At the beginning of February, the Bavarian Data Protection Authority (DPA) participated in Safer Internet Day (SID) 2019 and examined the websites of 40 large companies based in Bavaria. Under the theme “Together for a better internet”, the European Commission had called for action worldwide to enhance internet security as part of the yearly SID. The DPA reviewed cyber security and user tracking practices, with the “sobering” finding that, in the DPA’s view, none of the 40 companies provided GDPR-compliant practices on their websites. As a result, the DPA announced that it is considering fines under the GDPR.
The DPA explicitly stated that ensuring GDPR compliance in this respect should be made a priority within all companies, not only in the technology sector (several leading tech companies reside in Bavaria), i.e. irrespective of their area of business or industry. In fact, the companies examined by the DPA offer goods and services in the fields of, inter alia, online retail, sports, banking and insurance, media, automotive and electronics, as well as home and residential.
Fine imposed on Google by French Data Protection Authority (CNIL)
As widely reported, the CNIL fined Google 50 million euros in January, in particular for not obtaining valid, GDPR-compliant consent from Google users to targeted marketing. Initially, this high amount shook many companies, but the question remained whether Google was to be regarded as a special case and whether companies whose core business, unlike that of Facebook or Google, is not the processing of personal data would indeed have to fear similar actions by the authorities.
In this respect, the overall good news for Germany is that the authorities have been very reserved in imposing high fines; in fact, fines have been surprisingly low so far. This might, however, change in the future depending on the specific audits performed.
Required actions according to DPA
The DPA found that 30 of the 40 audited companies did not sufficiently inform data subjects on their websites. It requests that all cookies and trackers be identified and disclosed to website users, and that data subjects be informed about the specific purposes for which their personal data is processed.
While the German data protection authorities previously announced that consent is generally required for the processing of personal data in connection with cookies and tracking functionalities, the DPA now leaves this open to interpretation. The DPA noted that most of the 40 websites used cookie banners, but that none of these banners resulted in effectively obtaining consent from users for the processing of personal data.
Companies making use of such cookie banners presumably assume that consent must be obtained from data subjects as the legal basis, and lay this out accordingly in their website privacy policies. Because of this practice, i.e. choosing consent as the legal basis but not obtaining valid consent, their processing might be unlawful. We understand this to mean that the DPA indicates that consent is not the only possible legal basis here. In particular, the report does not state that data processing in the context of tracking technologies always requires consent as the legal basis.
As regards cyber security, the DPA reviewed in particular the following aspects: whether strong passwords are required for user logins or multi-factor authentication is implemented; whether the user receives an email confirmation after the registration process; whether users are warned of phishing activities; whether users are informed about failed logins; and whether users are provided with support in case their account is compromised. Companies double-checking the security of their websites should take these aspects into account.
Consequences and risk-based recommendations
In our view, depending on the setup, both analytics and profiling can potentially be based on legitimate interests as a legal basis under the GDPR, especially because obtaining informed and valid consent for cookies and tracking will be extremely challenging in practice. This approach is not explicitly ruled out by the DPA. However, companies that choose to rely on that legal basis should stick to it consistently: state so in their privacy policies, provide the required right to object, and not indicate that they rely on consent for the processing of personal data (for instance by putting up an ambiguous cookie banner).
It must be noted that this is not an entirely risk-free solution. Due to the conflicting statements of the German data protection authorities, it is not completely clear for the time being which measures must be taken. Very risk-averse companies might consider ceasing to use such tools altogether. All others should try to provide detailed information on the tools used, including the name and location of the service provider, and a clearly visible right to object to the data processing.
Companies that neither correctly document the legal basis they have chosen nor check whether the cyber security measures indicated by the DPA are indeed implemented on their websites are exposed to a significant risk. It is therefore of high importance to document the measures taken to review data flows and the applicable legal bases, in order to be ready for an audit, which, in the case of the DPA, is clearly on the horizon.