Privacy Shield Invalidated: What's next?
There have been a few interesting developments in European data protection that non-European Economic Area (‘EEA’) companies, particularly those based in the U.S., should pay attention to in order to not expose themselves to unnecessary and potentially costly regulatory risks.
Posted on 6 Aug 2020
CJEU Invalidates Privacy Shield
What is of note to U.S. firms is the long-awaited CJEU decision on the E.U.-U.S. Privacy Shield (“Schrems II”), in which the CJEU invalidated the adequacy decision applied to the U.S. self-certification regime Privacy Shield because of invasive U.S. national security laws applicable to certain organisations. Privacy Shield was originally created following the invalidation of the original international data transfer mechanism, the U.S. Safe Harbor (“Schrems I”). The CJEU has now determined that Privacy Shield did not give E.U. citizens protections equivalent to the GDPR. In the same decision, the CJEU reiterated the validity of Standard Contractual Clauses (the “SCCs”), which may now become the standard fallback position for those relying on Privacy Shield; however, it also emphasised that the SCCs should not be treated as a box-ticking exercise as, although templated, they create enforceable contractual obligations. If their provisions cannot be observed because of legal requirements imposed by the third country on the data importer, the SCCs will be invalid.
The CJEU’s decision in Schrems II creates further uncertainty about the future of transatlantic data transfers. As the E.U. and U.S. negotiate the path forward, U.S. businesses in the scope of the GDPR should review their personal data flows, identify whether they or their sub-contractors are subject to U.S. national security laws and determine the feasibility of additional contractual or technical measures to supplement the required reasonable safeguards.
Further, a business with no establishment in the EEA must appoint a European Representative as set out in Article 27 of the GDPR; the lack of such a representative where the business has no EEA establishment is itself a violation of the GDPR.
The GDPR is here to stay and although the table below highlights the investigations into the operations of well-known brands, it does not mean that smaller businesses will not become the focus of regulatory scrutiny. This is especially the case given that the CJEU, also in Schrems II, emphasised the duty of the E.U. regulators to act on any irregularities and therefore more investigations and enforcement actions are to be expected.
Largest Fines so Far
Since May 2018, the implementation date of the General Data Protection Regulation (“GDPR”), E.U. data regulators have imposed fines on many companies for GDPR violations. Although individually the majority of these fines have been relatively low in value, E.U. member states have collectively imposed more than €430 million worth of penalties in total.
Potentially, British Airways might receive the largest fine yet, £183 million, off the back of the U.K. Information Commissioner's Office (the "ICO") notice of intention to fine. This was in response to a data breach that compromised the personal information of approximately 500,000 customers. The ICO investigation found that users of British Airways’ website had been diverted to a fraudulent site where personal data, including bank and credit card details, were stolen. In an interesting turn of events, however, there is evidence to suggest that the actual fine may be a mere fraction of the eye-watering £183 million. The International Consolidated Airlines Group, British Airways’ parent company, published an Interim Management Report on Monday 3 August 2020 in line with its reporting obligations. Within this report, it states the figure of EUR 22 million which “has been recorded in respect of a provision concerning the theft of customer data at British Airways in 2018.” This, of course, does not give us certainty as to what the final fine amount will be; however, it may be an indicator. Nevertheless, due to Brexit, the highest fine in the short history of the GDPR may go to a non-EEA company!
The GDPR introduced two principles concerning territorial applicability: the principle of establishment and the principle of extra-territorial effect. Article 3 of the GDPR states that it applies to non-EEA companies:
- If the processing of personal data takes place in the context of the activities of an establishment or organisation in the E.U., regardless of whether the processing itself takes place in the E.U. (Article 3, Section 1 of the GDPR); and
- If the personal data of individuals who are in the E.U. is processed by an organisation not established in the E.U. and the processing concerns the offering of goods or services to individuals in the E.U., or monitoring the behaviour of individuals that takes place in the E.U. (Article 3, Section 2 of the GDPR).
