Eva Jarbekk
Partner
Oslo
Newsletter
by Eva Jarbekk
Published:
It is only four weeks since the last privacy update but many things have happened including, of course, a continued focus on cookies and cloud services. A first point of interest is the approach taken by the Belgian Data Protection Authority in the so-called "IAB-case on cookies and ad-tech". Whereas a substantial fine could have been imposed the Authority instead chose to apply a smaller fine (EUR 250,000) together with a deadline of 6 months in order to make the set-up legally compliant. This approach is good for all parties as it ensures both appropriate privacy protections and the ability for companies to rectify any shortcomings before being fined heavily.
There has also been an increasing focus on whether the Data Protection Officer ("DPO") is to be considered independent or not. This has been a topic that has been long and heavily debated in privacy forums, but now that the first sanctions are coming I believe it will be an important subject moving forward. The same goes for auditing your data processors – it just has to be done. If you want a template for what you should ask them – do contact us. Another interesting decision has recently come from the Danish Data Protection Authority, where a company was criticised for mentioning processing in their privacy declaration that actually did not happen. Happy reading!
A minor auditing case in Belgium has given rise to key considerations concerning the independent role of DPOs: An ordinary audit at a bank revealed a possible conflict of interest between an employee's role as DPO and other roles held by the employee in the bank. In addition to being the DPO, the employee also held roles as head of the Operational Risk Management, Information Risk Management and Special Investigation Unit. The bank was ultimately fined EUR 75,000.
In Norway similar issues seems to be considered in connection with an ongoing inspection at Telenor.
This development is not surprising. Since 2018 European privacy forums have discussed how the independence of the DPO is to be ensured. However what is new is the importance placed by the data authorities on this and in the future it seems likely that every company's DPO will need to be a genuinely independent role. This will be a real challenge in smaller companies where there are fewer heads to share the roles.
There is even more happening in Belgium that could have ripple effects on other countries: The Belgian Data Protection Authority has fined IAB Europe, a multinational industry organisation for media houses and advertisers, EUR 250,000 for breach of the GDPR. The breach concerned the data framework IAB Europe developed for collection and consent to marketing/advertising used by a very large number of companies. The Authority ruled that there were significant breaches of basic principles for processing personal data, lack of legal basis, duty of disclosure and security of processing.
The Belgian Data Protection Authority found that even though IAB Europe considered itself to be only a data processor they are in reality to be regarded as a data controller as it is IAB Europe that determines the terms and guidelines for the use of the data framework.
Another thing that may be worth noting in this case is both the size of the fine and the deadline for rectification: IAB Europe has been given a deadline of 2 months to come up with a plan to rectify the errors and implementation of the plan must take place within 6 months. This strategy of giving a low fine first, coupled with an opportunity to correct errors is fairly new from a data authority but is likely to be perceived as fairer and may be the way in which most data authorities will proceed in future. Tellingly the Swedish and Danish Data Protection Authority already in many cases issues "reprimands" rather than imposing fines. This could, therefore, well be the start of a new trend that ensures privacy but also provides more predictability for companies.
If you read the case about IAB Europe, you will see that the handling of cookies is a central part of the decision and the requirement for correction. The pressure on cookies is increasing and here in Norway we are now among the "worst" when it comes to accepting and using cookies. This is because we, strangely enough, still accept browser consents. The Norwegian Data Protection Authority has therefore sent a letter to the Ministry of Local Government and Regional Development to streamline Norwegian cookie rules with those that apply in the EU.
Regardless of this it is our strong recommendation that companies with activities in several countries not wait for the Ministry's response but should comply with EU rule as it simplifies internal administration. A similar situation has been criticized by the Danish Data Protection Authority in a new critique of the magazine "Den Blaa Avis":
The Danish Data Protection Authority assesses that the various types of processsing, which a visitor accepted by clicking "Accept", constituted several different processing purposes, including marketing, collection of information in order to improve and personalize the user experience on the website and disclosure of information to third party companies such that these third parties could process the information. The purposes were therefore not divided and precisely stated.
Furthermore, the third party companies were not specifically identified, nor was there a link or drop-down menu in close connection with the purpose for which the information was passed on.
As part of the EDPB's Coordinated Enforcement Framework, 22 data authorities in Europe have launched a joint investigation into the public sectors' use of cloud services. The purpose is first and foremost a mapping of such use with the aim of being able to formulate general guidelines on how the public sector can use such services and remain compliant. See more about this here:
A funny little case from the Danish Data Protection Authority shows how important it is that the privacy statements correspond to the data processing that actually takes place: The Data Protection Authority concluded that Næstved municipality had breached Article 5 (1) (a) of the GDPR by claiming in its privacy statement that they used the data for marketing, when they demonstrably did not do so. And that also becomes wrong!
The Italian Data Protection Authority has issued a fine of EUR 400,000 to a company that had not sufficiently ensured that a subcontractor processed the personal data in a correct and responsible manner. Vendor audits? Yes, you have to do them.
Meta, the parent company of Facebook, has settled USD 90 million in a class action that has been pending in the court system for 10 years. The settlement concerns a practice that Facebook has long since abandoned, namely that they tracked users' activities on the internet even after they were logged off the platform.
We have learned that it takes a long time to close major privacy cases. Practices that ended many years ago can persist in the judicial system for a long time afterwards. The point is simple: not being compliant now can be costly well into the future.
Finally the Norwegian Data Protection Authority is maintaining its focus on credit information and the abuse of such information. If you have access to credit information make sure that access is not misused. In the case below an investigation agency conducted a credit rating on behalf of a customer who claimed to have a claim for damages against the credit-rated person. The investigation agency stated that the purpose of the credit rating was to fulfill the agreement with its customer and examine the complainant's financial situation in order to assess any legal steps. This was found notto be a sufficient legal basis and a (not so large) fine of NOK 50,000 was imposed.