See below for the latest Data Blast from our legal team: Amazon fined 746 million euros for targeted ads; Hundreds of European businesses face cookie complaints to regulators; First GDPR fine in the UK is reduced by two thirds on appeal; Consultation period announced for new post-Brexit data transfer agreement for UK organisations; ICO allows public bodies to send email and text messages without consent…

The Luxembourg data protection regulator, the CNPD, has issued a fine of 746 million euros against Amazon for alleged breaches of the GDPR relating to targeted advertising to its users. The fining decision was not published by the CNPD, but came to light from a regulatory disclosure filed by Amazon in the US. The fine represents by far the highest penalty levied under the GDPR, the previous record being a 50 million euro fine levied by the French regulator CNIL. Amazon has stated that the fine will be appealed.

The CNPD fine resulted from a complaint lodged by the French group La Quadrature du Net on behalf of 10,000 Amazon users, alleging that Amazon used their personal data for targeted marketing without having users’ informed consent. The complaint was originally made to the French data protection authority, the CNIL, in May 2018 and passed to the CNPD in Luxembourg under the GDPR’s one-stop-shop mechanism, Luxembourg being Amazon’s chosen EU base. La Quadrature du Net has previously brought a successful case before the European Court of Justice in relation to the bulk retention of communications data by internet service providers, and has recently been critical of the Irish data protection regulator’s failure to conclude investigations stemming from the group’s complaints against Apple, Facebook and others.

The reported fine against Amazon comes at a time of growing criticism of the GDPR’s one-stop-shop mechanism, and may give momentary pause to its critics, pending an appeal by Amazon. The fine is likely to increase pressure on the Irish Data Protection Commission (DPC) to conclude its investigations into various ‘big tech’ firms, Ireland and Luxembourg being the EU bases of choice for such organisations due to their favourable tax regimes.

NOYB files 422 cookie complaints with regulators in ten European countries

Max Schrems, the Austrian lawyer and privacy activist who successfully challenged the EU-US Safe Harbour and Privacy Shield data transfer arrangements, has set his sights on businesses which allegedly use cookies to track individuals’ online activities without meeting the GDPR requirements for user consent.

NOYB, the data rights organisation led by Mr. Schrems, has lodged 422 complaints with the data protection regulators in ten EU member states, seeking investigations into a variety of allegedly illegal practices around the use of cookies. The complaints follow an initial round of threats by NOYB to more than 500 organisations in the spring of 2021, which resulted in some businesses bringing their practices fully in line with what was sought. The practices at issue in the NOYB complaints include:

  • Setting non-essential cookies by default
  • The use of pre-ticked boxes for cookie consent
  • The use of ‘dark patterns’ such as deceptively coloured buttons to encourage ‘consent’
  • Improper reliance on legitimate interests as the legal basis for the use of cookies
  • Failure to allow withdrawal of consent as easily as the provision of consent

NOYB has stated that the complaints are based on the various cookie guidelines issued by European regulators, and that this highlights the need for harmonisation of e-privacy approaches at the EU level. An EU e-privacy regulation has been in development since 2016, and a draft proposal put forward by the EU Council in the spring will now be subject to the EU’s ‘trilogue’ process, where it will be negotiated by the Member States and the European Parliament, with the European Commission also weighing in.

The complaints target a wide range of businesses, and NOYB highlights in particular that ‘major’ global organisations including Amazon, Facebook and Twitter refused to implement changes following NOYB’s efforts earlier in the year.

NOYB has filed approximately half of the complaints with the Austrian data protection authority, citing NOYB’s inability to produce complaints itself in the requisite national languages for those targeted businesses. To date, at least the French regulator, the CNIL, has publicly acknowledged receipt of NOYB’s complaints, and has stated that it will conduct its own inquiries.

First GDPR fine against a UK business is greatly reduced on appeal, but failings confirmed

The first GDPR-era fine issued by the ICO was for £275,000 against a pharmacy, Doorstep Dispensaree Limited (Doorstep), which we first reported on here. The fine resulted from the revelation that Doorstep had stored crates of printed records in an unsecured courtyard, determined to consist of more than 500,000 documents containing personal data, including special category patient health data.

Doorstep appealed the fine to the First Tier Tribunal (Tribunal). The parties agreed that appeals to the Tribunal are to be heard de novo, with the Tribunal reaching its own conclusions on the parties’ evidence. Doorstep adduced new evidence following an external audit of the documents at issue; the ICO did not submit any new evidence on the appeal, and the Tribunal accepted Doorstep’s evidence showing the number of records containing personal data was considerably lower than had been assessed by the ICO.

