GDPR on Trial: first decisions

Mira Nova
8 min read · Jul 3, 2018

Finally, the day arrived and the General Data Protection Regulation is now in place. In the first month of operation, some curious GDPR-related practices evolved and serious consequences of the new privacy legislation started coming to the surface.

People vs. Google, Amazon, Facebook, Apple, LinkedIn, et al.

‘Deceived by Design’ study by NCC

Immediately, on the first day of GDPR, Google and Facebook were confronted with four claims relating to their ‘take it or leave it’ approach to consent for the use of their users’ personal data.

Max Schrems and the None of Your Business organisation filed complaints against Facebook in Belgium, Germany, Austria, and against Google in France. Schrems claimed a rough total of 7 billion Euro on behalf of unnamed users of Facebook, Instagram, WhatsApp and Android.

Schrems and NOYB argue that making users agree to the privacy settings without providing a real choice as to how their personal data is used by these applications represents ‘forced consent’ and is in clear violation of the new European personal data protection legislation.

Some days later, a French activist group, La Quadrature du Net, filed complaints against a broader circle of companies on behalf of 12.000 individuals with CNIL (the French data protection authority). Naturally, Google’s Gmail, YouTube and Search, as well as Facebook, became subject to proceedings in France. The group also targeted Apple (iOS), Amazon and LinkedIn. The basis for the filed complaints is also ‘forced consent’. It was disclosed that the group plans to launch procedures against WhatsApp, Instagram, Android, Outlook and Skype in the future.

A recent study by the Norwegian Consumer Council titled ‘Deceived by Design’ looked closely at the practices of Google, Facebook and Microsoft regarding the private information of their users. Google and Facebook specifically and, to a lesser extent, Microsoft offer privacy-unfriendly settings by default. At the same time, they make it difficult to access privacy-friendly settings by requiring users to actively look for these options through several layers of the privacy-dedicated websites.

NCC concludes that none of Google, Facebook or Microsoft tries to comply with GDPR, because the nudging tactics employed by these companies (and many others too) go against the ‘privacy by default’ and ‘privacy by design’ principles.

European authorities issue their first GDPR-based decisions

CJEU Case C‑210/16, 5 June 2018

Meanwhile, the first cases interpreting the GDPR provisions started to appear. The highest number of cases, currently three, comes from Germany. Several provisions were tested in these recent weeks. Below are summaries of these decisions with links to the full texts of these rulings.

* data minimisation

The Regional Court in Bonn was the first to issue an official GDPR interpretation. ICANN sued EPAG, a German-based ICANN-accredited registrar, for its refusal to collect administrative and technical contact information upon new domain name registrations. Such data can usually be found in the WHOIS directory.

For a long time, WHOIS and ICANN were criticised for the risk of exposing personal data stored in the database to various malicious attacks. Identity theft is one frequent example of such risk. EPAG argued that, based on the ‘data minimisation’ principle embodied in the GDPR, it can only collect the domain name registrant’s data.

The court supported the view of EPAG, ruling that ICANN could not credibly show the necessity to collect admin and technical contact information. The domain registrant’s personal data is sufficient for ICANN’s purposes, especially in relation to criminal offences, security breaches or other infringements. ICANN filed an appeal to the higher court.

* data controllers

The Court of Justice of the European Union concluded that an administrator of a Facebook page shares responsibility with Facebook for protecting the personal data of the Facebook page’s visitors.

The CJEU case originated from the claim of the Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany. It ordered a German education company (Wirtschaftsakademie Schleswig-Holstein GmbH) to deactivate its Facebook page because it, without explicit user consent, accessed and stored cookies from visitors’ hard drives to collect personal data.

The education service provider argued that ‘Facebook alone decided on the purpose and means of collecting and processing personal data used for the Facebook Insights function, Wirtschaftsakademie receiving only anonymised statistical information.’

The court did not agree. Creating a Facebook page requires page administrators to define the parameters of the page depending on the target audience, objectives and promotion of the page.

Facebook page admins can actively set filters that request processing of demographic data, trends relating to age, sex, relationship and occupation, information on lifestyles, online purchasing habits and other data.

Although Facebook eventually transmits only anonymous data to page admins, the Facebook page operators set these filters, so they must be categorised as data controllers ‘responsible for that processing within the European Union, jointly with Facebook Ireland.’

Although the origins of this case predate GDPR, the decision of the CJEU is dictated by the provisions of the new legislation. It distinguishes between data processors and controllers, drawing specific attention to the responsibility of both.

