Over two years since the GDPR came into force, the full extent of its impact is still developing at pace. In this post, we look back at the 2020 European data protection landscape and five trends that help companies understand not only where we are, but where data protection enforcement, litigation, and practice may be headed.
1. Enforcement against a wide range of violations with no one enforcement model winning out
Data Protection Authorities (“DPAs”) undoubtedly hit their stride in 2020 with a reported 95% increase in the value of published GDPR penalties compared to 2019, and four of the top five highest GDPR penalties to date:
- €35 million against H&M for illegally surveilling employees in Germany
- €27.8 million against telecommunications operator TIM for unsolicited marketing calls
- £20 million against British Airways for its 2018 data breach
- £18.4 million against Marriott for its 2018 data breach
When you dig deeper, though, two key points emerge.
First, no one enforcement model wins out. Based on published penalties, regulators in Italy, the UK and Germany led the way by value, issuing a total of €58.1 million, €43.7 million, and €37.4 million in GDPR fines respectively. While the UK’s figures, for example, were skewed significantly by its blockbuster fines, other regulators are issuing a high number of smaller fines, opting for a broad enforcement agenda in which companies’ cost of engaging with the regulator may often have exceeded the penalty imposed. Some regulators are also issuing multiple fines to the same company for separate GDPR violations, while others are taking more holistic enforcement action when issues arise.
For example, in August 2020 the CNIL issued a €250,000 penalty against the France-based online shoe retailer Spartoo covering unrelated GDPR violations, including breaches of the data minimisation, storage limitation, transparency, and data security principles. In contrast, the Spanish DPA appears to have a preference for taking separate enforcement action: in 2020, it published 29 penalty notices against one company – Vodafone/Telefónica Móviles.
Meaningful differences in DPAs’ enforcement agendas may, therefore, be emerging. Some appear to opt for fewer, bigger penalties, while others choose to enforce against a higher number of less high-profile infringements whether against the same company or not. The practical impact is that both the risk of formal GDPR enforcement action for a given violation, and the size of the potential penalty, could turn in many cases on which DPA has jurisdiction. Companies may want to consider this carefully when assessing enforcement risk, with the usual caveat that past performance is no guarantee of future results.
Second, enforcement goes far beyond data breaches and the GDPR. While data breaches often hit the front pages and the GDPR receives the lion’s share of data protection practitioners’ attention, 2020 enforcement highlighted the need for a holistic approach to data-related risk.
For example, the CNIL’s blockbuster fines of €100 million against Google and €35 million against Amazon for placing advertising cookies without valid consent and failing to meet transparency obligations were issued under France’s ePrivacy Directive implementing legislation. This shows not only that there is still significant enforcement risk under the now somewhat aged ePrivacy Directive, but also that DPAs’ enforcement agendas will likely continue to stretch beyond data breach-related enforcement.
2. DPAs face difficulties in making fines stick
Regulators appeared to have a difficult time making penalties stick. Companies successfully challenged a number of high-value fines through the regulatory process or the domestic courts, suggesting potential high returns on investment for those willing to challenge penalties.
Two of the biggest write-downs came in the UK, where British Airways and Marriott secured reductions of their initially proposed fines of £183.39 million and £99.2 million to just £20 million and £18.4 million respectively. It seems likely that the biggest driver behind the climb-downs was strong opposition to the use of the ICO’s “Draft Internal Procedure” for calculating the proposed penalties, which appears to have led the ICO to apply a less punitive framework.
There were also high-profile successful challenges in Member State courts. In Germany, for example, the Regional Court of Bonn reduced telco 1&1’s fine for violating Article 32 of the GDPR by 90%, from €9.5 million to €900,000, after concluding that the initial sum was unreasonably high for the company’s relatively minor infringement. Google also scored a partial victory in Sweden when the Stockholm Administrative Court ordered a 30% reduction to Google’s €7.3 million fine for right to be forgotten violations, taking the final sum down to €5 million.
Companies challenging the size of penalties may need to be ready for a long road, though. It took the ICO 110 weeks, starting on the date it was notified about the incident, to issue its final penalty notice against British Airways, and 125 weeks for the Ticketmaster penalty notice. Ticketmaster also sent 22 pieces of correspondence to the ICO, according to the ICO’s penalty notice, before the resolution. For 1&1, the appeal process was relatively quick, but it still took 48 weeks to prevail on appeal. A protracted challenge might be a small price to pay, though, if a company can secure a significant reduction in a fine.
