Data Protection update - June 2020
Welcome to our data protection bulletin, covering the key developments in data protection law from June 2020.
- Track and Trace apps across the EU continue to face issues in the early stages of roll-out
- Derogations can be used to allow international Covid-19 transfers
- ICO provides updated data protection advice for coronavirus recovery phase and security checklists for working from home
- EDPB warns against EU governments using a state of emergency to justify unlimited suspension of data protection rights
- Businesses instructed to record customer information in next phase of lockdown raises privacy concerns
- Privacy International urges European Commission to block Fitbit acquisition
- High Court clarifies that including information in a letter amounts to processing data
- DIFC adopts new data protection law
- EDPB concerned about UK’s data sharing agreement with the US as it could impact adequacy decision
- France's highest administrative Court upholds EUR 50 million fine against Google
- Swedish regulator argues against Google's appeal of the USD 8 million fine
- Irish DPC provides updates on compliance matters
- German Federal Court refers case against Facebook to CJEU
- Finnish Data Protection Ombudsman issued first four GDPR fines
- Lithuanian and Dutch data protection agencies warn on biometric data processing
- Twitter fined EUR 30,000 for online-cookie breach
- Belgian Data Protection Authority issued fines for GDPR breaches
- Class action lawsuit filed against Google in the USA
- Stay on proceedings in First Tier Tribunal (Information Rights) expires
Track and Trace apps across the EU continue to face issues in the early stages of roll-out
After weeks of unexplained delays, the UK government announced on 18 June 2020 that it was scrapping its original plan to develop a centralised app and would instead adopt a decentralised approach designed by Apple and Google, which has been adopted by several countries including Germany, Italy and Denmark. This announcement comes following reports of a complaint from the Open Rights Group, a UK-based digital campaigning organisation, to the ICO alleging that the original design of the app breached the GDPR, in particular that the 20-year data retention period is excessive and that the privacy notice is "flawed". The new decentralised app will store the data on an individual’s phone, giving users more control over the information than the centralised approach. You can read more about the two different approaches in our May update.
So why the sudden U-turn? Officials working on the app admitted that the NHSX app was only recognising 4% of Apple phones and 75% of Google Android devices during the testing phase on the Isle of Wight. This was due to the design of Apple’s iPhone operating system, which puts apps into “sleep mode” when they are not being used, so that they cannot be activated by Bluetooth (the technology used to determine proximity). Despite repeated affirmations from the government over the past few months that the centralised app would be ready at the end of May and was going to be one of the vital components in the fight against Covid-19, it was announced this month that the new app is unlikely to be ready until the autumn and that the Apple-Google alternative had been under consideration from as early as 6 May 2020. Privacy advocates scrutinised the centralised approach for its heightened risk of privacy invasion, so it will be interesting to see the reaction to the Apple and Google design, as well as how its privacy and security standards compare to those of the centralised model.
The UK is not the only country facing issues with its contact tracing app. Norway reported a suspension of the use of its app after the country’s data protection agency said it was too invasive of privacy, especially taking into account the small number of people using it, which meant the invasion of privacy was disproportionate. Likewise, Germany launched its tracing app this month, which was met with immediate criticism from the country’s Federal Data Protection Commissioner, who said that the requirement for users to call a hotline to confirm a positive Covid-19 test or to request help with using the app compromised anonymity. Meanwhile, the launch of the “StopCovid” app in France has come under investigation by the French data protection authority, which wants to check that the app is compliant with the GDPR in areas such as the procedures for obtaining consent, security of information systems and respect for people’s rights of access or opposition. The app also reported underwhelming figures, with less than 3% of the population downloading it. The report issued by the International Digital Accountability Council, which reviewed 108 Covid-19 mobile apps across 41 countries, found that several apps posed considerable risks to users, explaining that app developers will need to put privacy concerns at “the forefront of their development efforts and embed privacy by design principles where possible”.
As well as the privacy concerns facing contact tracing apps around the world, there continue to be fears around the interoperability of the apps. As the world begins to open up international travel for the summer period, how will each app work with other countries’ apps? This month, Member States agreed on a set of technical specifications (building on the interoperability guidelines published by the eHealth Network, which we reported on in our May update) to ensure a safe exchange of information between national contact tracing apps based on the decentralised model. This technical solution could enable national apps to work seamlessly when users travel to another EU country, provided that country also follows the decentralised approach. It seems countries are making conscious efforts to ensure interoperability, with Germany planning to pilot the interoperability of its “Corona-Warn” app with Ireland, Poland and the Netherlands in the next few weeks to check compatibility. This still leaves those countries which have adopted a centralised approach facing a major problem. Countries such as France and Hungary, which have centralised systems, will not be covered by the technical specifications, and the European Commission has admitted that more work needs to be done in this area.
