The authors of the European Union’s General Data Protection Regulation (GDPR) left a lot to be interpreted by the courts. After 21 months we have seen the expected initial complaints and fines against big companies like Facebook and Google. However, several lower-profile cases that have already been decided provide insight into how GDPR will be applied, and, perhaps just as importantly, show that smaller organizations are just as likely to be caught as the ones with deep pockets. For those racing to be CCPA compliant, these initial decisions also provide insight into how CCPA may be interpreted.
Case 1: Invasiveness A Key Factor
The Swedish Data Protection Authority fined a municipality 20,000 euros for testing facial recognition technology to monitor student attendance. This case is interesting for three reasons. First, although the data subjects had provided consent, this ruling indicates that consent is not always enough. Second, the ruling called out the testers for not having consulted the Swedish DPA and for not having conducted an impact assessment before executing a test using sensitive biometric data. Finally, despite involving a single class of 22 students, a relatively small group, the test did not fly under the GDPR radar.
The Swedish DPA determined that data subjects’ consent was not legally valid because of a meaningful imbalance between the controller and the data subject. Given that many marketers use consent, or a liberal interpretation of a legitimate interest of the data controller, as the basis for their activities, this judgement should be a warning against interpreting consent as a blank check.
Case 2: Right to Access May Include Everything
While there have been several conflicting court decisions out of Germany regarding the Right of Access, the most concerning one, from the Appeal Court of Cologne, held that a data subject’s access rights include all personal data pertaining to them and processed by the insurance company in question, including any internal notes regarding conversations between company employees and the customer. The court dismissed the argument that this was impractical and stated that the IT systems should be updated to support this level of access.
For marketers attempting to determine what information to pass along, the safest path appears to be to overshare. For some companies this may expose their use of third-party data in their marketing efforts, along with its sources.
Case 3: Unexpected Kind of Hammer Dropped on Foreign Processor
Sometimes there are worse penalties than fines. The Canadian firm AggregateIQ Data Services was instructed to “Cease processing any personal data of UK or EU Citizens obtained from UK political organizations or otherwise for the purpose of analytics, political campaigning or any other advertising purposes”, effectively removing it from the UK data market. If you are unfamiliar with this firm, it is the Brexiteers’ version of the now-bankrupt Cambridge Analytica. As a processor, AggregateIQ received personal data from various political Leave parties and campaigns to support targeted social media campaigns. However, the ICO decision clearly views the firm as a controller, with all associated obligations, and found it in violation on the following grounds:
– Not processing personal data in a way that the data subjects were aware of
– Not processing personal data for purposes which data subjects expected
– Not having a lawful basis for processing
– Not processing the personal data in a way which was compatible with the reasons for which it was originally collected
– Not communicating appropriate fair processing information to those individuals
Political beliefs aside, this case calls out two key points. First, processors need reasonable confirmation that their use of data given to them by controllers falls within the privacy and data usage notice of the collectors. Second, some controller obligations may be held against processors even though GDPR explicitly states that controllers may not assign their obligations to processors. How the DPAs and courts view organizations that straddle the controller-processor fence may not be as clear cut as initially thought.
As more time goes by, more fines are levied, and more court cases are decided, organizations will gain a better understanding of how GDPR will be applied. For those subject to CCPA, these decisions provide direction on how to proceed with implementing the right of access, dealing with third-party data, and understanding the limits of consent. Until then, the best many organizations can do is be overzealous in following the law as they understand it, and learn from those who found out the hard way that their interpretation was not aligned with the intent of the law.