Europe’s General Data Protection Regulation (GDPR) reached its 1-year anniversary on May 25, 2019. At the start of its second year, we can now reflect on the GDPR with a new set of questions: Did the mission, motive, and compliance parameters of the GDPR serve a greater purpose? Has data culture changed? What lessons have we learned?
With the diversity of cases and newly created legislation, the year has brought controversy, but also a global commitment to data privacy law.
A Year in the Life of the GDPR
One year in, we can look back to see how this legislation has created a strong advocacy presence for data privacy on a global level. The GDPR is prompting governments, nongovernmental organizations (NGOs), for-profits, nonprofits, charities, etc., to evaluate their data collection, handling, and processing for the greatest good of the data subject.
The focus on data subjects, their rights, and data privacy continues to foster a culture shift toward data transparency. Read further to learn about case complexities and outcomes—from good faith efforts to potential GDPR infractions and fines.
The Diversity of GDPR Cases
When the GDPR was enacted in 2018, we could only speculate about the type of enforcement that would result. Would large-scale examples be made? Would imposed fines be considered equitable? How would small businesses and sole proprietorships fare? The following cases show the wide-spanning impact of the GDPR.
A Good-Faith Effort Spoiled: Bristol City Council’s Email Faux Pas
The city council of Bristol, England, is apologizing for a data breach that came in the form of accidentally disclosed email addresses. The exposed addresses were from an email that was touting GDPR compliance.
The mishap occurred when former participants and applicants for the Bristol Citizen’s Panel were shown the email addresses of everyone else in those two groups. Instead of the blind carbon copy (bcc) option, which keeps recipients’ addresses hidden from one another, carbon copy (cc) was used—exposing all of the recipients’ addresses to every recipient.
Ironically, the email was sent to inform those who were not selected for the panel, as well as those who had previously participated, that their email addresses would be deleted to comply with GDPR regulations. Instead, the hundreds of email addresses were shared.
Adding insult to injury, citizens began to deliberately use Reply All so that their responses would go to the entirety of the list—further exacerbating the GDPR faux pas.
Bristol’s good-faith effort to comply with the GDPR ended with an apology clarifying that the city council’s data controller had been made aware of the data breach and that the email addresses would be deleted from the database. It said that no further contact would be made. No GDPR fines were issued.
Amazon Retrieves a Stranger’s Files Following a GDPR Request
As virtual assistant devices and services continue to proliferate, so do the chances of data privacy mishaps. Amazon’s Alexa is the subject of a recent data breach, in which a German Amazon customer asked the company for access to his personal audio recordings. The goal was to uncover the personal data held about him by Amazon (a data subject right covered under the GDPR). He made the request, downloaded the 1,700 Alexa audio files he received—and then discovered they were not his.
Amazon claimed that this was an isolated case caused by human error (although few details are documented). Amazon removed the files from the link sent to the customer; however, any files he had already downloaded would remain on his computer unless he deleted them. Amazon reportedly resolved the issue with the two parties and was in touch with the appropriate regulatory authorities—but just as a precaution.
First GDPR Fine in Poland: The Unlawful Processing of Data
Bisnode, a data analytics company with an office in Poland, has been fined €220,000 (about $247,600) by the country’s data protection agency for failing to inform more than 6 million individuals that it was processing their data.
Bisnode elected to only inform individuals for whom it had email addresses. It is noteworthy that of the 90,000 people informed, more than 12,000 objected to the processing. Bisnode claimed that it did not try to contact the remaining individuals, as it was too costly to do so through the mail. Those who were not notified were unable to opt out, fix incorrect data, etc. In place of contacting these individuals, Bisnode chose to publish a notice about the processing on its website.
While there may have been legitimate interest for data processing (data was obtained via the government public register of business activity, then used for a commercial purpose), indirect data collection requires notice to be sent to the individuals that discloses the grounds for legitimate interest.
Additionally, the controller at Bisnode was aware of the obligation to provide information to individuals regarding data processing. The intentional decision not to inform them impacted the weight of the fine. There is residual controversy over whether mailing notifications about processing would constitute a “disproportionate effort” toward compliance.
France’s Regulator Fines Google for Poor Consent Practices
The Commission Nationale de l’Informatique et des Libertés (CNIL), France’s data protection regulator, has placed a €50 million (about $56 million) fine on Google for multiple failure points relating to GDPR compliance.
Currently, Google plans to appeal the fine and claims it is committed to transparency. We may speculate that if Google did not appeal the fine, it would in effect be admitting fault. This could leave the company open to further fines from other countries or jurisdictions with similar concerns.