It goes without saying that contact tracing apps could be key in the fight against coronavirus but as the world begins to return to normality, the pressure and urgency for fully-working, secure and privacy compliant apps is mounting.
Derogations can be used to allow international Covid-19 transfers
As the Covid-19 crisis continues to spread across the world, scientific research is key in the fight against the virus. The scientific research to develop vaccines and identify treatments has inevitably resulted in a significant increase in personal data being collected and/or processed directly for research. As a general rule, personal data should only be transferred outside the EU on the basis of an adequacy decision or on one of the appropriate safeguards (e.g. binding corporate rules or standard contractual clauses) listed in the GDPR. Additional legal derogations under Article 49 of the GDPR (including reliance on explicit consent) may apply, but only in specific circumstances, and they are less commonly relied upon. However, due to the scale and urgency of the pandemic, the EDPB has published guidelines (the “Guidelines”) explaining that private and public entities may rely on the legal derogation for transferring personal data outside the EU where the transfer is necessary for important reasons of public interest. The Guidelines confirm that “the fight against Covid-19 has been recognised by the EU and most of its Member States as an important public interest, which may require urgent action in the field of scientific research (for example to identify treatments and/or develop vaccines), and may also involve transfers to third countries or international organisations.” The Guidelines highlight that this new ability to transfer personal data internationally using this derogation is “mainly a temporary measure due to the urgency of the medical situation globally.”
ICO provides updated data protection advice for coronavirus recovery phase and security checklists for working from home
The ICO continues to update its online coronavirus hub with guidance on how to manage data protection obligations during the pandemic. This month it has published a guidance note on the data protection steps organisations should consider in the next phase of coronavirus as lockdowns ease and businesses reopen. Organisations will inevitably be considering whether and how to monitor the situation as employees return to work and whether this will involve the collection of personal data. The ICO advises the following:
- Only collect and use what’s necessary;
- Keep it to a minimum;
- Be clear, open and honest with staff about their data;
- Treat people fairly;
- Keep information secure; and
- Staff must be able to exercise their information rights.
In addition, the ICO has provided helpful security checklists for employers whose workforce continues to work from home. The checklists provide suggestions on how organisations can ensure IT solutions are being used securely. Despite the easing of lockdown and the move towards some normality, it looks as though working from home may continue to be the norm for many.
EDPB warns against EU governments using a state of emergency to justify unlimited suspension of data protection rights
The EDPB has issued a statement (the “Statement”) following three complaints issued by non-governmental organisations stating that Hungary has violated citizens’ privacy rights as part of its emergency measures to tackle the pandemic. In early May, Hungary suspended Articles 15 to 22 of the GDPR in order to deal with the pandemic. These articles deal with data subjects’ rights of access, rectification, erasure and portability. Whilst the GDPR allows EU member states to pass legislation to restrict obligations on data controllers and suspend data subjects’ rights in order to deal with a health emergency, the restrictions must be “necessary and proportionate” and must respect “the essence of fundamental rights and freedoms.” The Statement stresses the same message we have seen throughout the pandemic that data protection does not impede the fight against Covid-19 and that the GDPR remains applicable and allows for efficient responses to the pandemic. The Statement also explains that even in exceptional times, the protection of personal data must be upheld. This month, Hungary submitted legislation to parliament that would bring an end to the suspension on June 20 but human-rights groups are concerned that this turn of events will make it easier for governments to implement the same kind of restrictions in the future. The EDPB has said it will issue more comprehensive guidelines on the application of the ability to restrict certain rights in the coming months.
Businesses instructed to record customer information in next phase of lockdown raises privacy concerns
On 23 June 2020, the UK government announced that several businesses including bars, restaurants, hotels, hairdressers and churches could reopen from 4 July 2020 after three months of lockdown. The reopening of pubs and restaurants, however, appears to be conditional upon the collecting and recording of customers’ contact details in order to assist with any future test and trace efforts. It is not yet clear whether these safeguards extend to other businesses. Privacy campaigners have raised concerns that businesses have been given no guidance on how to gather and store personal data safely in compliance with data protection laws, while customers lack assurances that their data will be managed safely and securely. One particular concern was the lack of transparency on who data would ultimately be shared with if a customer reported Covid-19 symptoms. A similar system was adopted in New Zealand, which led to privacy law breaches; in one instance a woman left her contact details with a restaurant and fell victim to a number of unwanted messages across her social media platforms from an employee who had misused the data. While there may be less of a concern for businesses which are used to taking online reservations and can therefore process data in line with existing secure systems, there will inevitably be a minefield of data privacy obstacles facing those which are used to operating under a no-reservations, walk-in system.
