
InfoBytes Blog

Financial Services Law Insights and Observations


  • Irish DPC fines global social media company €265 million over data scraping claims

    Privacy, Cyber Risk & Data Security

    On November 28, the Irish Data Protection Commission (DPC) announced the conclusion of a “data scraping” inquiry into the practices of a global social media company’s European operations. The inquiry, which included cooperation from all of the other data protection supervisory authorities in the EU, was commenced in April 2021 following media reports that personal data for which the company was responsible was available on the internet. According to the DPC, the inquiry focused on questions related to the company’s compliance with the GDPR’s obligation for “Data Protection by Design and Default.” Specifically, the DPC “examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept).” The decision, adopted on November 25, and agreed upon by all the other EU supervisory authorities, found that the company violated Articles 25(1) and 25(2) of the GDPR. The decision imposes a reprimand and requires the company to bring its processing into compliance by implementing several specific remedial actions within a particular timeframe. In addition, the company must pay an administrative fine of €265 million.

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons GDPR Data Scraping Enforcement EU

  • ECJ invalidates AML directive granting public access to beneficial ownership information

    Privacy, Cyber Risk & Data Security

    On November 22, the European Court of Justice (ECJ) announced a ruling invalidating a provision of the 2018 amended EU anti-money laundering directive that guaranteed public access to the beneficial ownership information of legal entities incorporated within member states. The case was referred to the ECJ by a Luxembourg court following two actions that disputed the compatibility of this directive with the beneficial owners’ fundamental right to privacy. The ECJ was asked to issue a preliminary ruling on a series of questions concerning the interpretation of “exceptional circumstances” and “disproportionate risk,” as well as the directive’s compatibility with the Charter of Fundamental Rights of the European Union (Charter) and the GDPR. Under the directive, member states are required to enter and maintain beneficial ownership information in registers that are accessible to the general public. The directive is intended to prevent the financial system from being exploited for the purposes of money laundering or terrorist financing, and requires, with limited exemptions, that member states provide information on “the beneficial owner’s name, month and year of birth, nationality and country of residence, as well as the nature and extent of his or her beneficial interests.”

    In its announcement, the ECJ said that public access to beneficial ownership information “constitutes a serious interference with the fundamental rights to respect for private life and the protection of personal data” provided in Articles 7 and 8 of the Charter. “[T]he potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated,” the ECJ wrote in the judgment, adding that “in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.”

    While the ECJ found that, by the measure at issue, the EU legislature is pursuing “an objective of general interest capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter, and that the general public’s access to information on beneficial ownership is appropriate for contributing to the attainment of that objective,” the “interference entailed by that measure is neither limited to what is strictly necessary nor proportionate to the objective pursued.” Additionally, the ECJ held that the amended “directive amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter” without being offset by any benefits that may result from the amended directive as compared to the previous version in terms of combating money laundering and terrorist financing. However, the ECJ did recognize that civil society and the press have a legitimate interest in accessing such information, given their role in the fight against money laundering.

    Privacy, Cyber Risk & Data Security Courts Financial Crimes Of Interest to Non-US Persons Anti-Money Laundering GDPR Beneficial Ownership EU

  • EU Court of Justice says controllers of personal data must take reasonable steps to inform third parties when consumer consent is withdrawn

    Privacy, Cyber Risk & Data Security

    On October 27, the European Court of Justice (ECJ) held that controllers of personal data must take reasonable steps to inform other controllers when a data subject withdraws consent. The decision stems from a request made by a subscriber to a Belgian telecommunications provider to not have his information included in the public telephone directories and directory inquiry services published by the company and other third parties. The controller pulled the subscriber’s information from the public record, but re-added the information to the directories after it received an update to the subscriber’s data that was not noted as being confidential. The subscriber submitted multiple requests for his data to be removed and submitted a complaint with the Belgian Data Protection Authority. The Data Protection Authority ordered the company to take remedial action and fined it €20,000 for infringing several provisions of the General Data Protection Regulation (GDPR). The controller appealed, “arguing that the consent of the subscriber is not required for the purposes of the publication of his or her personal data in the telephone directories, rather the subscribers must themselves request not to be included in those directories under an ‘opt-out’ system. In the absence of such a request, the subscriber concerned may in fact be included in those directories.” The Data Protection Authority contended, however, that the privacy and electronic communications directive “requires the ‘consent of subscribers’ within the meaning of the GDPR in order for the providers of directories to be able to process and pass on their personal data.”

    The Brussels Court of Appeal referred questions to the ECJ for a preliminary ruling after determining that there are no specific rules “concerning the withdrawal by a subscriber of his or her statement of wishes or of that ‘consent.’” The ECJ determined that controllers of personal data must get consumers’ informed consent before publishing their information in a public directory. Further, the ECJ determined that such consent can be extended to any subsequent processing of data by third parties, provided the data is processed for the same purpose to which the consumer consented. However, consumers can withdraw consent at any time, and controllers are required to make reasonable efforts to notify third parties, including search engine providers, that are making use of that subscriber’s information of the withdrawal. Notably, the ECJ concluded that if various controllers rely on the single consent of a data subject, “it is sufficient, in order for that person to withdraw such consent, that he or she contacts any one of the controllers.”

