Personal Data Processing News [July 2019]
Personal data protection does not go unnoticed even in the summer. Great attention was attracted in particular by the British data protection authority ICO, which announced the possibility of imposing fines worth of millions of pounds on British Airways and Marriott. The European Data Protection Board also kept busy and adopted a series of important documents at its last meeting. The fate of standard contractual clauses and the Privacy Shield as a tool for transferring personal data to third countries and the US remains in the centre of attention.
British ICO as a possible pioneer of massive fines for GDPR breaches
The highest fine for a GDPR breach to date, specifically EUR 50 million, was imposed on Google by the French supervisory body CNIL. This threshold may soon be exceeded by the British supervisory body ICO, which announced its intention in early July to fine British Airways and Marriott.
Marriott hotel chain
The well-known hotel chain faces a fine of GBP 99,200,396 for an alleged leak of contact and financial data of tens of millions of customers. The leak is supposed to have taken place in 2014, when the systems of the Starwood hotel group, purchased by Marriott two years later, were attacked. This case clearly shows that the area of personal data protection is not to be underestimated in acquisition projects.
The leak was discovered in 2018, when it was also reported – in line with the new EU rules for personal data protection – to the British regulator, which had Marriott’s full cooperation throughout the investigation and the identified flaws were remedied.
The fine that could be imposed on the airline is almost twice as high as the one to be imposed on the Marriot hotel chain, specifically, it could be as high as GBP 183 million. British Airways is supposed to have committed an infringement of the GDPR by not adopting sufficient security measures and failing to prevent a hacker attack on its website and mobile application, which allegedly led to the leak of data of almost half a million customers. Through a false website, the attackers had harvested details of customer names, payment cards, email and postal addresses since June 2018.
The airline reported the incident in September of last year and similarly to Marriott, it provided full cooperation during the investigation and took remedial action. Like Marriott, British Airways has an opportunity to make representations to the ICO as to the proposed findings and sanction. Data protection authorities in the EU whose residents have been affected by the leak will also have the same right.
The fine amount is not final in either of these cases. Both companies have allegedly committed a similar infringement of the GDPR, i.e. a data leak as a result of insufficient security. While both fines may seem very high, the question remains whether the British ICO would not have proposed an even higher amount if the companies had not reported the leak immediately or had not fully cooperated during the investigation. In the case of British Airways, the proposed fine corresponds to 1.5% of its annual turnover, while the maximum fine for a GDPR breach may amount up to 4% of the company’s global turnover.
Transfers of personal data outside the EU at risk? Developments surrounding the Privacy Shield and standard contractual clauses
The primary tool for transferring personal data to the United States of America, namely the resolution of the European Commission known as the “Privacy Shield” is subject to scrutiny of the Court of Justice of the EU, together with so-called standard contractual clauses, which are the most common instrument for transferring personal data to third countries.
Austrian lawyer Maximilian Schrems, who was behind the invalidation of the previous instrument for transferring data to the United States of America (“Safe Harbour”), filed a complaint with the Irish data protection authority stating that personal data protection in the US was insufficient since the transferred data were accessible to US authorities. The preliminary questions referred to the Court of Justice of the EU are available on the eur-lex website.
The ruling of the Court of Justice of the EU can be expected in the first half of 2020. Until that time, the United States is trying to address certain complains of EU bodies regarding the level of personal data protection in the US. As an example, we can mention the recent appointment of an ombudsman whom EU citizens may contact regarding the processing of personal data by US authorities. Following the confirmation by the US Senate in late June 2019, this role will be held by Keith Krach.
Standard contractual clauses, whose timely review was promised by Czech EU Commissioner Eva Jourová in her June speech on the first anniversary of the effective date of the GDPR, also do not remain unnoticed. The current version of standard contractual clauses still refers to the previous data protection directive.
The potential invalidation of the Privacy Shield or standard contractual clauses would have extensive consequences, as there would be no legal framework for transferring personal data not just to the US but also to most non-EU countries. An alternative could consist in the use of so-called binding corporate rules, which are, however, used rather rarely (primarily due to their limited flexibility, since they have to be approved by the competent data protection authority) and they are suitable primarily for cross-border transfers of personal data within multinational corporations. Prospectively, codes of conduct or data protection certificates could represent a suitable method of transferring data. Since they are new GDPR institutes, their use has not caught on so far as the procedures of their set-up have not yet been fully finalised.
DPIA: further developments regarding the methodology of its preparation
In February 2019, the Czech Data Protection Office issued the first part of the long-awaited methodology, which answers the question of data controllers whether they need to prepare a Data Protection Impact Assessment (DPIA) for a specific case.
The second part of the methodology, which lists exceptions from the obligation to perform a DPIA, has yet to be issued. However, a draft already exists and has been submitted to the European Data Protection Board (EDPB), which issued an opinion on it on 10 July 2019. However, the opinion does not contain the full list of the proposed exceptions. Nevertheless, its wording indicates that the Czech office proposed exempting at least the following processing events from the obligation of preparing the DPIA, but it has to amend or exclude the relevant parts according to the EDPB:
- Processing in the area of HR, social security and health insurance (according to the EDPB, the exception is admissible only under the condition that it is a legally required processing and not on a large scale);
- Processing in relation to business activities (according to the EDPB, the exception is admissible only under the condition that the processing concerns non-sensitive data of customers and the processing is not on a large scale);
- Processing for the purposes of direct marketing (according to the EDPB, the exception is admissible only under the condition that the processing does not concern sensitive data and data of vulnerable groups of persons); and
- Footage of a camera installed on a vehicle (the EDPB is against this exception).
The European Data Protection Board issued guidelines on camera systems
At its July plenary meeting, the European Data Protection Board (EDPB) adopted draft guidelines on processing of personal data through video devices. The draft is intended for public consultation.
On almost 30 pages, the EDPB analyses several legal aspects, with the most interesting ones being:
- When the processing by camera systems is not subject to the GDPR and when it is;
- How to correctly inform natural persons about the use of camera systems;
- What are the specifics with respect to the request for exercising the rights of the data subjects; and
- A significant part addresses questions regarding the combination of camera systems with biometrical analysis.