See below for the latest Data Blast from our Legal team; UK set to receive adequacy decisions by the European Commission; 2020 saw increase in GDPR fines and data breach notifications; BA data breach class action gathers steam; Belgian regulator takes aim at websites flouting GDPR enforcement; Advocate General’s Opinion seeks to clarify roles under the GDPR ‘One-Stop-Shop’ mechanism…
Positive news for businesses as European Commission publishes adequacy decisions for the UK
On 19 February 2021, the European Commission (EC) published draft data protection adequacy decisions on personal data protection transfers to the UK. If adopted, personal data will be permitted to continue to flow to the UK without restriction, without the need to rely on mechanisms such as the EU Standard Contractual Clauses.
The EC spent nearly a year considering the UK’s data protection framework, and ultimately decided that it meets the EU’s standard for an ‘essential equivalent level of protection’ for personal data.
Under the EU-UK Trade Cooperation Agreement, a transition period beginning on 1 January 2021 and running for a period of 6 months was agreed, during which the UK is to be treated as an adequate jurisdiction. Provided the draft decision is adopted, this interim adequacy recognition will lapse, and the adequacy decision will apply.
Formal adoption of the decision is expected to follow the issuance of a non-binding opinion by the European Data Protection Board, and the ‘green light’ for adoption from a committee of EU Member State representatives.
2020 GDPR fines jump up as regulators increase scrutiny
Over the past year, fines imposed under the General Data Protection Regulation (GDPR) have increased considerably as EU authorities have begun handing out harsher penalties despite the impact of the Covid-19 pandemic.
Since the introduction of the GDPR in May 2018, EU data protection authorities (DPAs) have levied €272 million worth of fines, over half of which have been imposed by DPAs in Italy and Germany. Of this total, €159 million were imposed in the last calendar year, representing a roughly 40% increase over the first 20 months of the GDPR era.
To date, the largest GDPR fine was levied by CNIL, the French DPA, for €50 million against an internet search provider for failing to meet the transparency requirement under Article 13 of the GDPR, and to obtain valid consent in relation to its use of personal data used for personalising advertisements. Other notable fines issued in the past year include those against H&M in the sum of €35 million (covered here) and British Airways in the sum of €20 million (here).
The increased scrutiny of regulators for data security matters appears to have caught the attention of businesses, as 2020 saw a 20% increase in data breach notifications to DPAs over the previous year.
However, despite increasing fines, EU DPAs have faced some notable setbacks when fines have been appealed. For example, in December 2020 the Austrian DPA saw its €18 million fine against the country’s postal service overturned on appeal by the Austrian Federal Court. The Belgian DPA also saw its first ever GDPR fine against a private company overruled by the Brussels Court of Appeal in February 2020.
Some observers had speculated that the Covid-19 pandemic would lead DPAs to take a lenient approach to fines, particularly for businesses in industries most affected by lockdowns and global travel restrictions. Two fines issued by the UK Information Commissioner’s Office (ICO) suggest that such leniency will be limited; the ICO’s £20 million fine against British Airways reflected a reduction of £4 million in recognition of the impact of Covid-19, and its £1.25 million fine against Ticketmaster in November 2020 (covered here) included a reduction of just £250,000 owing to the pandemic.
British Airways faces UK class-action suit over 2018 data breach
More than 16,000 individuals have joined a collective action seeking damages from British Airways plc (BA) as a result of a 2018 data breach, the largest such ‘class action’ to date in the UK.
As previously covered here, BA revealed in 2018 that a hack of its remote access portal had resulted in the exposure of personal and financial data of over 400,000 customers. The ICO eventually fined BA £20 million in relation to the breach, having initially proposed a fine of £183 million. The ICO’s investigation concluded that BA was ‘processing a significant amount of personal data without adequate security measures in place’ which led to the unnecessary exposure of customer data.
