This is to update you on the latest news and developments in matters of data protection law.
If you would like to be provided with more details, you may contact us via the commentary function. We will also link to our blog posts if we have already reported on this topic.
What has happened lately?
1.National data protection laws entered into force or have been adopted
The Brazil General Personal Data Protection Law, which largely aligned to the GDPR, has entered into force on 18 September 2020.
In Egypt the Data Protection Law came into force in October 2020, 3 months after the publication in the Offiziell Gazette. The Data Protection Law applies to the processing of personal data carried out electronically. It establishes the data subject’s consent as the main legal basis for the processing of personal data. The Data Protection Law provides for data subjects’ rights in relation to the processing of their personal data and the conditions and principles that data processing must respect. It addresses, among other things, the processing of sensitive personal data, cross-border data transfers, electronic direct marketing practices, and monetary penalties and criminal sanctions for violations of the Data Protection Law itself.
Switzerland has adopted the revised version of the 28-year-old Federal Act on Data Protection 1992 (‘FADP’), which is adapted to EU data protection law. However, it is expected that it will not come into force before 2022. The revised law aims to ensure that the EU recognizes Switzerland as equivalent in terms of data protection and includes provisions to ensure compliance with European standards on, among other things, the right to be informed, the protection of minors, and sensitive personal data. Moreover, a new feature is the proactive Data Protection Impact Assessment (‘DPIA’) for processing that involves a high risk (especially when new technologies are used).
More information in German on the revised Federal Act on Data Protection can be found here.
The Federal Court of Justice has ruled on May 28th 2020 that consent on webpages must be obtained prior to storing or accessing non-essential cookies, such as tracking cookies for targeted advertising. Consent cannot be implied or assumed. A banner which, in its initial settings, technically prevents any tracking when accessing the website and giving the user the actual choice of “agreeing” or “disagreeing”, will therefore be required.
Our blog article in German on the decision can be found here.
3. European Court of Justice: Privacy Shield invalid
On July 16, 2020, the European Court of Justice (EJC) declared the European Commission’s Privacy Shield Decision invalid on account of invasive US surveillance programmes, thereby making transfers of personal data on the basis of the Privacy Shield Decision illegal. The ECJ also pointed out, that the adoption of SCCs alone is not sufficient to ensure an adequate level of data protection. Although the main focus of the ruling impacts primarily data transfers between the EU and the US, the consequences therefore also extend to transfers of personal data to other third countries. Hence, it is the obligation of the parties to ensure that appropriate measures are in place for the transfers of personal data to any third country. The legal circumstances in the respective third country must be taken into consideration and supplementary measures implemented to ensure an adequate level of protection, e.g. encryption of data transfer, access to data only per password etc., especially if the destination country does not provide for the data importer to abide by the SCCs.
a) Germany: Ruling of LG Bonn on 1&1 fine
The Federal Commissioner for Data Protection and Freedom of Information (‘BfDI’) had issued in December 2019, a fine of €9.5 million against the telecommunications provider 1&1 Telecom GmBH for an inadequate authentification procedure during telephone consulting services, where callers were able to receive extensive information on further personal data of single persons simply by stating the name and date of birth of a customer. The BfDI had used the total annual turnover as the primary calculation basis for the imposition of its fine.
The regional court of Bonn confirmed the breach of the obligation to implement adequate technical and organizational measures and therefore the legality of the imposition of a fine in its judgment of 11.11.2020. However, the amount of the fine was considered to be unreasonable.
According to the court the annual turnover should only be one of various calculation factors. Other factors, such as the nature of the violation, the sensitivity of the data concerned, the question of how many customers are affected and whether it is a first-time violation or a repetition should also be taken into account. Against this background and as the company immediately adapted adequate measures after the “gap” was noticed, the court reduced the amount of the fine to 900,000 Euro.
For further information in German please see here.
b) Italy: Garante fines Vodafone €12.2M for unlawful telemarketing activities
The Italian data protection authority (‘Garante’) announced, on 16 November 2020, that it had fined Vodafone Italia S.p.A. €12.2 million for unlawful telemarking activities. After hundreds of individual complaints concerning unsolicited marketing calls, serious violations in relation to the collection of consent, as well as to the principles of accountability and Privacy by Design were investigated by Garante. Vodafone had received marketing lists from commercial partners without the free, informed, and specific consent of data subjects. Furthermore, Garante found that Vodafone had adopted inadequate security measures in relation to the clients management systems, since Vodafone’s employees requested individuals to send identity documents via Whatsapp with the potential purpose of carrying out spamming, phishing, or other unlawful activities.
e) UK: ICO fines “Ticketmaster” £1.25M for failing to protect 9.4M customers’ payment details
The Information Commissioner’s Office (‘ICO’) has fined in November 2020 “Ticketmaster UK Limited” £1.25 million for failure to secure its customers’ personal data and implement appropriate security measures to prevent a cyberattack for its online payment page, which potentially affected 9.4 million EEA customers. The data breach concerned personal data such as names, full payment card numbers, Ticketmaster usernames and passwords, expiry dates and Card Verification Value (‘CVV’) numbers. Ticketmaster did not monitor network traffic to its online payment page until nine weeks following fraud alerts of international banks and has therefore not reacted in a timely manner to assess the risk and identify the source of the fraudulent activity.
f) France: CNIL imposes €250,000 fine on Spartoo for multiple GDPR violations
The French data protection authority (CNIL) imposed in August 2020 a €250,000 fine on Spartoo SAS for violating multiple provisions of the GDPR, which affected the three million clients. Permanent recording of telephone calls with customer service employees, the recording of customer bank details, and the collection of customers’ health cards were found excessive and contrary to the principle of data minimisation. Spartoo retained personal data for longer than was necessary as it had not set up any retention periods for customer data and did not regularly erase and archive personal data. Spartoo failed to abide by the obligation to inform their customers under Article 13 of the GDPR as customers were misinformed about the legal bases for the data processing, the purpose behind the processing, the recipients of the data, the data retention period, and their rights. Also Spartoo had not used adequately strong passwords for accessing customer accounts and to take adequate measures to ensure the security of data as required by Article 32 of the GDPR.