Year in review 2021: Data Protection (GDPR)
Record number of fines in 2021
At European level, a record number of fines were issued during 2021 for violations of the EU General Data Protection Regulation (GDPR). Since the GDPR entered into force in the EU on 25 May 2018, the supervisory authorities have imposed or notified fines in approx. 900 cases, with an accumulated amount of approx. EUR 1.3 billion. As many as 500 of these cases are from 2021, with accumulated fines of as much as EUR 1.1 billion, including a notified fine of EUR 746 million to Amazon (Luxembourg) and EUR 225 million to WhatsApp (Ireland). The Norwegian Data Protection Authority also imposed a historically high infringement fee in 2021: a fine of NOK 65 million issued to the dating app Grindr for lack of valid consent for sharing personal data with third parties for marketing purposes.
Cyber-attacks and leakage of personal data
Another notable case from 2021 is the Data Protection Authority’s notification to Østre Toten Municipality of an infringement fee of as much as NOK 4 million. The case concerned the extensive ransomware attack that hit the municipality earlier in the year. The fee is significant for a municipality with only 15,000 inhabitants and comes in addition to the large costs the municipality faced in recovering and rebuilding its IT infrastructure. The Norwegian Data Protection Authority justifies the strict sanction on the grounds that it identified fundamental flaws in the municipality’s information security work.
In 2021, the Norwegian Parliament (Stortinget) was also hit by another cyber-attack, and at the end of the year Nordic Choice Hotels was exposed to a ransomware attack in which the attackers threatened to publish personal information. The use of personal data as additional leverage in cyber-attacks appears to be a new and worrying trend. According to the latest trend report from the European Network and Information Security Council (ENISA), threats related to leakage of data in connection with cyber-attacks have increased from 8.7% in 2020 to 81% in 2021 (Q2). The National Security Authority (NSM) has also recently warned Norwegian companies about the increased risk of cyber-attacks during the Christmas holidays and calls for increased preparedness. It is important to note that the GDPR requires all companies to carry out risk assessments and to ensure that appropriate technical and organisational security measures are in place in light of the identified risk.
Principal clarification regarding sharing of user experiences online
In December, the Norwegian Supreme Court gave its ruling in the so-called «doctor list case». The Supreme Court upheld the Court of Appeal’s conclusion that doctors, chiropractors, dentists and other health workers must tolerate the sharing of negative user reviews on www.legelisten.no. The Norwegian Medical Association (NMA), which was the plaintiff in the case, argued that the sharing of critical reviews on the website conflicted with general privacy rights. The NMA pointed out, among other things, that inadequate use of privacy-enhancing technology and the use of search engines led to the distribution of personal data on a scale beyond what was necessary. The Supreme Court did not agree and stated that the general right to freedom of expression and the public’s need for information weigh heavily in such cases. The verdict is based on a concrete assessment, but still indicates the threshold for the right to share online user reviews of professional services.
Updated Schrems II guidelines and new EU standard contractual clauses for the transfer of personal data
In June, the European Data Protection Board (EDPB) issued updated Schrems II guidelines on how companies should make documented assessments when personal data is transferred to recipients in countries outside the EEA («third countries»). The EDPB largely maintains the 6-step approach, but gives companies somewhat more room for manoeuvre to take into account the supplier’s documented experience with orders from third country authorities. It is also worth noting that the Norwegian Data Protection Authority, when updating its guidelines in September and November, set out special requirements, not covered by the EDPB’s guidelines, for the processing of personal data within the EEA where the supplier is subject to third country surveillance legislation. In section 7 of its guide, the Authority addresses the situation where the supplier has made a reservation about disclosing personal data if it receives legally binding orders from third country authorities. In such cases, the Authority is of the opinion that the customer must assess whether there is a legal basis for disclosing the data to the supplier, since the supplier may be considered a controller for the processing of personal data carried out to fulfil orders from third country authorities. Exceptions apply if measures are in place that prevent the supplier from exercising meaningful control over the data.
The new EU standard contractual clauses for transfers to third countries adopted by the EU Commission are also noteworthy. The standard clauses consist of four modules covering different transfer situations and must be used for all agreements entered into after 27 September 2021. Transfer agreements based on the old standard contractual clauses entered into before this date remain valid until 27 December 2022. Note that it follows from the new standard contractual clauses that the parties must document their assessment that there is no reason to believe the importer is prevented from complying with the clauses, cf. the requirement for assessment in the EDPB’s guidance mentioned above.
In addition, the EDPB has recently published for consultation a guideline which clarifies what is meant by a transfer. According to the draft guideline, three conditions must be met for a transfer to take place:
- A data controller or data processor is subject to the GDPR for a specific processing of personal data.
- This company (data exporter) makes available or sends the relevant personal data to another data controller, joint data controller or data processor (data importer).
- The data importer is in a country outside the EEA or is an international organization.
According to the EDPB, it will not be considered a transfer of personal data to third countries when employees in an EEA-based company have remote access to the company’s personal data as part of a business trip outside the EEA. Further, the EDPB considers that the collection of personal data directly from persons in the EEA, on the person’s own initiative, does not constitute a transfer. A practical example is if private individuals in connection with online orders provide their contact information to a company outside the EEA.
What can be expected in 2022?
While many of the international cloud providers are constantly adapting their solutions to ensure that personal data is adequately protected in compliance with the GDPR, it is expected that we will soon see the results of the negotiations that have taken place between European and US authorities since the European Court of Justice invalidated the Privacy Shield in June 2020. There seems to be an obvious need for a political clarification that ensures the protection of personal data transferred to the US. Nevertheless, it remains to be seen whether a new agreement will suffer the same fate as the Privacy Shield and, before that, Safe Harbor.
In any case, we consider that the demanding work of assessing and documenting legitimate third country transfers will continue throughout 2022. In particular, the focus should be on ensuring that new EU standard contractual clauses are executed with data importers well before Christmas 2022.