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons EU Courts GDPR Enforcement Consumer Protection

  • France fines facial recognition company €20 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On October 20, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €20 million penalty against a facial recognition company for violating the EU’s General Data Protection Regulation (GDPR). In 2020, CNIL opened an investigation after receiving complaints from individuals about the company’s facial recognition software. CNIL stated in its announcement that it cooperated with its European counterparts to share the results of the investigations, as each authority is permitted to act on its own territory since the company has no establishment in Europe. The investigations identified several violations of the GDPR, including that the company allegedly unlawfully processed personal biometric data without a legal basis (a breach of article 6 of the GDPR), and failed to take into account an individual’s rights in an “effective and satisfactory way”—particularly with respect to requests for access to their data (a breach of articles 12, 15 and 17 of the GDPR). A formal notice was issued to the company last year requiring it to stop collecting and using data belonging to persons on French territory without a legal basis. The company was also ordered to “facilitate the exercise of individuals’ rights and to comply with requests for erasure.” CNIL contended that after the company failed to respond to the formal notice, it referred the matter to a restricted committee for sanctions.

    The restricted committee imposed the maximum financial penalty (€20 million) under article 83 of the GDPR, and ordered the company “to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months.” Failure to comply within this time frame will result in a €100,000 penalty per day of delay. The restricted committee also cited the company for breaching its obligation to cooperate with CNIL.

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons France Enforcement GDPR EU

  • UK Information Commissioner fines company £4.4 million for data breach

    Privacy, Cyber Risk & Data Security

    On October 24, the UK Information Commissioner fined a construction company £4.4 million for a data breach that allegedly allowed hackers to access thousands of employees’ personal data. According to the monetary penalty notice, the company failed to process personal data in a manner that ensured the appropriate security of individuals’ personal data as required by Article 5(1)(f) and Article 32 of the EU’s General Data Protection Regulation. This includes protecting against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures, the regulator said. As a result of insufficient security measures, the company was exposed to a cyber-attack that affected the personal data of up to 113,000 company employees, including personal information such as phone numbers, email addresses, national insurance numbers, and bank account details, among others. An investigation found that the company allegedly failed to follow up on a suspicious activity alert, used outdated software systems and protocols, lacked adequate staff training, and performed insufficient risk assessments. The regulator warned companies that “[t]he biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.” The regulator further stressed that failure to regularly monitor for suspicious activity, act on warnings, update software, or provide training may expose other companies to a similar fine.

    Privacy, Cyber Risk & Data Security Enforcement Of Interest to Non-US Persons UK GDPR Data Breach

  • Biden issues executive order on EU-U.S. privacy shield replacement

    Privacy, Cyber Risk & Data Security

    On October 7, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to address the facilitation of transatlantic data flows between the EU and the U.S. The E.O. outlines commitments the U.S. will take under the EU-U.S. Data Privacy Framework, which was announced in March as a replacement for the invalidated EU-U.S. Privacy Shield. As previously covered by InfoBytes, the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR.

    Among other things, the E.O. bolsters privacy and civil liberty safeguards for U.S. signals intelligence-gathering activities, and establishes an “independent and binding mechanism” to enable “qualifying states and regional economic integration organizations, as designated under the E.O., to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law.” Specifically, the E.O. (i) creates further safeguards for how the U.S. signals intelligence community conducts data transfers; (ii) establishes requirements for handling personal information collected through signals intelligence activities and “extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance”; (iii) requires the U.S. signals intelligence community to make sure policies and procedures reflect the E.O.’s new privacy and civil liberty safeguards; (iv) establishes a multi-layer review and redress mechanism, under which the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) is granted the authority to investigate complaints of improper collection and handling of personal data and may issue binding decisions on whether improper conduct occurred and what the appropriate remediation should be; (v) directs the U.S. attorney general to establish a Data Protection Review Court (DPRC) to independently review CLPO decisions, thereby serving as the second level of the E.O.’s redress mechanism (see DOJ announcement here); and (vi) calls on the Privacy and Civil Liberties Oversight Board to review U.S. signals intelligence community policies and procedures to ensure they are consistent with the E.O.

    Privacy, Cyber Risk & Data Security Federal Issues Biden EU Consumer Protection EU-US Privacy Shield Of Interest to Non-US Persons GDPR EU-US Data Privacy Framework

  • EU Court of Justice rules consumer protection agencies can sue companies for GDPR violations

    Privacy, Cyber Risk & Data Security

    On April 28, the Court of Justice of the European Union (CJEU) issued an opinion concluding that consumer protection associations are permitted to bring representative actions against infringements of personal data protection “independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect.” According to the judgment, Germany’s Federal Union of Consumer Organisations and Associations brought an action for an injunction against a global social media company’s Ireland division for allegedly infringing General Data Protection Regulation (GDPR) rules governing the protection of personal data, the combating of unfair commercial practices, and consumer protection when offering users free games provided by third parties. Germany’s Federal Court of Justice called into question whether a consumer protection association has standing to bring proceedings in the civil courts against infringements of the GDPR without obtaining a mandate from users whose data was misused. Germany’s Federal Court of Justice also observed that the GDPR could be read to mean that “it is principally for the supervisory authorities to verify the application of the provisions of that regulation.”

