We look at a number of significant developments over the past few weeks.
The Queen's Speech on 10th May confirmed that reform of the UK's data protection laws remains very much a part of the government's agenda. You can read our thoughts here on what we could potentially see in a Data Reform Bill to be published in the coming months.
Included in this issue of data and privacy news: new guidelines from the European Data Protection Board on the calculation of fines for GDPR breaches, the European Commission's FAQs on its new Standard Contractual Clauses, and the ICO issuing its third-largest penalty to date to Clearview AI. Clearview's fine is also the subject we'll be discussing at our upcoming Data Download webinar - click here to register.
- ICO weighs in to fine Clearview – but will it stick?
The ICO has imposed a fine of £7,552,800 on Clearview AI for committing numerous infringements of the UK GDPR. Clearview, which describes itself as "the World’s largest facial network" has systematically scraped billions of images from social media and other websites, without obtaining individuals' consent or informing them that this data collection was taking place. The ICO concluded that this practice infringes the rights of UK data subjects. It has also demanded that Clearview stops collecting images of UK citizens.
The ICO is the third European regulator to take action against Clearview for breaches of data protection law, after the Supervisory Authorities (SAs) in France and Italy also concluded their investigations in December and March. Both have insisted that Clearview stops processing data relating to their citizens, and the Italian Garante also imposed a €2 million fine.
There are a couple of very noteworthy elements of the case. First, the final penalty issued by the ICO represents a substantial reduction of the £17.5 million figure that it provisionally indicated it would fine Clearview in November last year. This means that each of the ICO's top three fines for data protection breaches have been subject to deep discounts (though the impact of the COVID-19 pandemic played a significant role in the ICO's concessions to Marriot and British Airways).
Second, the case raises fundamental questions about the jurisdictional scope of the (UK) GDPR. Clearview has stated that it does not intend to comply with the decisions of the ICO and Italy's Garante, arguing that neither the regulator has jurisdiction. Clearview is headquartered in New York, claims that it does not offer its services to customers in the UK or Italy, and that it does not "monitor" individuals located there. In the event of any formal appeal lodged by Clearview, much is likely to turn on whether capturing facial images through scraping is deemed monitoring (a term not defined by the (UK) GDPR). Whatever the outcome of such an appeal collecting the fine from Clearview will not be easy, given that it has not appointed an EU representative under Article 27 GDPR – another apparent breach.
This will be a very interesting one to watch, with further investigations into Clearview underway in several other jurisdictions. If Clearview – which the New York Times described as "a secretive company that might end privacy as we know it” – cannot be effectively sanctioned despite widespread failures to observe universal principles of privacy, it could indicate that the jurisdictional test for the application of European data protection laws might require reform.
- Commission answers (some of the) frequently asked questions on standard contractual clauses
The European Commission has published an FAQ document (FAQs) seeking to clarify a number of issues surrounding its updated Standard Contractual Clauses for EU data exports (2021 SCCs).
The release of the SCCs last summer was welcomed by controllers and processors seeking to respond to the requirements of the Shrems II decision, but some important questions remained unanswered. Many would have been hoping that the FAQs would be more comprehensive and provide some additional guidance on the conduct of Transfer Impact Assessments (TIAs), but there are at least some helpful practical takeaways. Some of these might help ease some of the bottlenecks for organisations seeking to repaper their model clauses before the deadline at the end of the year:
- The FAQs confirm that the 2021 SCCs should not be used for scenarios where the data importer as well as the exporter is subject to GDPR, and that the Commission working on a new set of SCCs for this scenario. Unfortunately, there is no guidance on how such transfers are to be legitimised in the meantime, nor on how long it will be before the new version is available.
- While the FAQs do not explicitly endorse incorporation of the 2021 SCCs by reference (despite this becoming market practice), the Commission states that this is a matter for the national law which governs the 2021 SCCs. So in many cases, it seems this option will be available.
- There is also no specific instruction regarding execution requirements, or whether the 2021 SCCs can be executed electronically. The FAQs acknowledge that the 2021 SCCs are not prescriptive regarding how signatures should be formalised, and provides flexibility for the parties to choose the best approach within the parameters of the national law which governs their SCCs. Given that "click-thru" SCCs have also been broadly adopted in practice, it would have been expected that the FAQs would have specifically excluded this option if the Commission does not accept this approach.
