Post-Brexit UK to overhaul privacy rules

Post-Brexit UK to overhaul privacy rules in an attempt to increase effectiveness while maintaining adequacy with the EU and other nations. 

The British government plans to create new privacy rules based on “common sense, not box-ticking”. The new rules may move the UK away from the EU data protection regime, including the GDPR applicable since 2018, which still forms the basis of the post-Brexit UK GDPR. According to the culture secretary, this may put an end to the irritating cookie pop-ups and consent requests online. However, the new regime still has to satisfy the EU’s adequacy requirement; otherwise continued data transfers between the UK and the EU may be affected.

After October, a new Information Commissioner will be appointed to replace Elizabeth Denham.

The culture secretary aims to develop a globally leading data policy that will help businesses and individuals across the UK. The government plans to give the daunting task of overseeing this transformation to John Edwards, who is to be appointed as the new Information Commissioner. He is currently the Privacy Commissioner of New Zealand and is the UK’s preferred choice to replace the current Information Commissioner, Elizabeth Denham, when her tenure ends on October 31st.

Will the new rules help small businesses or result in more trade and investment barriers?   

While cookie consent rules have been widely criticised by industry and users alike, they represent a tiny portion of the current (UK) GDPR framework and are unlikely to be decisive when it comes to mutual adequacy between nations. The bigger picture is the current freedom to transfer data between the UK and the EU/EEA based on the European Commission’s adequacy decision, which still gives UK-based tech companies an edge. “Putting that in jeopardy would likely offset any benefits for tech startups in terms of compliance regime simplification,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner. “We must also be aware that UK consumers have gotten accustomed to a high degree of privacy protection, and they hardly see the current UK GDPR as an unnecessary bureaucratic burden.”

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Google and Amazon fined

Google and Amazon fined: CNIL has fined the two major companies for unlawful cookies.

Google and Amazon have been fined by France’s CNIL for placing cookies on users’ computers without obtaining prior consent and without providing adequate information.

The CNIL reported last week that both companies have been sanctioned for their misuse of cookies, which breached the French Data Protection Act. Following several investigations, from December 12th 2019 to May 19th 2020 on amazon.fr and on March 16th 2020 on google.fr, the CNIL found that both companies’ websites violated Article 82 of the Data Protection Act.

Google was found to have three violations of Article 82 of the DPA, while Amazon had two of those three.

Upon investigation, both websites were found to have been placing cookies on users’ computers automatically, without any action on the users’ part and without their prior consent. These cookies were deemed non-essential to the use of the service and should only be placed once the user has expressed consent. This practice violates Article 82 of the DPA, which requires prior consent before such cookies are placed on users’ computers.

While both google.fr and amazon.fr displayed brief statements in a banner at the bottom of the screen, informing visitors of the company’s confidentiality rules (in the case of Google) or of the user’s acceptance of cookies by using the website (in the case of Amazon), both banners were found to inform users inadequately, resulting in further breaches of Article 82. In Google’s case, the banner gave users no information at all on the cookies that had already been automatically placed on their computers, and the “Consult now” button on the banner at google.fr did not lead users to any information on those cookies either.

On amazon.fr, while the banner informed users that they accepted cookies automatically by using the site, this information was found to be neither clear nor complete. The banner did not specify that the cookies placed on users’ computers were mainly used to display personalised ads, and it failed to explain that users could refuse these cookies or how to do so.

In addition, on google.fr, even after a user had used the mechanism reached through the “Consult now” button to deactivate ad personalisation, one of the advertising cookies remained stored on the user’s computer and continued to read information intended for the server it was attached to. The “opposition” (opt-out) mechanism on Google’s website was therefore deemed faulty, resulting in an additional violation of Article 82 of the DPA.
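The two failure modes the CNIL describes, non-essential cookies dropped before any consent and an opt-out that leaves an advertising cookie in place, are exactly what a consent gate and a cookie audit have to prevent. The following JavaScript is an added example, not code from this page, the CNIL or either company. It models the browser cookie jar in memory (standing in for document.cookie), runs registered non-essential tag setters only after consent, removes every non-essential cookie on refusal, and audits the jar against an assumed allowlist of strictly necessary cookie names (session_id, csrf_token, consent) at each consent state. All cookie names are constructed for illustration.

```javascript
// Added example (not the page's or either company's code): a consent gate for
// non-essential cookies plus an audit that flags cookies present without consent.
// Cookie names and the ESSENTIAL allowlist are assumptions for illustration.

// Cookies strictly necessary for the service (assumed names; exempt from consent).
const ESSENTIAL = new Set(['session_id', 'csrf_token', 'consent']);

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf('=');
    const name = eq === -1 ? item : item.slice(0, eq);
    const value = eq === -1 ? '' : item.slice(eq + 1);
    jar.set(name, value);
  }
  return jar;
}

// In-memory cookie store standing in for the browser's cookie jar.
class CookieStore {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  delete(name) { this.cookies.delete(name); }
  names() { return [...this.cookies.keys()]; }
  toString() { return [...this.cookies].map(([k, v]) => `${k}=${v}`).join('; '); }
}

// Consent gate: a tag that drops a non-essential cookie is registered with the
// gate and runs only once consent is granted. Refusal clears every non-essential
// cookie, not just the ones the gate itself set, so a cookie dropped by a script
// that bypassed the gate cannot survive the opt-out.
class ConsentGate {
  constructor(store) {
    this.store = store;
    this.state = 'none';   // 'none' | 'granted' | 'refused'
    this.deferred = [];    // setters waiting for consent
  }
  register(setter) {
    if (this.state === 'granted') setter(this.store);
    else this.deferred.push(setter);
  }
  grant() {
    this.state = 'granted';
    this.store.set('consent', 'granted');
    for (const setter of this.deferred) setter(this.store);
    this.deferred = [];
  }
  refuse() {
    this.state = 'refused';
    this.deferred = [];
    this.store.set('consent', 'refused');
    for (const name of this.store.names()) {
      if (!ESSENTIAL.has(name)) this.store.delete(name);
    }
  }
}

// Audit a cookie string against the consent state: any non-essential cookie
// present while consent is not 'granted' is a violation (the situation on
// google.fr and amazon.fr before consent, and on google.fr after opt-out).
function audit(cookieString, consentState) {
  const violations = [];
  for (const name of parseCookies(cookieString).keys()) {
    if (!ESSENTIAL.has(name) && consentState !== 'granted') violations.push(name);
  }
  return violations;
}

// Walkthrough with constructed cookie names.
function demo() {
  const store = new CookieStore();
  store.set('session_id', 'abc');             // essential, allowed at any time
  const gate = new ConsentGate(store);
  gate.register(s => s.set('ads_id', 'xyz')); // deferred: nothing is set yet
  const beforeConsent = audit(store.toString(), gate.state);
  gate.grant();                               // ads_id is set only now
  const afterGrant = audit(store.toString(), gate.state);
  store.set('ad_tracker', '1');               // dropped outside the gate by a third-party script
  gate.refuse();                              // removes ads_id and ad_tracker
  const afterRefuse = audit(store.toString(), gate.state);
  return { beforeConsent, afterGrant, afterRefuse, remaining: store.names() };
}
```

Two caveats when applying this to a real site. Page JavaScript cannot see HttpOnly cookies or delete cookies set on a third-party domain, so the audit should be run against the browser's actual cookie jar (for example from a browser-automation harness) and should also cover Set-Cookie headers sent by the server, not only cookies set by scripts. And the ESSENTIAL allowlist has to be justified cookie by cookie: labelling an advertising cookie as strictly necessary silently defeats the gate.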

Google and Amazon were fined a total of 100 million euros and 35 million euros respectively.

GOOGLE LLC was fined 60 million euros and GOOGLE IRELAND LIMITED 40 million euros. The authority justified these fines, and its decision to make them public, by the seriousness of Google’s triple breach of Article 82, the search engine’s reach and the fact that nearly fifty million users were affected. The advertising revenues generated by companies like Google are indirectly derived from the data collected by the advertising cookies placed on users’ computers. Since an update to google.fr in September 2020, cookies are no longer placed automatically on users’ computers; however, the information banner still did not inform users residing in France of the purposes for which cookies are used, nor that they could refuse them. In addition to the fines, the CNIL issued an injunction to GOOGLE LLC and GOOGLE IRELAND LIMITED, backed by a penalty of 100,000 euros per day of delay, requiring them to inform users adequately, in accordance with Article 82 of the DPA, within three months.

AMAZON EUROPE CORE was fined 35 million euros, and the fine was likewise made public because of the seriousness of the breaches. It was considered that, given the popularity of amazon.fr, millions of residents of France visit the site daily and have cookies placed on their computers. In addition, the company’s main activity is the sale of consumer goods, so the personalised ads made possible by those cookies lead to a significant increase in the visibility of its products on other websites. It was also taken into account that, until amazon.fr was restructured in September 2020, the company continuously placed cookies on the computers of users living in France without informing them: regardless of the path that led users to the site, they were either insufficiently informed or not informed at all that cookies were being placed on their computers. Amazon likewise faces an additional penalty of 100,000 euros per day if it does not comply with the Act within three months.

CNIL has released amended guidelines and recommendations regarding the use of cookies, in accordance with the GDPR. 

On October 1st 2020, the CNIL published its guidelines on the use of cookies and other trackers, together with recommendations for applying them. These form part of its action plan on targeted advertising and the enforcement of the GDPR. The CNIL is asking all parties to comply with the rules clarified therein, specifying that the adaptation period should not exceed six months. It has also indicated that it will continue to monitor the other requirements, which have not been modified, and, where necessary, adopt corrective measures to protect the privacy of individuals.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Dutch DPA Imposed a Fine

The Dutch DPA Imposed a Fine on the Dutch Tennis Association under the GDPR for Illegally Selling Personal Data for marketing purposes.

The Dutch DPA imposed a fine of EUR 525,000 on the Dutch Tennis Association (KNLTB) for the unlawful sale of its members’ personal data to two sponsors.

The Dutch DPA recently imposed a fine on the Dutch Tennis Association (KNLTB) under the GDPR for the illegal sale of its members’ information to two of its sponsors. The data shared included members’ names, addresses and genders. The two sponsors then used this information to market offers to these individuals by phone and by post. One sponsor purchased the data of 50,000 members, the other the data of over 300,000 members. While the KNLTB argued that it had a legitimate interest in selling its members’ data, the Dutch DPA disagreed, finding that financial gain was the basis of the KNLTB’s decision to infringe its members’ fundamental rights under the GDPR by selling their data.

Previous fines by the Dutch DPA

Prior to this most recent fine on the Dutch Tennis Association, the Dutch DPA had imposed two fines under the GDPR. The first was imposed on the Dutch UWV (Employee Insurance Agency) in 2018: as a result, the UWV was required to improve the security of its logging by October 2019. That deadline has since been postponed by a year, and failure to meet it carries a penalty of EUR 150,000 per month, up to a total of EUR 900,000. The second fine, of EUR 460,000, was imposed on the Dutch Haga Hospital because of inadequate internal security of its patient records, which resulted in approximately 200 employees having unauthorised access to the medical records of a Dutch celebrity and in that person’s private information being leaked to the press.

On another note, the Dutch DPA has in the past investigated Facebook’s failure to adequately inform users that their data was being used for targeted advertising. This did not result in a fine, but it did prompt a change in Facebook’s personal data policy.

The Dutch DPA’s policy for determining administrative fines

In an effort to keep the fines it imposes consistent, the Dutch DPA has a specific policy for determining the level of administrative fines. Infringements are divided into categories according to the relevant GDPR article. As reported by the INPLP in its article, the fines set under this policy can be increased or reduced depending on the following factors:

  • The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected and the extent of the damage suffered by them.
  • The deliberate or careless nature of the infringement.
  • The measures taken by the controller or the processor to limit the damage to the data subjects involved.
  • The extent to which the controller or the processor is responsible, considering the technical and organizational measures that had to be taken under articles 25 and 32 of the GDPR. 
  • Previous infringements, where relevant, by the controller or the processor.
  • The level of cooperation with the Dutch DPA to remedy the infringement and reduce the possible, negative consequences of it.
  • The categories of personal data affected by the infringement.
  • The manner in which the Dutch DPA has been notified of the infringement and whether the controller or the processor has reported the infringement.
  • The extent to which the controller or the processor has complied with any previous measures imposed by the Dutch DPA, as referred to in article 58 (2) of the GDPR.
  • Compliance with approved codes of conduct in accordance with article 40 of the GDPR or with approved certification mechanisms referred to in article 42 of the GDPR.
  • Any other circumstances that may be regarded as aggravating or mitigating factors, such as financial gains realised, or losses avoided, whether or not directly arising from the infringement.

The general guide for imposing fines is based on the following categories, determined by the corresponding GDPR infringement:

Category   Range of fines              Standard fine
I          €0 to €200,000              €100,000
II         €120,000 to €500,000        €250,000
III        €300,000 to €750,000        €525,000
IV         €450,000 to €1,000,000      €725,000

The fine imposed on the Dutch Tennis Association (KNLTB) was based on a category III infringement and therefore took the standard fine for that category: €525,000. So far this year we have reported on two fines issued by the Italian DPA (Garante), on TIM SpA and Eni Gas e Luce, of 27.8 million and 11.5 million euros respectively, and more recently on the half-million-pound fine imposed on CRDNN Ltd by the UK’s DPA, the ICO.

With regulators cracking down on companies that mismanage data, it is imperative that companies ensure they comply with the GDPR, PECR 2003 and the DPA 2018. While this is only the third fine imposed by the Dutch DPA under the GDPR, the Dutch DPA is the first in the EU to define its own policy for setting fines, which may inspire other countries to do the same.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

AEPD approves its first BCRs

The AEPD has approved its first Binding Corporate Rules (BCRs) under the GDPR

The Spanish DPA, the AEPD, has approved its first Binding Corporate Rules (BCRs) under the GDPR. The AEPD acted as lead DPA and had the benefit of a favourable Opinion from the EDPB.

The AEPD has issued its final decision on the first binding corporate rules drafted by Fujikura Automotive Europe Group, two months after the EDPB gave its favourable opinion on them. The decision will be included in the register of decisions that have been subject to the consistency mechanism, and it means that Fujikura Automotive Europe Group is now free to rely on the BCRs, as appropriate safeguards, for transferring personal data to group members based in third countries.

What are BCRs?

The GDPR (Article 4(20)) defines Binding Corporate Rules as “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.

Once approved by the competent DPA, BCRs are considered a valid instrument that provides appropriate safeguards for personal data transfers to third countries.

What is the approval process of BCRs?

First, the lead DPA checks whether the draft BCRs include all the mandatory elements listed in Article 47(2) GDPR. Then, under the consistency mechanism of Articles 63 and 64(1) GDPR, the EDPB issues its opinion, after which the lead DPA communicates its final decision and, where the BCRs are approved, they are included in the relevant register.

How did the process apply to this case?

Pursuant to Recital 110 GDPR, “a group of undertakings should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group”, provided that the BCRs include “all essential principles and enforceable rights to ensure appropriate safeguards for transfers”.

In this case, the BCRs were first drafted by Fujikura Automotive Europe Group and reviewed by the AEPD as lead DPA. The AEPD then submitted its draft decision to the EDPB, which, early this year, issued its opinion finding that the BCRs contained appropriate safeguards to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined when personal data are transferred to, and processed by, group members based in third countries. Two months later, the AEPD approved the BCRs and communicated its final decision to the EDPB.

Do you need assistance with the appropriate safeguards that should apply to international transfers of personal data? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.  Contact us today.