Privacy International urges European Commission to block Fitbit acquisition
In a press release on 17 June 2020, Privacy International called for the European Commission to block Google's proposed acquisition of Fitbit. According to the UK-based privacy campaign group, Google does not have a "clean record" when it comes to handling personal data. Privacy International pointed to the fines previously imposed on Google by several EU competition authorities (see, for example, the summary below on the French CNIL EUR 50 million fine). Additionally, Privacy International considered that the acquisition will result in Google expanding its market dominance in the collection of personal data.
According to Privacy International, "[i]f the EU approves the deal, then it will be giving a green light to our most intimate data being used for the profit of a tech giant which, in 2018 only, generated more than $80 billion in revenue from delivering targeted advertisements to users."
High Court clarifies that including information in a letter amounts to processing data
In ST (a Child by her Mother and Litigation Friend RF), RF v L Primary School EWHC 1046 (QB), the Claimants (a child with Down's syndrome and her mother) alleged that the Defendant primary school had breached the Data Protection Act 1998 (the "DPA 1998").
Following an incident involving the child Claimant, the headteacher of the Defendant sent a letter to the parents of all the pupils in the Claimant's school year. The contents of this letter included information about the child Claimant's name and Down's syndrome diagnosis.
The High Court held that the mother's consent for the inclusion of the personal data comprised in the letter had not been obtained by the Defendant. Since the typing of the letter "amounted to the processing of data", and the data was processed in a manner that was neither fair, necessary nor lawful, the Defendant had breached the DPA 1998. In addition, the Court also held that the letter amounted to a publication of personal information about the child Claimant to a group of unknown people, in breach of the Claimant's Article 8 right to respect for private and family life under the European Convention on Human Rights.
DIFC adopts new data protection law
The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (the “New DP Law”) will come into effect from 1 July 2020. The New DP Law applies to businesses operating, conducting, or attempting to conduct business in or from the DIFC, whether or not processing takes place in the DIFC. The updates in the New DP Law aim to bring the current 2007 law more in line with the EU GDPR and other international data protection legislative developments. The New DP Law increases privacy compliance obligations, including the requirement to appoint data protection officers, where necessary, and to conduct Data Protection Impact Assessments. Dubai is seeking EU adequacy for data flows and this new law may see those discussions progress further.
In light of Covid-19, businesses subject to the New DP Law are being given a grace period of three months (up to 1 October 2020) to take the necessary steps to ensure compliance. In order to prepare, organisations should begin to look at their current data protection practices and understand the impact of changes to data protection law for them and their business. We have written detailed guidance on how to ensure compliance with the New DP Law here.
Please do get in touch with the Data Protection team if you wish to discuss how we can help you or your business navigate the New DP Law.
EDPB concerned about UK’s data sharing agreement with the US as it could impact adequacy decision
As we start to edge closer to the end of the Brexit transition period, the EDPB has written to Members of the European Parliament this month expressing concern about the UK obtaining adequacy status after it entered into a data-sharing agreement with the U.S. in October 2019 (the “US Agreement”). The US Agreement will allow law enforcement to go directly to tech companies or communication services based in the other country to access electronic data rather than go through governments. It is envisaged that this will allow for more efficient access to data for criminal investigations and prosecutions. The letter states that the EDPB will have to consider the US Agreement in its “overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of “onward transfers” from the UK to another third country.” This is a preliminary assessment from the EDPB but suggests it may have an impact on the ultimate adequacy decision for the UK post-Brexit.
Honda suffers cyber-attack on its global network
Honda announced that a cyber-attack had taken place on the Honda global network earlier this month. It is thought to be a virus which permeated the network in Tokyo and affected the company’s ability to access computer servers, use email and make use of its internal systems. The attack forced the company to suspend its global production, with issues reported in Japan, the US, Turkey, India and Brazil. The company is not aware of any leak of customer or employee information as a result of the attack and has insisted that it sees minimal business impact. It is not yet clear how the criminals infiltrated the network, but it comes at a time when attacks are on the rise as hackers continue to take advantage of the pandemic.