- The Commission reiterates that parties to the SCCs may not restrict liability to data subjects or exclude liability to one another altogether, since this would act as a disincentive to compliance for the party benefiting from that provision. However, it is not clear from the FAQs whether liability caps as between the parties could be justified.
- The FAQs also provide specific information to data subjects on their rights to information about the export of their personal data, and to obtain copies of the specific SCCs governing such transfers. They reiterate the obligations on exporters to provide sufficient notice to data subjects regarding transfers, and serves as a reminder that organisations may need to revisit their privacy policies to ensure they are up to date.
The UK has also now issued its own International Data Transfer Agreement, and a UK Addendum which organisations can use in conjunction with the 2021 SCCs where they export personal data from both the UK and the EU to third countries. The ICO has also undertaken to publish guidance to facilitate the use of these documents, though there is no sign of this at the time of writing.
- Austrian DPA finds that use of Google Analytics is unlawful, again
The Austrian Data Protection Authority (DSB) has issued a second ruling that transfers of EU personal data to the US through Google Analytics (Analytics) infringed GDPR. It is the latest in a series of decisions by EU regulators taken in response to the 101 complaints issued by Max Schrems' None of Your Business (NOYB) non-profit across Europe, which came in the wake of the Schrems II case. In the cases that have concluded to date SAs have required organisations to stop using Analytics, and there is growing scepticism as to whether a "risk-based" approach to data exports to the US can be justified.
NOYB alleged that IP addresses and other personal data obtained through Analytics cookies were transferred to Google in the US without adequate protections when visitors used the publisher's website. Google argued that:
1. the data was not "personal data", due to Google's efforts to anonymise users' IP addresses; and
2. that it was pursuing a legitimate “risk-based approach” when assessing the legality of the transfer in question.
Both arguments failed. On the first point, the DSB found that IP addresses were not properly anonymised until they had already been transferred to the US, so personal data was being transferred. Further, since Google is classed as an “electronic communications services provider” under US Surveillance laws, even if adequate anonymization subsequently takes place government agencies can still compel Google to provide the data they receive from Europe.
On the second point, the DSB rejected the idea that a risk-based approach is permitted in relation to international transfers of personal data. The DSB highlighted that there is no mention of a risk-based approach in Chapter V of the GDPR, and that the standard contractual clauses entered into between the parties provided insufficient protection for EU data subjects.
It is this second issue which is causing the most alarm for the many EU (and UK) organisations that rely on Analytics in order to remain competitive in their markets. But the case does not necessarily confirm either that using Analytics will always be unlawful for EU companies, nor that the risk-based approach to transfers to the US is a non-starter. In particular, it has been highlighted that the transfers under examination took place under the "old" Controller-processor SCCs from 2010, and that a risk-based approach is now essentially baked in to the 2021 SCCs and the accompanying EDPB's Guidelines. It has also been argued that while Chapter V does not specifically permit a risk-based approach to transfers, the entire ethos of the GDPR is that organisations should take a risk-based approach to all aspects of their data processing.
There could be many more decisions from SAs regarding the use of Analytics to follow in the coming months as well as the prospect of further specific guidance from regulators, so the debate on this fundamental issue for EU businesses may be just getting started.
- CJEU clears the way for opt-out actions by representative associations
The CJEU has issued a significant decision in relation to representative actions for breaches of data protection law. It establishes that the GDPR does not preclude national legislation which permits a consumer association to bring representative actions in the civil courts, even where:
- there is no allegation of a direct infringement of a specific data subject right; and
- there is no direct mandate from the data subject (i.e. it is an opt-out representative action).
In the underlying case, a complaint was made against Meta Platforms Ireland (Meta) for passing personal data to third parties offering free games to Facebook users. The Federation of German Consumer Organisations e.V. (VZBV) brought a claim for injunctive relief against Meta, arguing that the user consent for the disclosure of the data was insufficient, and that users were required to accept detrimental and unreasonable terms and conditions regarding the use of that data which breached German consumer laws.