3. Increased (and increasing) litigation risk
Historically, companies have tended to be primarily concerned with regulatory enforcement action for data protection violations, but last year increasing litigation risk from private plaintiffs came to the fore. The trend accelerated in 2020, driven by changes to civil procedure rules in major jurisdictions that make group litigation (roughly akin to U.S. class actions) easier to launch, and by consumer rights advocates entering the fray, often supported by leading litigation funders (or even crowdfunding). This will be further fuelled by the EU Collective Redress Directive, which requires Member States to implement procedures to ensure effective collective redress for, among other things, breaches of EU data protection law.
The English courts, in particular, saw a flurry of activity, including claims against Marriott (even before the ICO had issued its final penalty), Facebook for Cambridge Analytica-related failings, and YouTube for targeting the data of up to five million children without the requisite consent.
Beyond the UK, the Netherlands also saw a series of high-profile claims, spurred at least in part by the Collective Damages in Class Actions Act, which entered into force on 1 January 2020 and provides for both opt-in and opt-out compensation claims depending on where claimants are based. Perhaps most notable were The Privacy Collective’s parallel claims against Salesforce and Oracle in the Dutch and English courts for alleged failure to obtain valid consent for processing personal data collected through third-party tracking cookies. Dutch courts have also seen other high-profile cases, including the AI-related claims brought against Uber for allegedly failing to disclose information about its automated decision-making process and then relying on it to dismiss employees.
With damages of over €1 billion claimed in the biggest cases, the recent uptick in data protection-related litigation is a reminder for companies that, unlike in the past, a DPA fine is unlikely to be the end of the matter in many cases.
4. Convergence of competition law and data protection issues
Last year the intersection between competition law and data protection issues continued to develop. In June, Germany’s highest court upheld the German Federal Cartel Office’s decision to prohibit Facebook from merging personal data obtained from its WhatsApp platform and other third-party sources, on the grounds that it had not obtained the requisite individual consents.
This reflects a wider trend of competition authorities clamping down on the aggregation of personal data. In November, the European Commission took a preliminary view that Amazon had abused its dominant position in the French and German e-commerce markets. Europe’s top competition regulator accused Amazon of using the business data of independent sellers, which it had obtained under its capacity as the marketplace service provider, to give its retail businesses an unfair advantage.
Greater regulatory scrutiny surrounding competition and data protection issues was also met with changes to competition frameworks. Germany’s Draft Act on Digitisation of German Competition Law and the UK Digital Markets Unit will hand authorities wider enforcement powers over companies which exert significant market power but fall short of being considered dominant under existing rules. Online marketplaces and tech companies have traditionally fallen into this category, and may therefore face particular scrutiny.
5. Renewed focus on international data transfers
The Schrems II judgment in July put data transfers from EU to non-EU countries (irrespective of mechanism) under increased scrutiny during the second half of the year. The picture continues to shift as we await final versions of the European Commission’s revised Standard Contractual Clauses and the European Data Protection Board guidance on supplementary measures (both covered here). That said, the EU-UK Trade and Cooperation Agreement brought some last-gasp relief to Brexit-related cross-border transfer concerns with a further six month transition period. Hopes remain for a permanent adequacy decision that would maintain, in perpetuity, a “free trade zone” in personal data between the UK and EU.
Moving forward, companies may need to keep a close eye on their data transfers out of the EU, given that, in the post-Schrems II era, the appetite for regulatory enforcement and private litigation of data transfer issues is likely to increase.
Things to watch out for in 2021
Looking ahead to 2021, we expect all of the trends above to continue. One area to watch particularly closely is pan-EU cooperation, and whether the GDPR can achieve uniform application of data protection standards across the bloc. The CNIL’s fines against Google and Amazon under domestic ePrivacy Directive implementing legislation could be seen as a challenge to the GDPR’s one-stop-shop (like the CNIL’s €50 million 2019 penalty against Google) given the overlapping subject matter. Likewise, the wrangling among European DPAs related to the Irish DPC’s eventual €450,000 Twitter fine shows that consensus building might be hard to achieve in the future.
While the European Data Protection Board has called for the GDPR’s consistency mechanism to be used for future enforcement under the long-awaited ePrivacy Regulation, businesses may still face an increasingly fractured enforcement landscape – not least because the UK ICO can no longer act as a Lead Supervisory Authority under the GDPR. Companies may, therefore, need to prepare themselves for higher levels of parallel regulatory scrutiny from both within and outside the EU into 2021 and beyond. Vigorous enforcement of the UK’s own Data Protection Act and the “UK GDPR” by the ICO can also be expected.
The authors would like to thank Debevoise trainee associate Jesse Hope for his contribution to this article.