France's highest administrative Court upholds EUR 50 million fine against Google
On 19 June 2020, the Conseil d'État, France's highest administrative Court, dismissed Google's appeal against the EUR 50 million fine imposed on it by the CNIL (France's data protection authority) on 21 January 2019.
The Conseil d'État held that Google had failed to meet the GDPR requirements for clarity and accessibility with regard to information provided to Android users about their data protection options. Further, the Conseil d'État held that Android users did not give well-informed consent to targeted advertising when creating a Google account. This was predominantly because Google's descriptions regarding targeted advertising information were not sufficiently clear and distinct to obtain valid user consent.
Finally, the Conseil d'État stated that the EUR 50 million fine was not disproportionate, given the severity and duration of the breaches. The full judgment can be read here (in French).
This is a significant fine for Google, and a reminder to readers that GDPR compliance should not be seen as a mere "tick box" exercise. Readers must take meaningful measures to obtain consent for data processing.
Swedish regulator argues against Google's appeal of the USD 8 million fine
In March 2020, the Swedish data protection authority fined Google USD 8 million for GDPR breaches concerning its practices relating to the delisting of information from search results at the request of data subjects.
Google has now appealed the decision to the Swedish administrative Court, arguing that the Swedish data protection authority lacked jurisdiction to determine the lawfulness of its activity in this regard, which, Google claims, rests with the Irish Data Protection Commission (the "Irish DPC") given the location of Google’s European headquarters.
The Swedish administrative Court is expected to rule on this matter by March 2021, and its decision will provide important guidance on how the GDPR "one-stop shop" mechanism will be applied by national Courts in the context of cross-border investigations.
Irish DPC provides updates on compliance matters
Various developments in the Irish DPC’s inquiries into "big-tech companies" were announced on 22 May 2020. In particular, the Irish DPC announced that it had completed its inquiry into Twitter. This inquiry was commenced following a data breach notification from Twitter which resulted in some users' protected tweets being made public due to a bug in its Android app in 2019. It is understood that the preliminary decision has been shared with the other national supervisory authorities for their comments.
The Irish DPC had also sent a preliminary draft decision to WhatsApp on its compliance with the GDPR on transparency of information shared with Facebook. WhatsApp will be allowed to make final submissions, which the Irish DPC will take into consideration in preparing its draft decision.
These developments are likely to be welcomed by national data protection agencies across the EU. As many tech companies are headquartered in Ireland, the Irish DPC is increasingly bearing the burden of investigating any data protection breaches committed by these companies.
German Federal Court refers case against Facebook to CJEU
On 28 May 2020, the German Federal Court of Justice referred proceedings brought against Facebook to the Court of Justice of the European Union ("CJEU").
The claim was commenced in 2014 by the German Federation of Consumer Organisations ("VZBZ"), a non-governmental organisation which acts as an umbrella for 42 German consumer associations, against Facebook, under the pre-GDPR German Federal Data Protection Act.
VZBZ alleged that the information provided by Facebook with regards to disclosure of personal data to third parties was not sufficiently clear, and therefore there was no effective consent for Facebook to make the disclosures.
The claim was initially stayed pending the CJEU's decision in the "Facebook Like-Button" case, in which, in July 2019, the CJEU confirmed that VZBZ had a right of action for the period prior to the GDPR. Specifically, the CJEU held that the Data Protection Directive did not prevent enforcement by consumer protection associations.
In May 2020, the Federal Court of Justice referred the matter to the CJEU for guidance on whether VZBZ also has the right of action for the period after the GDPR came into force (as the CJEU's decision in the "Facebook Like-Button" case concerned the Data Protection Directive, the predecessor to the GDPR only).
The CJEU's decision in response to the May 2020 referral will have a significant impact on the right of consumer associations to bring actions for theoretical breaches of the GDPR, where the claim is not brought on the instructions of an affected data subject by reference to a specific infringement.
The judgment can be read here (in German).
Finnish Data Protection Ombudsman issued first four GDPR fines
On 18 May 2020, the Finnish Data Protection Ombudsman issued fines against three companies for breaches of the GDPR. The breaches respectively related to a failure to give sufficient information on data protection rights, neglecting to conduct a data protection impact assessment, and the unnecessary collection of personal data. The fines totalled EUR 122,500.
Additionally, the Ombudsman fined Taksi Helsinki EUR 72,000 on 26 May 2020 for serious deficiencies in data processing. In summer 2019, Taksi Helsinki replaced its camera surveillance system with one which recorded both video and audio, failing to carry out the necessary data protection impact assessment. The Ombudsman also found that Taksi Helsinki had failed to inform customers that it was processing their personal data.
