Data protection – third quarter update

Spotlight
13 September 2019

Now that the General Data Protection Regulation (GDPR) has been in force for more than a year, the (European) supervisors seem to be reaching cruising speed. This update provides you with an overview of the most important developments in the past quarter.

Supervisors impose fines for inadequate security, among other things, and also make use of alternative sanctions

Organisations must take appropriate measures to ensure the protection of personal data (Article 32 GDPR). Some recent decisions from the supervisory authorities of our neighbouring countries demonstrate that non-compliance with this obligation can have serious financial consequences:

  • In the Netherlands, the Dutch Data Protection Authority ("Autoriteit Persoonsgegevens" or "AP") has imposed a fine of EUR 460,000 (details in Dutch) on the Haga Hospital for inadequate security of patient records, as a result of which dozens of employees of the hospital had unnecessary access to the digital patient record of a Dutch reality star. According to the AP, the hospital should have regularly checked who was accessing which file by means of log files and should have established the identity of the employees who had access to the digital patient file by means of two-factor authentication.   
  • The UK supervisor (the ICO) is considering imposing a sample fine of over GBP 180 million on British Airways and GBP 99 million on Marriott International for breach of their data security obligations following cyberattacks. At British Airways, cybercriminals diverted traffic to its official website to a fraudulent website that would have allowed cybercriminals to obtain personal data from approximately 500,000 customers. At Marriott International, cybercriminals are said to have succeeded in stealing personal data from about 339 million guests through a poorly secured reservation system.    

Recently, the Belgian Data Protection Authority (DPA) announced (details in French) that it will closely monitor a data leak at an access control system supplier of Adecco. As a result of the leak, millions of items of biometric data, such as fingerprints and facial recognition images, of customers' employees (including some 2,000 from Adecco) could be found unprotected and unencrypted on the internet. It remains to be seen what action the DPA will take in this regard. 

The imposition of an administrative fine is not the only option available to supervisors to follow up on infringements of the GDPR. For example, the DPA's Litigation Chamber decided to reprimand (details in Dutch) FPS Public Health for failing to respond to a request for inspection despite an earlier order to do so (Article 15 GDPR). In particular, the DPA pointed to the fact that the FPS had taken no or insufficient internal measures to be able to respond to such requests in a timely manner, even though the GDPR has been in force since 25 May 2018. 

Earlier, the DPA clarified the role of the Data Protection Officer (DPO) in requests by data subjects to exercise their rights. In its decision of 28 May 2019 (details in French), the DPA ruled that it is the controller, and not the DPO, that takes the final decision on these requests. An investigation by the Inspection Service of the DPA in one particular case revealed that the DPO itself had decided to delete personal data from a mailing list of the data controller, which according to the DPA is not within the powers of the DPO. The DPA finally decided to issue a warning and to publish the decision on its website.

Websites that use the Facebook "Like" button can be (jointly) responsible with Facebook

In an earlier contribution, we already reported on the Opinion of Advocate General (AG) Bobek in the Fashion ID case. In that case, the AG found that the operator of a website who integrates a third-party plug-in, such as the Facebook "Like" button, into his website is responsible, together with that third party, for the processing of personal data collected via the plug-in.

In its judgment of 29 July 2019, the Court of Justice seems to follow the conclusion of the AG. However, the Court of Justice nuanced the AG's conclusion by ruling that the referring court must finally verify whether the website operator and Facebook effectively determine together the purpose of and the means for the processing of personal data. Like the AG, the Court of Justice clarifies that this joint responsibility of website operators does not cover the processing of personal data carried out by Facebook after it has received the personal data from the operators.

From a practical point of view, this judgment means that website operators must provide visitors to their website with sufficient information about the processing of their data, including via the Facebook button. This can be done, for example, in the privacy policy of the website. The website operator will also need to obtain the visitor's consent before their personal data are collected and passed on to third parties such as Facebook. Finally, website operators will have to enter into an agreement with the provider of the social plug-in, stipulating their respective responsibilities and obligations as required by Article 26 GDPR. 

European Data Protection Board publishes (draft) guidelines on the processing of personal data through video devices

On 10 July 2019, the European Data Protection Board (EDPB) published (draft) guidelines on the processing of personal data by both traditional and smart cameras. The guidelines discuss, inter alia, the lawfulness of the processing of video images, the exception for personal or household use, the processing of biometric data (such as facial recognition) and the sharing of images with third parties, including law enforcement agencies such as the police.

Data protection authority launches awareness campaign for SMEs

The DPA will soon launch an awareness campaign (details in French) for micro, small and medium-sized enterprises (SMEs) on the application of the GDPR. The DPA is planning several actions, including a revision of the SME manual it previously published and the creation of a collective communication platform to exchange information between the DPA, the professional organisations represented and the professional networks of data protection officers.

UK and French supervisors publish new guidelines on the use of cookies

On 4 July 2019, the ICO published new guidelines on the use of cookies and similar technologies such as (tracking) pixels and plug-ins. A few weeks later, on 23 July 2019, the CNIL also published new guidelines on cookies (details in French). The new guidelines update previous guidelines from these two supervisors on the use of cookies and take into account, among other things, the stricter requirements for consent in the GDPR.

From these guidelines, the views of the supervisors on "cookie walls" and "further browsing" should be noted. The French supervisor (and earlier also the Dutch supervisor – see our earlier contribution on this topic) ruled that "cookie walls" are not permitted. On the other hand, the UK supervisor does seem to accept partial "cookie walls" if they only limit access to the website to certain content.

Both supervisors agree that consent of the website visitor presupposes clear and active action. As a result, mere further browsing of the website by the website visitor cannot be regarded as a positive action by which the website visitor gives his/her valid consent. 

EDPB publishes its 2018 annual report and provides insight into future priorities

On 16 July 2019, the EDPB published its Annual report 2018, which outlines its main activities in 2018 and its future priorities. In its annual report, the EDPB refers to its 2019–2020 work programme in order to refocus its future priorities. These priorities include the rights of data subjects, the concept of controller and processor, legitimate interest as a legal basis for the processing of personal data and the use of new technologies, such as connected vehicles, blockchain and artificial intelligence.