Therefore, U.S. or other non-EEA companies doing business with Europeans or in Europe may fall within the scope of the GDPR. Examples of this are the U.S.-based multinational companies Marriott International and Google LLC, which may now be subject to the second and third (or possibly first and second, considering the new developments in British Airways’ case) largest fines to be imposed by the E.U. regulators.
In July 2019, the ICO issued a notice of intention to fine hotel chain Marriott International Inc. £99 million after the company uncovered an earlier data breach and notified the ICO in November 2018. The vulnerability is thought to have been present since late 2014 in the systems of Starwood Hotels Group, which Marriott International acquired in 2016, before the GDPR came into force. This breach compromised the passwords and credit card records of 30 million E.U. residents. The ICO’s potential fine against Marriott International represented 3 per cent of its worldwide annual revenue, which is close to the maximum penalty allowed by the GDPR. Marriott later stated that it plans to appeal the fine.
Similarly, in January 2019, the French data protection authority fined Google LLC €50 million after finding that Google’s use of blanket consent forms and pre-ticked boxes was not sufficient to constitute ‘valid and explicit consent under GDPR’. At the time, this was the largest fine issued for a GDPR violation. Google’s fine represented approximately 0.4 per cent of its worldwide annual revenue, which is substantially less than the GDPR’s maximum penalty of 4 per cent (in this case, 4 per cent would amount to more than $4 billion for Google). Google is in the process of appealing the fine. Additionally, Greece fined U.S. consulting company PwC for failing to gain employee consent for the use of their personal data for analytics purposes.
There are currently several ongoing investigations regarding potential GDPR violations by U.S. firms. Many of these investigations are directed at U.S.-based tech companies, given that tech firms frequently use personal data to conduct business. Ireland, the country in which many U.S. tech firms base their European operations, is leading many of these investigations (see the table below). However, France, the U.K., and Germany are also conducting certain investigations into the activities of U.S. firms.
How can we help?
If you would like to find out whether your non-EEA business is in the scope of the GDPR, Laven’s Data Protection specialists can provide an accurate assessment of this. If you are in scope, Laven has a range of GDPR and European Representative services that will help ensure you remain compliant and avoid the large penalties for a breach.
For more information on Laven’s EU representative services click here to check out our partner website, eurorep.eu.
For more information on our GDPR services, click here.
| U.S. Firm | Alleged GDPR Violation |
|---|---|
| Facebook | Right of access: whether Facebook’s Hive database observed obligations to ensure user data is transferable. |
| Facebook | Lawful processing: whether Facebook’s terms of service respect the “lawful basis” for processing personal data; Facebook’s use of personal data for behaviour analysis and targeted advertising. |
| Facebook | Data breach: 5 ongoing investigations regarding whether Facebook met breach notification requirements as well as technical/organisational obligations before and directly following breaches, in addition to whether Facebook violated the GDPR by keeping user passwords in plain text on internal servers. |
| WhatsApp | Lawful processing: whether WhatsApp’s terms of service follow the lawful basis for processing personal data. |
| WhatsApp | Transparency: whether WhatsApp meets transparency obligations on information provided to users. |
| Instagram | Lawful processing: whether Instagram’s terms of service follow the lawful basis for processing personal data. |
| Twitter | Right of access: whether Twitter’s ability for users to access links meets GDPR right of access obligations. |
| Twitter | Data breach: whether Twitter met technical/organisational requirements to safeguard data following a breach. |
| LinkedIn | Lawful processing: LinkedIn’s use of personal data for behaviour analysis and targeted advertising. |
| Apple | Lawful processing: Apple’s use of personal data for behaviour analysis and targeted advertising. |
| Apple | Data access: whether Apple meets its data access request obligations under the GDPR. |
| Google | Lawful processing: Google’s use of personal data for behaviour analysis and targeted advertising. The investigation will also look at transparency and data minimisation obligations under the GDPR. |
| Quantcast | Lawful processing: Quantcast’s use of personal data for behaviour analysis and targeted advertising. |
| Verizon | Lawful processing: whether Verizon’s use of online cookies complied with lawful processing requirements. |