These fines were the first four GDPR-related fines issued by the Finnish Data Protection Ombudsman. It is a sign that GDPR enforcement is accelerating across the EU.
Lithuanian and Dutch data protection agencies warn on biometric data processing
On 29 May 2020, the Lithuanian State Data Protection Inspectorate (the “Inspectorate”) found that three unidentified companies operating sports clubs in Lithuania had breached the GDPR. In particular, these companies were found to have unlawfully processed fingerprints through access control systems used at gym premises and workplaces. The Inspectorate ordered one company to suspend processing customers' fingerprints until it had carried out a data protection impact assessment. The other two companies were ordered to ensure that they had appropriate security measures in place to process the fingerprints. The Inspectorate also required all three companies to ensure that they had obtained customers' consent to process their fingerprints before doing so, and to offer an alternative means of identification.
Separately, on 5 June 2020, the Dutch Data Protection Authority warned the Dutch supermarkets trade association on the use of facial-recognition cameras in stores, and ordered a supermarket which had implemented this technology to stop using it. This follows a further decision of the Dutch Data Protection Authority (as reported in our May 2020 update) by which it fined a Dutch company for unlawfully processing its employees' fingerprints.
Twitter fined EUR 30,000 for online-cookie breach
On 11 June 2020, the AEPD (Spain's data protection authority) ruled that Twitter had breached Spain's 2002 rules on information society services due to its failure to provide adequate information on its use of tracking cookies. In particular, it held that Twitter did not clearly identify that its partners could use the information collected by cookies, and had failed to inform data subjects about how to opt out of being tracked by cookies on its website. Twitter was fined EUR 30,000 for the breaches, and has two months to appeal the decision (accessible here in Spanish).
Separately, on 9 June 2020, the AEPD also fined app developer Glovoapp23 EUR 25,000 for failing to appoint a Data Protection Officer ("DPO"), as required by Article 37 of the GDPR.
Glovoapp23 had instead appointed a "Data Protection Committee", and argued that it did not have an obligation to appoint a DPO because its processing activities were exempt. The AEPD disagreed. It found that Glovoapp23 should have appointed a DPO because it performs large-scale data processing, due to its number of customers.
Belgian Data Protection Authority issued fines for GDPR breaches
On 14 May 2020, the Belgian Data Protection Authority's Litigation Chamber ("Belgian DPA") issued a fine for GDPR infringement in relation to a social media provider's "invite a friend" function. The function required users to give the provider access to the user’s phone contact list, and the provider would then process the contact details shared by the user to send a marketing email inviting those “friends” to join the social media platform. The Belgian DPA found that a user could not give valid consent to the provider to process the personal data of third parties on this basis. The Belgian DPA referenced the opinion of the Article 29 Working Party (now the EDPB) which sets out four conditions for a permitted "invite a friend" function on social media platforms. Importantly, the Belgian DPA also banned the practice of sending an email to intended recipients to seek consent for marketing communications, stating that this was not compliant with the GDPR. Readers are reminded to avoid such practices to avoid breaching the GDPR.
Separately, on 8 June 2020, the Belgian DPA fined a municipality's employee EUR 5,000 for misusing a list of the municipality's personnel, following a complaint filed by the municipality.
Class action lawsuit filed against Google in the USA
On 2 June 2020, a class action was filed against Google LLC and Alphabet Inc (Google's parent company) in the Northern District Court of California. The lawsuit claimed that Google had violated federal wiretapping law, in addition to a California privacy law requiring users to consent to Google reading or learning the content of their communications.
The lawsuit arises from allegations that Google had collected information about users' internet browsing activities in Google Chrome's Incognito mode (the private browsing mode) without permission. Incognito mode gives users the choice to not have their internet browsing activities saved on the browser or device. The lawsuit claimed that, despite this, Google continued to allow website publishers and advertisers to track users' browsing activities in Incognito mode through tracking tools.
Google's spokesman, Jose Castaneda, told the New York Times:
"Incognito mode in Chrome gives you the choice to browse the internet without your activity being saved to your browser or device. As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity during your session."
The complaint can be accessed here.
Stay on proceedings in First Tier Tribunal (Information Rights) expires
The stay of proceedings in information rights cases in the First-tier Tribunal (Information Rights) which was implemented on 1 April 2020 as a result of the Covid-19 pandemic expired on 27 May 2020. There has been no application to extend the stay, which suggests proceedings have now resumed. The First-tier Tribunal is still operating under the new Pilot Practice Direction which allows for remote hearings and determinations without a hearing.