The class action was filed shortly after BA’s announcement of the breach in 2018, with a deadline of March 2021 for affected individuals to join the claim. The claimants’ solicitors have suggested that, were all of the individuals affected by the breach to join the suit, BA could face financial liability up to £800 million.
In response to the suit, representatives of BA have stated that the company ‘continues to vigorously defend’ against the action, and that BA is open to settlement negotiations with the claimants. As previously reported here, a class action brought by Morrisons’ employees following a data breach was decided in favour of the company last year.
Belgian DPA to take down GDPR-infringing websites
On 26 November 2020, the Belgian DPA signed a cooperation agreement with DNS Belgium (the DNS), the organisation tasked with managing ‘.be’ country code domain names.
The agreement allows for the DNS to suspend websites linked to GDPR infringements, and establishes a two-tier cooperation system by which the institutions’ enforcement system will be conducted. At a first stage, the cooperation system will see the DNS provide information to the Belgian DPA in relation to its investigations of GDPR breaches. Where non-compliance persists following enforcement action by the Belgian DPA, the regulator will be able to issue a notice to the DNS, which will then be passed on to the owner of the relevant domain, and the domain will be re-directed to a Belgian DPA warning page.
If non-compliance with the Belgian DPA’s order persists, the domain will continue to redirect to the DPA’s warning page for 6 months, after which time it will be cancelled and made available for re-registration. The ‘notice and action’ procedure will only be available for GDPR infringements deemed likely to cause serious harm to individuals’ rights.
CJEU Advocate General issues Opinion regarding GDPR’s One-Stop-Shop
On 13 January 2021, Court of Justice of the European Union (CJEU) Advocate General Michal Bobek (AG) issued his Opinion in the case of Facebook Ireland Limited, Facebook Belgium BVBA, Facebook Inc. (Facebook) vs. the Belgian Data Protection Authority (Case C-645/19).
In September 2015, the Belgian DPA initiated judicial proceedings against the Facebook group companies. The DPA sought a court order prohibiting Facebook from installing cookies on users’ devices without their consent, as well as an order to cease excessive collection of data by Facebook while users browse websites through either the Facebook.com domain, or through other third party websites via Facebook plug-ins. These proceedings were eventually narrowed to include only Facebook Belgium BVBA, due to jurisdictional concerns raised by the Court of Appeal of Brussels regarding the other Facebook defendants.
Facebook had argued that with the May 2018 introduction of the GDPR, the Belgian DPA lacked competence to maintain proceedings concerning GDPR infringements regarding data processing that occurred across EU borders. Given that Facebook’s main EU establishment is in Ireland, Facebook suggested that the Irish DPA was the competent (or ‘lead’) DPA in this case.
As a result, the Court of Appeal of Brussels referred several questions to the CJEU in order to clarify whether the One-Stop-Shop regime under the GDPR prevents a non-lead DPA from launching judicial proceedings in its respective Member State regarding alleged GDPR infringements related to cross-border data processing. The GDPR One-Stop-Shop is a cooperation mechanism which grants lead DPAs a significant role in investigating and taking enforcement action regarding cross-border GDPR infringements.
Two key aspects of the AG’s opinion are his findings that:
- DPAs must comply fully with the GDPR’s competency and cooperation rules. This was contrary to the assertions of the Belgian DPA and several national governments, which argued that the Charter of Fundamental Rights meant that the GDPR rules did not prevent non-lead DPAs from instigating their own procedures in relation to cross-border data processing;
- Whilst all EU DPAs are empowered to initiate proceedings for suspected GDPR infringements affecting their territories, such power is limited where cross-border processing is at issue, as the lead DPA must be able to perform its regulatory function in that regard. The lead DPA must, however, work closely with other concerned DPAs in compliance with the regulatory framework.
The CJEU’s final judgment in the case is expected in the coming month. Whilst not binding on the CJEU, AG opinions have historically been followed by the court in approximately 80% of cases.
For more information please contact Partner, James Tumbridge at firstname.lastname@example.org