017, stating that it has dealt with record numbers of data protection incidents, nuisance marketing cases and individual complaints.

EDPS published its 2016 Annual Report, which provides a good overview of where EU policy in data protection law is heading (e.g. see pages 40-44). It also contains some details about setting up the EDPB (p. 43). 

The Irish DPC published their AnnualReport for 2016. Some key points:

CNIL published its 37th Annual Activity Report for 2016 (yes, CNIL has been around for 37 years, since the first French data protection law was adopted). It reveals that the French authority conducted 430 inspections last year, of which 82 resulted in “misdemeanour” findings, and 13 in sanctions (of which only 4 financial; there’s no mention of the amount of the fines). CNIL received 7703 complaints, of which 420 regarding the right to be forgotten. For 2017, CNIL announced it will focus it’s enforcement on processing of health data, national security databases for combating terrorism and Smart TVs. (Press release here, only in FR).

If you want to receive weekly updates on developments in EU data protection law and policy, contact Gabriela Zanfir-Fortuna at [email protected].