Fines and Penalties imposed by data protection authorities within the EU

It’s been a little over a year since the EU General Data Protection Regulation (GDPR) came into force, and in that time it has become clear that dealing with data breaches is now the norm for EU data protection authorities.

According to the European Data Protection Board, the majority of the cases were related to complaints, notably 94.622, while 64.684 were initiated on the basis of data breach notification by the controller.

In the list provided by the GDPR Enforcement Tracker, 16 EU countries have already imposed fines and penalties, roughly totalling €51,980,118, with the highest fines coming out of France, Portugal and Spain. The vast majority of that total comes from the €50 million fine France’s CNIL issued to Google in January 2019.

The CNIL’s sanction is based on three key problem areas:

  • Lack of transparency: The CNIL has argued that relevant information is not easily accessible to Google’s users because it is scattered and hidden.
  • Deficiencies in information: According to the CNIL, there is a vagueness and ambiguity in the drafting of basic information around data processing.
  • Lack of consent: A lack of legal basis for the processing of data for personalised advertisements is included in the deficiencies already described, since the CNIL considers that the information provided to the user in this sense is not sufficient. In addition, the withdrawal options are neither clear nor easy to access, and consent is marked by default, without the user’s positive action.

The Portuguese Data Protection Authority (CNPD) took its first action on 17 July 2018, when it issued a €400,000 fine to a hospital because staff, psychologists, dietitians and other professionals had access to patient data through false profiles.

The Spanish national football league (LaLiga) was fined €250,000 by the Spanish Data Protection Authority (AEPD) for offering an app which, once per minute, accessed the microphone of users’ mobile phones in order to detect pubs screening football matches without paying a fee. The app did not inform users of this practice and did not meet the requirements for withdrawal of consent.

In the UK, the Information Commissioner’s Office (ICO) has issued numerous fines, but none has yet exceeded the £500,000 maximum penalty. In October 2018, the ICO fined Facebook the maximum possible £500,000 for failing to protect users’ personal information and for its role in the Cambridge Analytica scandal.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Practical guidance on how to process mixed datasets

The European Commission has published guidance on the interaction between the Regulation on the free flow of non-personal data and the GDPR.

One year after the GDPR started to apply, most controllers are (or at least should be) well aware of the security and privacy requirements that govern datasets containing personal data. However, what happens when those datasets include not only personal data but also non-personal information?

There is a new Regulation (Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union), applicable as of 28 May 2019, that sets out the conditions for the processing and transfer of non-personal data in the European Union and aims to remove obstacles to the free movement of non-personal data across Member States and IT systems in Europe. Accordingly, when it comes to mixed datasets, one should consider not only the GDPR but also this new Regulation.

The European Commission has published guidance in order to clarify the interaction between the Free Flow of Non-Personal Data Regulation and the GDPR.

For the purposes of the Free Flow of Non-Personal Data Regulation, non-personal data means:

  • data which originally did not relate to an identified or identifiable natural person, such as data on weather conditions generated by sensors.
  • data which were initially personal data but were later made anonymous.

It is defined simply as the opposite of the GDPR’s concept of personal data.

The Free Flow of Non-Personal Data Regulation has three notable features:

  • It prohibits, as a rule, Member States imposing requirements on where data should be localised.
  • It establishes a cooperation mechanism to make sure that competent authorities continue to be able to exercise any rights they have to access data that are being processed in another Member State.
  • It provides incentives for industry, with the support of the Commission, to develop self-regulatory codes of conduct on the switching of service providers and the porting of data.

Datasets containing the names and contact details of legal persons are in principle non-personal data, except in some cases, such as when the name of the legal person is the same as that of the natural person who owns it, or when the information relates to an identified or identifiable natural person.

In the case of a dataset composed of both personal and non-personal data:

  • The Free Flow of Non-Personal Data Regulation applies to the non-personal data part of the dataset;
  • The GDPR free flow provision applies to the personal data part of the dataset; and
  • If the non-personal data part and the personal data parts are ‘inextricably linked’, the data protection rights and obligations stemming from the GDPR fully apply to the whole mixed dataset, also when personal data represent only a small part of the dataset.

What does ‘inextricably linked’ mean?

The concept of ‘inextricably linked’ is not defined by either of the two Regulations. For practical purposes, it can refer to a situation where a dataset contains personal data as well as non-personal data and separating the two would either be impossible or be considered by the controller to be economically inefficient or not technically feasible. For example, when buying CRM and sales reporting systems, the company would have to duplicate its software costs by purchasing separate software for CRM (personal data) and for sales reporting (aggregated/non-personal data) based on the CRM data. Separating the dataset is also likely to decrease its value significantly. In addition, the changing nature of data makes it more difficult to clearly differentiate, and thus separate, the different categories of data.

What is the conclusion then?

Whenever personal data is involved, the GDPR applies. However, the Free Flow of Non-Personal Data Regulation gives controllers the option of managing personal and non-personal data differently where the two are suitably separated.

This new Regulation, combined with the GDPR, provides the EU with the most stable legal framework for the free movement of all data within the European Union.


What data should a controller disclose under a data subject access request?

A recent decision from the Cologne Regional Court addresses whether individuals are entitled to receive emails and personal notes as part of a DSAR.

“I want access to all personal data you handle about me”. What should you do as the controller if you receive an email like this? According to GDPR, individuals have the right to obtain:

  • confirmation that you are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information, which largely corresponds to the information that you should provide in the privacy policy.

What does “personal data” mean in terms of a DSAR? Even though this concept is clear for some data categories, such as contact data, for others it may be tricky, especially when it comes to information that might affect other people’s rights and freedoms.

The GDPR states that the right of access “should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software”. However, expert opinions vary as to which data should actually be considered to affect third parties. The Data Protection Act 2018 settles this criterion on the likelihood that another individual could be identified from the information disclosed. On a related note, the Cologne Regional Court has recently reached a decision in which it asserts that the right of access does not include all internal processes, such as notes. Moreover, it holds that the data subject is not entitled to receive all exchanged correspondence. Legal evaluations or analyses are also not considered personal data in these terms. This means that information such as ratings and private notes about employees’ performance or appraisals need not necessarily be disclosed under a DSAR.

We think this is an accurate criterion that properly resolves the data subject access request and protects the controller’s interests. However, although this is a binding decision from the Cologne Regional Court, it does not generally apply to other countries that are subject to the GDPR, so it remains to be seen whether this rule becomes a standard.


Workplace collection of Biometric Data

Does the collection of biometric data by an employer violate privacy?

For the first time in Australian history, an employee was fired for refusing to submit biometric finger scanning data required by his employer.

The employee believes that he was wrongfully terminated. After his unfair dismissal claim was rejected by an Australian Fair Work commissioner, the employee appealed to the full bench of Australia’s Fair Work Commission (FWC). He argued that the FWC had failed to consider whether the request to comply with the fingerprint scanning policy was lawful and reasonable, particularly when the employee refused to consent to the disclosure of his biometric data. The employee was concerned about the collection of sensitive data and a potential violation of the Australian Privacy Act.

The Fair Work Commission Full Bench granted permission to appeal, as it was satisfied that the matter raises “important, novel and emerging issues” which the full bench has not previously considered. The FWC will consider current technology and privacy rights in its ruling, which could lead to future standoffs between employers and employees over the collection of biometric information.

What if this happened in Europe?

Under the EU GDPR, the processing of employees’ biometric data by an employer would normally require consent. “For consent to be valid, it must be freely given. Where the employer threatens to fire the employee if they do not give consent to process their biometric data, such consent is unlikely to be freely given,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.