Hall and Hanley Sends Millions of Unlawful Direct Marketing Texts
Hall and Hanley, based in the U.K., specializes in financial compensation for improperly sold Payment Protection Insurance (PPI). The Information Commissioner’s Office (ICO) has fined the company £120,000 (about $152,000) for sending 3.5 million unsolicited direct marketing texts about its services.
The ICO began investigating Hall and Hanley after receiving a large number of complaints (1,353 complaints were received in total). It found that a third party had been used for this direct marketing work, but the consent required by law was missing. Hall and Hanley claimed that the marketing consent came from individuals subscribing to one of four websites that named Hall and Hanley directly. On investigation, only two of these websites listed the company outright. Even if the company had been listed on all four websites, as claimed, it remains unlawful to make consent to third-party marketing a condition of subscription.
Marriott International: A GDPR Violation for Unencrypted Passport Information
Marriott International is under investigation for a data breach that exposed the personal data of an estimated 383 million guests, 5.25 million unencrypted passport numbers, and 18.5 million encrypted passport numbers. The breach reportedly started in 2014; full disclosure did not occur until November 2018.
Marriott may be a U.S.-based company, but guests come from all over the world—many are European Union (EU) citizens. Because the data of EU citizens was involved, the breach falls under the GDPR. Additionally, there are pending class-action lawsuits against Marriott from U.S.-based law firms.
The maximum financial penalty under the GDPR, should Marriott be found responsible, is 4% of its global annual revenue, which in 2017 was $22.89 billion. This would mean a fine of up to $915 million. At present, no fines have been issued.
The Push for Privacy Legislation Outside of the GDPR
Considering the global span of the GDPR, it is important to recognize that countries all over the world—and individual U.S. states—are making concerted efforts to heighten data protection. The following three legislative examples highlight data privacy for the greater good of the data subject.
Brazil’s Data Protection Law
Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) is scheduled to take effect in February 2020. This law applies to individuals or companies involved with 1) processing activities in Brazil, 2) personal data collected in Brazil, or 3) processing data for the purpose of offering goods or services in Brazil, or data of individuals located in Brazil. Like the GDPR, the LGPD grants data subjects the following rights: anonymization, deletion, data portability, and revocation of consent, and all such requests must be fulfilled for the data subject free of charge. For lack of compliance, Brazil’s data protection agency may fine up to R$50 million (about $12.8 million) or 2% of total revenue from the previous year, whichever is higher.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) of 2018, with an enactment date of Jan. 1, 2020, is intended to protect the personal data of consumers who reside in California. Like the GDPR, although broader in scope, it applies to any organization, regardless of its location, that collects personally identifiable information (PII) from California residents. Examples of PII include names, addresses, IP addresses and email addresses, internet activity records, biometric information, commercial information, and employment-related information. Just as with the GDPR, there are residual questions about fines and penalties and how they will be applied. Penalties can be up to $7,500 per violation if the wrongdoing is intentional (a lesser fine if not). A question remains as to the definition of a violation—is this per consumer, per action, or another measure?
Uganda’s Data Protection and Privacy Act
Uganda’s Data Protection and Privacy Act protects the data and the privacy of individuals by regulating the collection and processing of data. The act defines the responsibilities of data collectors, processors, and controllers and requires them to act in alignment with the rights of data subjects. It took effect on March 1, 2019. Key objectives include: 1) protect the privacy of data subjects, 2) regulate collection and processing of personal information, 3) ensure that the rights of the data subject are upheld, 4) set out the obligations of data collectors and processors, and 5) regulate the use or disclosure of personal information.
Insights Discovered Over the Last Year
In closing, as the GDPR becomes increasingly mainstreamed, it is prudent to take heed of some of the important lessons learned over the last year (in no particular order):
- Informed consent cannot be passive, all-or-nothing, or conditional. A data subject must freely give consent, be well-informed of the facts through clear language documentation, and have the option to withdraw consent if desired.
- Claiming a disproportionate effort is not an excuse for noncompliance. If an organization is going to use disproportionate effort as a reason for not upholding a legal parameter of the GDPR, documented proof of hardship is essential. Claiming disproportionate effort without an adequate documented hardship has been shown to increase GDPR fines.
- Be prepared to prove lawful processing. Proving a legal basis for processing data can be difficult and complex; consult your legal team if you are uncertain. Proving lawful processing if using a third party in some capacity may have additional limitations.
- Know who is responsible for GDPR compliance. The areas responsible for ensuring GDPR compliance vary by organization (e.g., IT, finance, or legal departments). There is no hard-and-fast rule for designating compliance roles. However, if an organization isn’t firm in assigning responsibility and providing expectations, GDPR compliance will suffer.
- A good-faith effort goes a long way. Accidents happen, interpretation of the law is a continual challenge, and 100% GDPR compliance remains in the minority. However, the ability to prove your organization is working toward compliance through documentation and notification protocols goes a long way.