In this weeks blog I have selected two main articles for your attention. The first confirms the acceptability of the EU-US Privacy Shield but warns that more enforcement must follow for breaches.
The second is another Data Breach class action launched, this time against Equifax for a breach in 2017.
The most notable fine this month came from Poland, where an organisation was fined €9,380 for an insufficient data processing agreement. This is an area we work hard on for clients, putting in appropriate data sharing agreements with processors ranging from an outsourced HR function to the use of a confidential waste provider.
If you would like an assessment of your current agreements, or possible lack of them, contact us.
EU Commission: US Provides Adequate Protection in Data Transfers
The EU Commission issued its report on the third annual review of the functioning of the EU-US Privacy Shield (Privacy Shield) on October 23. The annual review and corresponding report is required of the Commission by the its July 2016 adequacy decision in which it found that the Privacy Shield ensures an adequate level of protection for personal data that has been transferred from the European Union (EU) to the United States. The goal of the review is to evaluate and publicly report on all aspects of the functioning of the Privacy Shield Framework.
Good news: The report, titled Report from the Commission to the European Parliament and the Council on the Third Annual Review of the Functioning of the EU-US Privacy Shield, finds that the United States continues to provide an adequate level of protection for EU/EEA (European Economic Area) personal data transfers. The report states that since the second annual review, the United States has made various improvements, such as appointing a permanent Privacy Shield Ombudsman.
However, the EU Commission calls for further strengthening of the Privacy Shield framework, particularly regarding enforcement. So far, the US Federal Trade Commission (FTC) has overseen just seven enforcement cases on the Privacy Shield.
The EU Commission points out that certain concrete steps should be taken, such as:
- Further strengthening the recertification process for companies that want to participate by shortening the time of the recertification process. The report indicates that companies remain on the Privacy Shield “active” list for too long, as significant “grace periods” are granted for companies that have not yet completed the recertification process by the expiration of the (re)certification period.
- Expanding compliance checks. The report recommends expanding the scope of the current US Department of Commerce (DOC) “spot checks” from formal requirements only (e.g., lack of response from designated points of contact or inaccessibility of a company’s privacy policy online) to also cover more substantive obligations (e.g., compliance with the Accountability for Onward Transfers Principle). The EU Commission would also like to see an expansion in the search for companies making false claims of participation in the framework, including companies that have never applied for certification.
- Developing additional guidance for companies for human resources data. The report notes the “real added value” possible in the development of a “joint guidance” issued by the DOC, FTC, and EU Data Protection Authorities (DPAs).
- For the FTC to share information about ongoing investigations with the EU DPAs and the EU Commission. The report acknowledged that this can be difficult for confidentiality and political reasons, but should be possible in an aggregate and anonymous form in the spirt of cooperation among authorities on which the Privacy Shield is based.
The biggest risk for the Privacy Shield framework remains the pending proceedings at the European Court of Justice, as mentioned in the report. Access by US authorities (e.g., law enforcement and Homeland Security) to EU data remains an issue. We continue to expect a ruling on these proceedings in early 2020 and will keep you posted.
Second data breach class action launched in the UK
Shortly after the Court of Appeal handed down its judgment this month in Lloyd v Google allowing a £1bn to £3bn representative data protection claim against the technology giant to proceed in the Media and Communications Court in London, a second data breach class action was launched in the English High Court.
This time the claim was against credit reference agency Equifax. The High Court compensation action relates to Equifax’s failure to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017.
In 2018 Equifax was fined £500,000 for this breach by the UK’s data protection and information rights regulator, the Information Commissioner’s Office (ICO). This was the maximum fine possible at the time, as the applicable relevant legislation pre-dated the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Under the UK’s new privacy and data regime, the fine could have been up to €20m (or the equivalent in sterling), or 4% of the total annual worldwide turnover in the preceding financial year, whichever was higher.
The incident affected 146 million customers globally and happened in the US, but the ICO decided that Equifax Ltd was responsible for the personal information of its UK customers.
We could shortly see many more representative actions of this nature being launched in the English High Court. Only time will tell, particularly as Google has said it will appeal this month’s Court of Appeal decision allowing data protection class actions to proceed in the UK.
Latest Fines issued around Europe
These are the latest fines issued around Europe due to lack of sufficient data protection.
Austrian Data Protection Authority (dsb)
2019-10-23
€18,000,000 – Austrian Post – Art. 5 (1) a) GDPR, Art. 6 GDPR – Insufficient legal basis for data processing
Insufficient legal basis for data processing The Austrian Post had created profiles of more than three million Austrians, which included information about their home addresses, personal preferences, habits and possible party affinity – which were subsequently resold, for example to political parties and companies.
Polish National Personal Data Protection Office (UODO)
2019-10-18
€9,380 – Major of Aleksandrów Kujawski – Art. 28 GDPR – Insufficient data processing agreement
No data processing agreement has been concluded with the company whose servers contained the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of 40.000 PLN (9400 EUR) was imposed on the mayor of the city.
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-10-17
€2,500 – UTTIS INDUSTRIES SRL – Art. 12 GDPR, Art. 13 GDPR, Art. 5 (1) c) GDPR, Art. 6 GDPR – Insufficient fulfilment of information obligations
The sanctions were applied to the controller because he could not prove that the data subjects were informed about the processing of personal data / images through the video surveillance system, which they have been operating since 2016. And because he made the disclosure of the CNP of the employees, by displaying the Report for the training of the authorised ISCIR personnel for the year 2018 to the company notifier and could not prove the legality of the processing of the CNP, by disclosure, according to Art. 6 GDPR.
Spanish Data Protection Authority (aepd)
2019-10-16
€60,000 – Xfera Moviles S.A. – Art. 5 GDPR, Art. 6 GDPR – Insufficient legal basis for data processing
Xfera Movile has used personal data without a legal basis for the conclusion of a telephone contract and has continued to process personal data even when the data subject requested that the processing be discontinued.
2019-10-16
€8,000 – Iberdrola Clientes – Art. 31 GDPR – Lack of cooperation with the supervisory authority
Iberdrola Clientes, an electricity company, had refused to make a request to a person to change its electricity supplier because it claimed that its data would be included in the solvency list. As a result, the AEPD requested that Iberdola Clientes provide information about the possibility of adding the person’s data to the solvency list to which the company did not respond. This lack of cooperation with the AEPD was a violation of Article 31 of the GDPR.
References:
