2019 – the year of the first real GDPR cases
Before the GDPR came into effect, much attention was given to the strengthened competence and powers of the supervisory authorities (including the power to issue fines of up to 4% of yearly revenue). 2019 marked the year of the first real GDPR cases, providing an indication of how the authorities will use their new powers and sanctions.
With a few exceptions, the supervisory authorities have only to a small extent carried out their own inspections and controls. It seems as though many supervisory authorities across Europe had more than enough on their plate trying to adjust to the new GDPR requirements and aligning their practices to the new regime. The authorities’ heavy workload also stems from handling a vast number of personal data breach notifications and a great number of complaints from data subjects. The situation of the Norwegian Data Protection Authority has been no different.
In Norway, the two most prominent cases have been the fines imposed on the two Norwegian municipalities Oslo and Bergen. Both fines were related to insufficient information security. In Europe, the cases have dealt with a number of issues under the GDPR. While quite a few centred on information security, others clarified the requirements of consent, information and joint controllership.
Bergen and Oslo municipality
On 18 March 2019, the Norwegian Data Protection Authority fined Bergen municipality NOK 1.6 m for allowing files containing usernames and passwords to an online login platform (eFeide) to be available to all users of the information systems in Bergen municipality. Around a month later, on 29 April 2019, the Norwegian Data Protection Authority gave Oslo municipality notice of its intention to fine the municipality NOK 2 m due to a security gap in a mobile application called “Skolemelding” (in English: “School message”).
Following the fines, the Norwegian Data Protection Authority expressed concern regarding the handling of personal data and information security in municipalities and schools across Norway. Aggravating circumstances in both cases were the fact that special categories of personal data regarding children were accessed and that it was predominantly the media – not the municipalities – that informed the authority of the breaches. In our view, the fines would likely have been higher had they been imposed on commercial actors instead of a municipality. Read our previous commentary regarding these two cases here and here.
The CNIL fines Google EUR 50 m for lacking transparency and invalid consent
A noteworthy case from European regulators is the CNIL-Google case. Complaints from several interest groups led the French supervisory authority to impose a fine of EUR 50 m due to lack of information and invalid consent when registering a Google account on Android mobile devices. CNIL stated that information and settings for personalised ads were not easily accessible, and also concluded that pre-ticked boxes for personalised ads and a general consent to the Privacy Policy did not fulfil the GDPR requirements for unambiguous and specific consent. The case shows that it is of utmost importance to fulfil the requirements relating to, inter alia, information, unambiguity and affirmative action when choosing consent as a legal basis, as well as making the consent specific to the different purposes of processing personal data. Read more here.
ICO’s intention to fine British Airways 1.5% of annual revenue
In July, the ICO notified British Airways of its intention to fine the airline £183 m in relation to a cyber incident on the company’s website. According to the ICO, personal information such as names, addresses and financial information about approximately 500,000 customers may have been compromised. Read more here.
CJEU Fashion ID case: Joint controllership for Facebook like buttons
The Court of Justice of the European Union (CJEU) concluded on 20 July 2019 that website operators can be deemed joint controllers under the GDPR together with social media providers when using plug-ins such as Facebook Like buttons. This judgment, read in conjunction with similar cases in recent years, indicates that a joint controller situation may be inevitable in some cases where the activities of businesses are closely linked. Read more about the case here, and our article on the shifting roles of controllers and processors here.
Planet49, ePrivacy and the Norwegian requirements regarding cookies
October brought new life to the cookie debate with the Planet49 case. The CJEU started the month by giving an interpretation of the requirements of the ePrivacy Directive for using cookies for personalised ads. The court shed light on the requirements regarding active action (a pre-ticked box is not sufficient), specific consent (clicking a general button for participation in a lottery does not fulfil the requirement) and information (which must include information about who has access to the cookies and the retention period for the cookies).
The Planet49 case led the Norwegian Communication Authority (NCA) to update its cookie guidance. The NCA states that it is in dialogue with the ministry regarding the need to amend the eCom Act. The updated NCA guidance confirms what is clearly set out in the preparatory works for the eCom Act: consent for cookies can still be obtained through browser cookie settings. However, the updated guidance also states that if the cookies involve processing of personal data, the GDPR applies to the processing of such data. Unfortunately, the NCA fails to clarify whether it is referring to further processing of personal data collected through cookies, or whether all cookies involving personal data must comply with the general data protection rules.
It is no secret that the Norwegian interpretation of the cookie rules is not aligned with that of the majority of EU countries or with the Planet49 case. It is therefore expected that revisions will come in the future. Ideally, the legislator should wait for the much-anticipated ePrivacy Regulation. As the draft ePrivacy Regulation was recently rejected, however, the legislator may amend the law before the EU manages to agree on a new Regulation.
What is next for 2020?
In addition to cases triggered by security incidents and complaints, we believe that 2020 will bring more inspections and controls initiated by the supervisory authorities. The GDPR has been in force for almost two years. Going forward, both private and public entities will have little possibility to blame a lack of compliance on the element of surprise. Supervisory authorities, including the Norwegian Data Protection Authority, are expected to assess entities’ internal guidelines and routines, transfer mechanisms and other compliance measures in the year to come. With this in mind, it is important that entities not only draft the documentation required by the GDPR – they must also implement their routines and guidelines throughout their business. This includes training personnel, as well as following up on data processors’ and business partners’ compliance.
We also see that data privacy and compliance are receiving heightened focus in M&A processes. Buyers are looking for apparent target risks, especially when it comes to the legality of the business model and the level of potential fines from supervisory authorities. Uncovering non-compliance with the GDPR through a due diligence may result in a price reduction, or an unwillingness to buy the target company. This may be an incentive for entities to invest human and capital resources in data privacy in 2020.
2020 will also bring clarifications with regard to the transfer mechanisms available under the GDPR. In July 2019, the CJEU in Luxembourg assessed whether the EU-U.S. Privacy Shield and the EU Standard Contractual Clauses for the transfer of personal data provide sufficient protection for transfers of personal data outside the European Economic Area (EEA). The Advocate General’s Opinion of 19 December 2019 found the Standard Contractual Clauses to be valid.
Although not legally binding, the opinion of the Advocate General is highly influential. The court is likely to issue its decision in the first half of 2020. An invalidation of these transfer mechanisms might have a great impact on the many undertakings that transfer personal data to business partners and vendors outside the EEA. Undertakings that transfer personal data should pay close attention to these developments, and should consider whether it is possible to establish transfer mechanisms that will limit the consequences of an invalidation of the Privacy Shield and the EU Standard Contractual Clauses.
This article is part of a series of articles where the different practice groups in SVW will summarize the most important regulatory happenings in Norway in 2019.