Following the one-year anniversary of the coming into effect of the GDPR, Hogan Lovells’ Privacy and Cybersecurity practice has prepared summaries of key GDPR-related developments of the past 12 months. The summaries cover regulatory guidance, enforcement actions, court proceedings, and various reports and materials.

Regulatory Guidance

Enforcement Actions

  • The ICO issued an Enforcement Notice against AggregateIQ (24.10.2018) – AggregateIQ was an organisation which used personal data to target individuals with political advertising messages on social media, pursuant to contracts with various political organisations. This personal data was still being held by late May 2018 and had been subject to unauthorised use by a third party. The Information Commissioner concluded that AggregateIQ had failed to comply with Articles 5(1)(a)-(c) and Article 6 of the GDPR and issued an Enforcement Notice requiring them to erase any personal data of individuals in the UK retained by them.
  • The CNIL fined Google €500,000 (21.1.2019) – The CNIL received two complaints concerning Google’s processing of personal data. Having concluded that Google had no lead supervisory authority within the European Union, the CNIL carried out an investigation into a particular scenario (creating a Google account on the first use of an Android device). The CNIL decided that the “general information architecture” chosen by the company did not fulfil Google’s transparency and information obligations, as there was a lack of clarity and intelligibility. Google also relied on consent as its legal basis for processing personal data for targeted advertising purposes, and the CNIL found that this consent had not been validly obtained.
  • The Austrian Data Protection Authority decided that the Austrian Post had violated the GDPR by processing special categories of personal data (12.2.2019) – The Austrian Post did this by attributing preferences for certain political parties to data subjects using statistical calculation methods in the absence of explicit consent or any other legal basis. The DPA announced an immediate ban on this kind of processing and ordered the erasure of the data and the carrying out of a new DPIA.
  • The Polish Personal Data Protection Office fined a data company PLN 943 000 (approximately EUR 220,000) (26.3.2019) – The company had failed to meet its information obligations under Article 14 of the GDPR in relation to over 6 million people, and many individuals were having their data processed without being aware of it. The data had been obtained from publicly available sources and was being processed for commercial purposes. The company justified its non-compliance on the basis of high operational costs, but this was not accepted. More details in this blog post.
  • Italy’s Garante issued its first fine (4.4.2019) for the lack of implementation of privacy security measures following a data breach on the Rousseau internet platform. The Garante noted a number of security issues, the most pressing of which was the storage of log files regarding the activities performed by the IT support personnel of the platform. The Garante issued a €50,000 fine, not against the data controller (the 5 Star Movement) but against the processor, the internet platform.
  • The ICO issued a preliminary Enforcement Notice against HMRC (4.4.2019) – The ICO had been investigating HMRC’s Voice ID following a complaint from Big Brother Watch, and found that HMRC had failed to give customers sufficient information about how their biometric data would be processed or to give them the chance to give or withhold consent. This was a breach of the GDPR, and the enforcement notice compelled the government department to delete, within 28 days of the final notice, all biometric data held under the Voice ID system for which it does not have explicit consent.
  • The Swedish Data Protection Ombudsman ordered a financial credit company to correct its data processing practices (24.4.2019) – The Ombudsman pointed out that the company’s online credit decision service should be considered automatic decision-making as regulated under Article 22 of the GDPR and ordered the company to provide the individual who had complained with information on the logic employed in automatic decision-making, its role in making the credit decision and the consequences for the credit applicant.

Court Proceedings

  • The Stuttgart Landesarbeitsgericht decided that an employer which had received a data subject access request from an employee whose contract they were terminating had to provide the employee with records containing performance and behavioural data and information about internal investigations (20.12.2018) – The employer had argued that they were withholding this data on the grounds of whistleblower confidentiality, attempting to rely on the exemption pursuant to Article 15(4) of the GDPR. The court held that such exemptions should be considered on a case-by-case basis and there was no general rule that protection of whistleblower confidentiality overrides the employee’s access right.
  • The Higher Regional Court of Berlin confirmed a judgment that found seven clauses in Apple’s old privacy policy unenforceable and in breach of GDPR (3.2019) – The court held that the privacy policy was a contractual document since users were prompted to “accept” it. In this case the way the privacy policy was implemented in the purchase flow did not constitute valid consent and two other clauses were incompatible with fundamental principles of the GDPR.
  • The Court of Justice of the European Union (CJEU) AG’s Opinion in Planet49 (C-673/17) concerns the interplay between GDPR and the ePrivacy Directive in the context of online advertising involving cookies (21.3.2019) – Planet49 had organised a lottery and prospective participants had to submit their names and addresses before being presented with two checkboxes. The AG was of the Opinion that consent was neither “active” nor “separate” when prospective lottery participants gave consent to the use of cookies for advertising purposes. More details in this blog post.

Reports and Other Materials

  • European Commission Report on the second annual review of the EU-US Privacy Shield (19.12.2018) – The second annual review covered both the commercial and governmental aspects of the administration, oversight and enforcement of the framework, and recent developments in US law. The Commission concluded that the US continues to provide an adequate level of protection for personal data transferred under the Privacy Shield from the EU to US organisations. Steps taken to implement the Commission’s recommendations following the first annual review had improved several aspects of the practical functioning of the framework. However, the report also set out a number of further steps to be taken to ensure that an adequate level of protection continues to be provided, most notably the appointment of a permanent Privacy Shield Ombudsperson before 28 February 2019.
  • EU-Japan Adequacy Decision (23.1.2019) – This created the largest area of safe data transfers and marked the end of a negotiation process which began in January 2017. It set an important precedent as the first adequacy decision adopted with the GDPR in force. To secure the decision, Japan had to adopt a set of rules supplementary to its own data protection law, providing safeguards for personal data of EU citizens transferred to Japan. More details in this blog post.
  • The Irish DPC Annual Report covering 25 May-31 December 2018 (3.2019) noted the rise in the number of complaints and queries to data protection authorities across the EU since 25 May 2018. It listed the statutory enquiries underway, concerning Facebook, Twitter, WhatsApp, Instagram and Apple, which are expected to conclude during the summer of 2019.
  • The Dutch DPA issued GDPR Fine Structure guidelines (14.3.2019) – The guidelines divide breaches of GDPR into four categories, from simple ones such as insufficient records up to major incidents such as unlawful profiling or processing of special categories of data. Surprisingly, the top of the range for the most serious breaches is €1m, just 5% of the maximum fine allowed under GDPR itself. More details in this blog post.
  • The CNIL 2018 Annual Report (15.4.2019) showed a record number of complaints, up 33% since 2017. A survey conducted on the CNIL’s behalf showed that 70% of French citizens consider themselves more aware of data protection issues in 2018 than in 2017. It reported that it had carried out 310 investigations in 2018 and issued 49 notices, with a particular focus on the insurance and targeted advertising sectors. As a result of these, it levied 11 sanctions.