31 May 2020

Data Blast: Dutch fine employer for fingerprint use, US considers a Health & Privacy Act and more…

See below for the latest Data Blast from our legal team: Dutch fine employer for fingerprint use, US considers a Health & Privacy Act, European Data Protection Board Annual Report, and Easyjet data breach…

Dutch DPA issues fine for unlawful processing of employee fingerprint

On April 30th, the Dutch Autoriteit Persoonsgegevens (the Dutch DPA) imposed a €725,000 fine on an employer for unlawfully processing employees’ fingerprints, for the purposes of taking attendance and time registration.

Fingerprints and other biometric data qualify as sensitive personal data under the GDPR and are subject to stricter processing requirements. The Dutch DPA found that the company in question, which was not named, did not have valid legal grounds for processing the data, as it could not establish that fingerprinting was necessary to achieve any of its stated goals.

Sensitive personal data processing is prohibited, save for where an Article 9 GDPR condition applies. In the present case, there were two legitimate conditions on which the company may have been able to process the fingerprint data; explicit consent, and necessity for authentication or security purposes, the latter of which was introduced by the Dutch GDPR-implementing legislation.

However, the Dutch DPA stated that neither exception could be relied on in the circumstances. Regarding consent, it was found that many of the employees felt obliged to permit the use of their fingerprints, and employee consent is generally not seen as valid in light of the subordinate employer/employee relationship. Necessity for authentication or security purposes can only be relied on where IT system or building security cannot be achieved by less invasive means than through the use of biometrics. The Dutch DPA found that, although the company’s activities were to remain confidential, biometric data usage was not justified.

The Dutch DPA concluded that the fingerprint processing was unnecessary and disproportionate, but confirmed that the defendant company will appeal the decision. This decision is of particular importance given the recently issued guidance by several EU data protection authorities (covered here), concerning the processing of sensitive health data by employers in order to combat the spread of Covid 19.

US Democrats introduce the Public Health Emergency Privacy Act

On May 14th, Democrats in the US Senate and House introduced the Public Health Emergency Privacy Act (the Act) which seeks to implement temporary rules relating to the collection, use and disclosure of all emergency health data used to combat the spread of Covid 19.

The Act applies only to personal data concerning the coronavirus pandemic, including physical and behavioural health information and data collected for the purposes of tracking, monitoring, screening or contact tracing, including geolocation data and proximity data. In order to secure personal data and protect the privacy of the data subjects whose data has been collected, the Act requires that organisations and government departments adhere to certain restrictions, including:

Only collect, use or disclose data necessary and proportionate for health purposes;

  • Ensure data accuracy and provide a means by which individuals may correct any inaccuracies;
  • Establish and implement reasonable data security policies;
  • Only disclose data to a government entity if it is a public health authority;
  • Adopt reasonably safeguards to prevent unlawful discrimination on the basis of emergency health data;
  • Obtain affirmative and express consent prior to collecting or using emergency health data, unless one of several exceptions applies; and
  • Provide notice in a privacy policy detailing to purposes for which collected data will be used, and to whom and for what purposes the data will be disclosed.

The Act also prevents government agencies from using the data to deny or restrict voting rights, and creates a private right of action for violation of the Act, where a particularised injury has occurred.

Importantly, the rules imposed by the Act would cease to exist after the Public Health Emergency, declared by the Secretary for Health and Human Services, has been lifted, and data collected may not be used or maintained for more than 60 days afterwards.

EDPB releases Annual Report for 2019

The European Data Protection Board (the EDPB) released its annual report (the Report) on May 18th, featuring general guidance and guidelines, as well as binding decisions regarding EU data protection law.

The Report outlined the adoption of 5 data protection law guidelines, as well as 16 Consistency Opinions regarding processing activities that give rise to a mandatory data protection impact assessment. The Report also provided an update regarding the EDPB’s participation in the joint review of the EU-US Privacy Shield adequacy decision, and included an adopted statement regarding the use of personal data during political campaigns.

The Privacy Shield adequacy decision review was conducted by the European Commission in order to review the system’s practical implications and robustness. The EDPB was supportive of efforts made by both the US and EU, including the adoption of the initial certification process, starting ex-officio oversight and expanded enforcement, all of which enhanced transparency in the system. The EDPB also welcomed the appointment of a new Chair and 3 members of the Privacy and Civil Liberties Oversight Board, and a permanent Ombudsman.

However, the EDPB also outlined a number of concerns regarding the Privacy Shield, many previously expressed by the EDPB’s predecessor, the Article 29 Working Party (previously covered here) regarding the lack of assurances aimed at excluding indiscriminate collection and access of personal data for national security purposes.

Furthermore, the EDPB did not consider the Privacy Shield Ombudsman to have sufficient power to remedy non-compliance, and noted that the measures employed to ensure compliance with the Privacy Shield’s principles were not sufficiently strong. The EDPB also voiced concern regarding the checks needed to comply with onward transfer requirements, the scope of HR data and the Privacy Shield recertification process.

In their statement regarding the use of personal data during political campaigns, the EDPB highlighted the following points to be taken into consideration by political parties when processing personal data during electoral activities:

  • Under the GDPR, personal data revealing political opinions is a special category of data and its processing is prohibited except under a limited number of conditions;
  • Personal data made public, for instance on social media, is still subject to EU data protection law;
  • Even where data processing is lawful, organisations must respect their duties of fairness and transparency to individuals whose data has been collected. Political parties and candidates must be prepared to demonstrate how they have complied with data protection principles;
  • Automated decision-making, including profiling, is only lawful with the valid explicit consent of data subjects;

In case of targeting, adequate information should be provided to voters explaining why they are receiving a particular message, who is responsible for the message, and how they may exercise their rights as data subjects.

The Report (full text of which can be found here) also highlights the EDPB’s concerns regarding cross-border compliance with GDPR, particularly as it relates to cooperation between Member State DPAs.

EasyJet announces data breach affecting 9 million passengers

EasyJet has announced that hackers have breached the personal data of at least 9 million passengers in what the airline has described as “a highly sophisticated cyber-attack”.

It is understood that the data accessed includes the full names, email addresses and travel information (destination, departure and arrival dates etc.), but not credit card or other payment information. However, the credit card details of a relatively small number of passengers (2,208) was stolen.

This is the latest serious data breach to affect the airline industry in recent years. The ICO issued British Airways with a fining notice (with the amount yet to be finalised) in relation to a breach in 2018, and more recently, the ICO fined Cathay Pacific Airways for various security failures between 2014 and 2018, which led to a breach of the personal data of some of its passengers.

Under Article 82 of the GDPR, individuals affected by a data breach may be able to claim for compensation in certain circumstances. The breach comes at a difficult time for the airline, which continues to experience the effects of the Covid-19 pandemic.

EasyJet’s announcement can be read here.

For more information please contact Partner, James Tumbridge at