October Newsletter
Privacy Optimization - Data Breach Management Tool
1. The Swedish DPA holds that specific recipients must be listed following an access request
The data subject filed his complaint with the DPA in Germany. The German DPA transferred the complaint to the Swedish DPA, which was the Lead Supervisory Authority in this case. The Swedish DPA used the mechanisms for cooperation and consistency (Chapter VII GDPR), because this complaint concerned cross-border processing. The DPA determined that the bank violated Article 15 GDPR. The DPA held that in the present case, the data subject had explicitly requested information about the recipients of his personal data. The bank did not prove that providing this information was impossible or would involve disproportionate effort. Since the bank did not prove this, it violated the provisions of the GDPR.
2. Advocate General issues opinion on non-material damages for GDPR violations
This case concerned Österreichische Post AG (controller), a logistics and postal service provider in Austria. From 2017 onwards, it published address directories and collected information on the political party affinities of the Austrian population. With the assistance of an algorithm, it defined certain ‘target group addresses’ based on selected socio-demographic features. One person whose data was processed in this way was upset by the storage of data about his party affiliation, and offended by the affinity attributed to him for a particular party. The data subject sought 1,000 euros in damages for internal discomfort in the court of first instance, which dismissed the data subject's claim. The ruling was later confirmed by an appeals court. The data subject then appealed to the Austrian Supreme Court.
The Supreme Court asked the CJEU: Does an infringement of the GDPR alone give rise to a right to compensation, regardless of whether or not harm occurred?
The AG considered two interpretations of the question and stated that, under both interpretations, this first question should be answered in the negative. Among other things, the AG concluded that compensation for non-material damage does not cover the mere upset which a data subject may feel as a result of an infringement.
3. Britain to replace GDPR data privacy regime with its own system
Britain will replace the European Union's data privacy regime, known as the General Data Protection Regulation (GDPR), with its own system. Culture secretary Michelle Donelan said: “We will be replacing GDPR with our own business- and consumer-friendly British data protection system,” speaking at the annual conference of Britain's governing Conservative Party in Birmingham. This rebooted reform approach entails the government taking aim at bureaucratic EU “red tape”, which Donelan claimed is responsible for the current U.K. rules being a disproportionate burden for small businesses as a result of the “one-size-fits-all” approach in the GDPR. The (paused) data reform bill was the culmination of the Brexiter government’s thinking on data protection under Johnson. The government will continue work on the new system.
Decisions
1. The CNIL has imposed a fine of EUR 20,000,000 on Clearview AI
The investigations carried out by the CNIL revealed several breaches of the GDPR:
On 26 November 2021, the Chair of the CNIL decided to give CLEARVIEW AI formal notice to:
CLEARVIEW AI had two months to comply with the injunctions formulated in the formal notice and to justify its compliance to the CNIL. However, it did not provide any response to this formal notice. The Chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge of issuing sanctions.
On the basis of the information brought to its attention, the restricted committee decided to impose the maximum financial penalty of 20 million euros, in accordance with Article 83 of the GDPR. You can find more here.
2. The British DPA has fined the construction group Interserve Group Limited EUR 5,033,000
Between 18 March 2019 and 1 December 2020, Interserve Limited (“Interserve”) failed to process personal data in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR. This left Interserve vulnerable to a cyber-attack, which took place in the period 30 March 2020 to 2 May 2020 and affected the personal data of up to 113,000 Interserve employees. Read more here.
3. The UK DPA has imposed a fine of EUR 1,547,000 on Easylife Ltd.
The Information Commissioner’s Office (ICO) has fined Easylife Ltd £1,350,000 for using personal information of 145,400 customers to predict their medical condition and target them with health-related products without their consent.
The company was also fined £130,000 for making 1,345,732 predatory direct marketing calls.
Easylife is a catalog retailer that sells household items, as well as services and products under their Health, Motor, Supercard, and Gardening Clubs.
The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalog, the company would make assumptions about their medical condition and then market health-related products to them without their consent. You can find details here.