The case reached the Federal Court of Justice in Germany (BGH). The BGH found that the claims against Meta were well-founded, but raised questions about the standing of VZBV to bring the action. Specifically, it was not clear whether the national consumer protection laws in Germany which previously permitted such claims remained effective, or whether Article 80 of the GDPR now represented the last word on the standing of such bodies and should be interpreted as overriding the national consumer laws.
The CJEU found that GDPR does not preclude such national legislation provided that: (a) the rights of identifiable individuals would be affected by the data processing operation in question; and (b) the consumer association was pursuing an objective in the public interest. So, if national laws provide sufficient standing, GDPR does not get in the way.
This is consistent with the GDPR's general principles. It endorses a permissive approach to redress for impacted data subjects, and it is no surprise that the CJEU decided in favour of an outcome which contributes to achieving a higher level of protection for individual rights.
The impact of this particular intervention could be far-reaching. There is growing momentum for the utilisation of class actions against data controllers alleged to have trampled data subjects' rights, and this decision could release the brakes on a substantial number of pending cases. With the resources of several influential SAs stretched so thin it seems likely that private actions could prove an increasingly attractive option, particularly once the Collective Redress Directive has been implemented across Europe. From 2023, consumer groups in all EU countries will be able to bring claims on behalf of consumers against “traders” that breach a variety of EU laws, including the GDPR.
Data controllers may also need to prepare themselves for a further uptick in complaints and threats of litigation from representative bodies emboldened by this decision. The potential for reputational and financial damage from private actions as well as intervention by SAs may become in increasingly important factor in risk assessments relating to processing consumer data.
- EDPB seeking to harmonise calculation of GDPR Fines
On 12 May 2022, the EDPB published draft additional guidelines on the calculation of GDPR fines for public consultation (Guidelines). While decisions as to the amount of a GDPR fine will remain at the discretion of national SAs, the EDPB intends to promote a more harmonised approach and establish a consistent methodology for these calculations across the EU.
The Fining Guidelines set out a 5-step process:
1. Identify the relevant processing operation(s). Determine if there one, or multiple elements of sanctionable conduct, and whether several distinct breaches have occurred.
2. Establish the "starting point" for the fine based on seriousness of the infringement(s):
(a) categorise seriousness as low, medium or high, considering the nature and purpose of the processing; gravity of the infringement (e.g. high-risk processing, vulnerable data subjects, geographic scope), duration of infringement; intentional/negligent character, categories of personal data involved).
(b) apply the following bandings to the starting point, based on the categorisation above:
- Low - 0 to 10% of the maximum potential fine
- Medium – 10 – 20% of the maximum potential fine
- High – 20 – 100% of the maximum potential fine
(c) in order to ensure fines are "effective, dissuasive and proportionate", adjust the starting amount by considering the turnover of the undertaking.
3. Adjust for aggravating/mitigating circumstances. The Guidelines build on the factors set out in the GDPR itself, including how the infringement was brought to the SA's attention (i.e. self-reported vs complaint/investigation), whether the undertaking is a repeat offender, and whether the undertaking benefited from the infringement.
4. Identify the maximum fine that may be imposed. The GDPR does not set out fixed penalties for particular types of infringement (or "price tags", as they are called in the Guidelines), but does set out different caps for infringements in GDPR Article 83(4) – (6). These are set at either €10 million/2% of total annual turnover, or €20 million/4% of total annual turnover, depending on the GDPR provision(s) breached (and in each case, the higher cap will apply). Where the applicable maximum is a percentage of turnover and the company is part of a larger economic undertaking, it is the combined turnover of the undertaking as a whole which is used to determine the upper limit.
5. Assess whether the proposed fine meets the requirements for it to be effective, dissuasive and proportionate. If it fails to do so in light of the overall context, additional adjustments may be necessary. The Guidelines specifically state that SAs can take into account the undertaking's ability to pay, and that it may be justified in certain cases to impose a "deterrence multiplier".
If the Guidelines are adopted in their current form, they could pave the way for a marked increase in the level of fines imposed for serious infringements, particularly for organisations with substantial turnover. Given the sums involved and the fact that these are merely Guidelines for SAs, it seems highly likely that deep-pocketed undertakings in receipt of large fines will look to test their veracity through appeals to the European Courts.
The Guidelines are open for public consultation until 27 June 2022, with a final version expected to be adopted by the end of the year.