The Tribunal ruled on two important procedural aspects of appeals from ICO enforcement actions resulting in a fine: the applicable burden of proof on the parties, and the standard of proof in relation to ICO-issued fines. In relation to the burden of proof, the Tribunal concluded that the ICO bears an initial evidential burden to prove that an infringement of the relevant law has occurred; the party found to be in breach then bears the onus of disproving the alleged breach.

The parties accepted that the civil standard of proof (the balance of probabilities) applies to the appeal of an Enforcement Notice itself. However, counsel for Doorstep argued that the administrative fine issued by the ICO should be reviewed on the criminal standard (beyond a reasonable doubt), as it was in essence a punitive measure. Citing the distinct penalty regimes in the UK Data Protection Act 2018 – one providing for administrative fines, and the other providing for criminal sanctions – the Tribunal judge concluded that ICO fines are reviewable on the lower, civil standard of proof.

The Tribunal confirmed that Doorstep had breached its GDPR obligation to store personal data securely (amongst other failings), and that a fine was appropriate. Accepting the new evidence submitted by Doorstep showing that fewer than 70,000 records containing personal data had been improperly stored (rather than 500,000 as originally assessed by the ICO), the Tribunal reduced Doorstep’s fine to £92,000, roughly one third of the original fine.

ICO seeking comments on proposed approach to post-Brexit data transfers

The ICO has published for public consultation a suite of documents covering the transfer of personal data to third countries from the UK. The documents include an ICO consultation paper seeking views on the approach to be adopted on matters such as the scope of application of the UK GDPR where data is transferred abroad in the context of services offered by a business in the UK.

The principal draft documents published by the ICO are: an International Data Transfer Agreement (IDTA), which would serve as the UK equivalent to the EU’s Standard Contractual Clauses (SCCs), which we have previously outlined here; and an International Transfer Risk Assessment Tool, to enable data controllers to determine whether the IDTA will provide sufficient protection for personal data for a given international transfer.

Helpfully, the ICO has also proposed an Addendum which can be used by parties where the EU SCCs have previously been adopted. The Addendum would serve to modify the language of those EU SCCs in relation to data transfers from the UK and subject to the UK GDPR.

The ICO consultation runs until 7 October 2021, and parties can submit their responses via the ICO website. The ICO will thereafter publish finalised international data transfer documents which will become mandatory, replacing the current bespoke UK version of the ‘old’ EU SCCs which were in force at the end of the Brexit transition period.

ICO announces policy shift allowing public sector bodies to send promotional communications without consent

The UK ICO has recently issued a statement setting out its view as to whether promotional communications by public bodies are subject to privacy rules intended to prevent individuals from receiving unsolicited marketing by electronic means, including by email, text or telephone. The ICO’s position appears to have changed significantly from its past practice, effectively taking most public sector communications outside the scope of rules restricting the sending of ‘direct marketing’ messages.

Sending direct marketing email and text messages, and making marketing phone calls, are restricted by the Privacy and Electronic Communications Regulations (‘PECR’). Direct marketing by email or text message requires the consent of individual recipients. The UK GDPR is also relevant, as it sets out the threshold for consent: valid consent must be freely given, specific, informed, and unambiguous.

The ICO has consistently distinguished between direct marketing messages, requiring consent, and ‘service messages’ which do not require consent. Service messages are informative in nature, rather than promotional, and do not constitute direct marketing; for example, a message from an internet service provider notifying users of a system outage. The ICO has issued many fines to organisations for direct marketing communications in contravention of the PECR; we have previously reported on such fines, including here and here.

Non-commercial promotional messages from senders such as public bodies and political campaigners have historically been treated by the ICO as direct marketing messages, and subject to the consent of the recipient, unless they were purely ‘service’ messages. The ICO’s recent position statement means that promotional communications from public bodies will not be treated as direct marketing – and will be exempt from the requirement for consent – provided that the public body instigating the communication is satisfied that it is ‘necessary for [its] task or function and proportionate to [its] aim’.

The UK GDPR provides individuals with an absolute right not to be subject to direct marketing; following the ICO’s position statement, individuals will only have a right to object to such communications (after having received an unsolicited communication), as those communications will not be considered by the ICO to be direct marketing. The change in approach is likely to cause considerable frustration for political campaigners and advocacy groups who remain subject to the strict direct marketing rules. It remains to be seen how widely the new latitude will be adopted by public bodies, but it may not be long before the ICO is required to address complaints stemming from unsolicited promotional messaging by public bodies.

For more information please contact Partner, James Tumbridge at jtumbridge@vennershipley.co.uk.