* privacy vs. public interest

The Higher Regional Court in Cologne looked at the German Art Copyright Law (Kunsturhebergesetz, or KUG). It tested whether the KUG’s application is affected by the GDPR. The underlying dispute seems to be connected to a TV programme in which an individual was shown without consent. The case ended up in the regional court first and was then appealed to the higher court.

Both courts, regional and higher regional, ruled that KUG is applicable as a sector-specific regulation. It contains provisions that determine a so-called ‘media privilege’, meaning that photographers or videographers do not need to obtain explicit consent at a recorded public event if the recording is then disclosed as part of a journalistic assignment or to serve the public interest.

In the meantime, it is still not clear how GDPR would affect commercial image making outside the sphere of public interest or journalism. After all, KUG regulates only the publication of images, not the collection of data (i.e. the images themselves).

* right to access information

The most recent decision was issued by the Austrian data protection authority a few days ago. It ordered Austrian banks to provide historical account information to their users for free.

An individual wanted to access his bank account statements for the period of the last five years. Since the statements could not be downloaded online, he asked the bank to provide them in person. The bank demanded a fee in the amount of 30 Euro for each year of the statements.

The account holder then sent the bank a formal request to access information based on GDPR Article 15 (right to access). The bank did not respond.

The Austrian data protection authority found that the bank was in violation of GDPR and ordered it to provide the requested information within two weeks from the date of the decision and for free.

* fines

In November and December 2014, Yahoo! came under a cyber-attack which resulted in the exfiltration of approximately 500 million user accounts worldwide. The compromised personal data included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, even security questions and answers, both encrypted and unencrypted. The data breach was publicly announced only two years later, in 2016.

The investigation by the UK Information Commissioner’s Office found Yahoo! UK Services Ltd. responsible as a data controller. ICO confirmed that Yahoo! UK Services failed, for a long period of time, not only to take appropriate measures to protect data and ensure that its processor in the U.S. (Yahoo! Inc.) complied with data protection standards, but also to ensure appropriate monitoring to protect the credentials of its employees with access to the customer data.

This June, ICO issued a Monetary Penalty Notice against Yahoo! UK Services, ordering it to pay a fine of 200.000 UK Pounds.

This is a cautionary example. The Yahoo! cyber-attack happened before GDPR was in place. The maximum penalty to be awarded under the UK legislation of the time was 500.000 UK Pounds. Nowadays the penalty for this type of breach will no doubt be much higher.

More claims for GDPR breach are to be expected

James Dipple-Johnstone, ICO Deputy Commissioner of Operations, ico.org.uk

Media groups, online and offline retailers, technology companies and banks receive the highest number of GDPR-related requests because of the large amounts of information they hold on their users.

Many such companies, on receiving data subjects’ requests, choose to postpone the reply for 30 days for various reasons. They can do so under GDPR provisions. However, as such requests pile up unaddressed, it is likely that numerous complaints requesting these companies to comply will start flooding the data protection authorities all over the EU.

Several law firms based in Germany are reported to be sending targeted warnings to small and medium-sized businesses about breaches of GDPR. The letters demand payments for settlement of these claims. The grounds for the claims vary, from a missing SSL certificate on a website to collisions with European competition law. It is difficult to estimate how many warnings were received in general.

More information about the reported occasions may be found here and here. It is clear though that threatening warnings sent to various businesses by professional complainers are an established practice in Germany and are likely to continue.

In the wake of the FIFA World Cup, the Spanish Football League was discovered to be listening in on its users’ surroundings. Most of the football fans in Spain have the SFL mobile application installed on their phones. The app, upon users’ consent, activates the microphone. This hidden function is reported to detect bars and restaurants that broadcast football games without the appropriate license.

The major question of a potential claim in the case against the SFL could be whether or not scouting for bars that broadcast football without a license is a lawful basis that does not require specific and independent data subject consent. Similar cases involving virtual assistants like Siri and Alexa may follow sooner than expected.

German publishing giant Axel Springer continues, through some of its media companies, to use targeted ads without requesting specific user consent. News website Bild is one such example, where targeted ads are claimed to be based on legitimate business interest.

Although some regulators indicated that fraud prevention and marketing may be considered a “legitimate” business interest, the issue is open and the European courts will most likely have a chance to comment on it in the near future.

Mira Nova

Digital law researcher, consultant & connecter. All words and opinions are my own.