    In its ruling, CJEU concluded that consumer protection associations in the EU can bring representative actions against the social media company for alleged violations of the GDPR, writing that the GDPR “does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data . . . where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.” Permitting associations to bring representative actions is “consistent with the objective pursued by the GDPR . . . in particular, ensuring a high level of protection of personal data,” CJEU stated.

    Privacy/Cyber Risk & Data Security Courts Germany EU Of Interest to Non-US Persons GDPR Consumer Protection

  • EU and U.S. agree in principle on new Trans-Atlantic Data Privacy Framework

    Privacy, Cyber Risk & Data Security

    On March 25, the U.S. and the European Commission announced their agreement in principle on a new Trans-Atlantic Data Privacy Framework (Framework) to foster cross-border transfers of personal data from the EU to the U.S. (See also White House and European Commission fact sheets here and here.) Under the Framework, the U.S. has committed to implementing reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement follows negotiations that began after the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.

    As previously covered by InfoBytes, the CJEU’s ruling (which could not be appealed) concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. However, the Court invalidated the EU-U.S. Privacy Shield. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR. Specifically, the CJEU held that the surveillance programs used by U.S. authorities are not proportionally equivalent to those allowed under the EU law because they are not “limited to what is strictly necessary,” nor, under certain surveillance programs, does the U.S. “grant data subjects actionable rights before the courts against the U.S. authorities.” 

    According to the factsheet released by the White House, the U.S. has made “unprecedented commitments” that build on the safeguards that were in place under the annulled EU-U.S. Privacy Shield with the goal of addressing issues identified in the Schrems II decision. These commitments include (i) strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities through measures that would limit U.S. intelligence authorities’ data collection to what is necessary to advance legitimate national security objectives; (ii) establishing a new, multi-layered redress mechanism with independent and binding authority “consist[ing] of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures, as needed”; and (iii) enhancing the U.S.’s existing rigorous and layered oversight of signals intelligence activities, and requiring U.S. intelligence agencies to “adopt procedures to ensure effective oversight of new privacy and civil liberties standards.” The factsheet further stated that participating companies and organizations will continue to be required to adhere to the EU-U.S. Privacy Shield principles, including the requirement of self-certification through the U.S. Department of Commerce. EU individuals will also continue to have access to avenues of recourse to resolve complaints against businesses and organizations participating in the Framework, including through alternative dispute resolution and binding arbitration.

    The White House stated that President Biden will issue an executive order outlining the aforementioned commitments “that will form the basis of the Commission’s assessment in its future adequacy decision.” According to the announcement, the U.S. and European Commission “will now continue their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new Trans-Atlantic Data Privacy Framework.”

    Privacy/Cyber Risk & Data Security Consumer Protection EU EU-US Privacy Shield GDPR Of Interest to Non-US Persons

  • Irish DPC fines global social media company €17 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On March 15, the Irish Data Protection Commission (DPC) adopted a decision fining a global social media company €17 million (approximately $18.6 million) after finding that the company failed to prevent a series of data breaches in 2018. The DPC conducted an inquiry into a series of 12 data breach notifications it received between June 7, 2018 and December 4, 2018, to examine the extent that the company complied with GDPR requirements related to the processing of personal data. Following the inquiry, the DPC found that the company violated GDPR Articles 5(2) and 24(1) by failing “to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.” Article 5 outlines principles related to the processing of personal data and requires companies to ensure that EU residents’ personal data is processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” Article 24(1) requires controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR. The DPC noted that because the processing under examination constituted “cross-border” processing, the “decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.” 

    Privacy/Cyber Risk & Data Security Of Interest to Non-US Persons Enforcement EU Data Breach GDPR

  • Irish DPC releases annual report

    Privacy, Cyber Risk & Data Security

    On February 24, the Irish Data Protection Commission (DPC) released its 2021 Annual Report. According to the report, the EU’s General Data Protection Regulation (GDPR) enforcement efforts have gained “significant momentum” by, among other things: (i) “resolving thousands of complaints”; (ii) “processing thousands more data breach notifications”; (iii) “imposing fines and corrective measures”; (iv) “auditing the gamut of Irish political parties”; and (v) “settling its enforcement action in relation to certain processing elements of the Public Services Card on terms protective of the data rights of citizens generally.” Among other things, the report discussed new data regulation regimes, such as the Digital Markets Act, the E-Privacy Regulation, and the Artificial Intelligence Act, “which demonstrate that the GDPR was never going to resolve all data issues in one single legislative instrument.” The report also outlined the DPC’s regulatory strategy for the next five years, which it released in December and which includes a focus on mounting “targeted actions aimed at ensuring children and more vulnerable internet users are protected in personal data terms—without shutting off their access.”

    Privacy/Cyber Risk & Data Security GDPR Ireland Of Interest to Non-US Persons
