3 July 2018

Data Protection: Social media and tech companies face first GDPR complaints over ‘forced consent’

Within hours of the GDPR coming into force, complaints of GDPR non-compliance were filed by the newly established privacy group None of Your Business (‘noyb’) against some of the largest social media and tech companies, including Facebook, Instagram and WhatsApp. Noyb argues that although the GDPR explicitly allows any data processing that is strictly necessary for use of the service, users are being forced to consent to targeted advertising in order to use services at all, in what it refers to as a ‘take it or leave it’ approach to consent. The complaints have been filed with regulators in Austria, Belgium, France and Germany. In noyb’s view, the GDPR prohibits forced consent and any form of bundling a service with a requirement to consent (Article 7(4) GDPR); consequently, access to a service can no longer depend on whether a user consents to uses of their data that the service does not actually need.

Noyb states that prohibiting forced consent does not mean that companies can no longer use customer data, but that they must get valid consent in order to do so. Noyb argues that there should be a clear separation between what it refers to as ‘necessary and unnecessary data usage’, and that processing of data for the purpose of targeted advertising is not a necessary purpose and should, therefore, have a separate consent option.

Noyb’s overview of its complaints can be read here. It has also been reported that similar complaints have been filed in France by the French digital rights group La Quadrature du Net against Apple, Amazon and LinkedIn. Noyb also states that it is already planning further complaints about the illegal use of user data for advertising purposes or ‘fictitious consent’, so watch this space!

German Court Weighs in on the Battle for WHOIS

The coming into force of the GDPR on May 25th 2018 saw some notable legal challenges regarding data privacy, including the complaints made against Facebook and others reported above. Yet a less publicised action initiated on the 25th could be of considerable importance to internet safety.

On May 25th, ICANN (the Internet Corporation for Assigned Names and Numbers) filed injunction proceedings against EPAG, a German domain name registrar owned by the Tucows Group. The action was in response to EPAG’s stated plan to cease collecting registrants’ technical and administrative contact information, in breach of its contract with ICANN.

In a May 25th statement, EPAG explained that ICANN’s Registrar Accreditation Agreement required it not only to collect information it does not need, but to do so where it may have no legal basis for the processing. EPAG argues that collecting technical and administrative contact details means processing personal data of people with whom it has no direct relationship. It also notes that in the vast majority of cases this information is identical to the registrant’s own details, so that collecting it separately serves no purpose.

On May 30th, the court declined to issue the injunction. However, in doing so the court ruled only that it would not compel EPAG to collect the relevant data for new registrants; it did not indicate whether such collection would itself violate the GDPR. ICANN has argued that technical and administrative contact data serve important functions: they facilitate the secure operation of the domain name system and allow those causing technical or legal problems via their domain names to be identified and contacted.

The extent to which the German court decision will impact WHOIS going forward is unclear. However, in light of this decision and certain registrars electing to shield domain name data above and beyond ICANN’s Temporary Specification model, it is possible that WHOIS as we know it will soon cease to exist.

GDPR: Legitimate Interests and Data Subject’s Reasonable Expectations

Under the GDPR, personal data may be processed without the data subject’s consent where the processing rests on the legitimate interests basis (Article 6(1)(f)). That basis is met when processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

The Article 29 Working Party (‘WP29’) advises that this balancing test should be documented so that data subjects, supervisory authorities and the courts can examine it, and that it must weigh a broad range of factors, one of which is ‘the reasonable expectations of data subjects based on their relationship with the controller.’ Regarding digital marketing, WP29 has stated that ‘consent should be required, for example, for tracking and profiling for purposes of … behavioral advertising, data-brokering,… [and] tracking-based digital market research.’

Whether an expectation is reasonable depends largely on the relationship between the data subject and the controller or processor. If you provide a free service through your app or website, some processing to support advertising is something a data subject might reasonably expect, although, as the WP29 statement above makes clear, that expectation does not extend to tracking and profiling for behavioural advertising, for which consent is required. Another example would be where a person uploads their CV to a job site and the recruiting company passes it on to third-party employers looking for qualified candidates.

Ultimately, the test becomes whether a customer would be surprised and upset on learning that their data is being processed, and how it is being processed. Controllers looking to rely on legitimate interests rather than consent should therefore ask themselves, ‘is this processing activity something that our customer or client would expect us to do?’, and record the answer.

First GDPR Fines Forthcoming?

Dixons Carphone has publicly admitted a massive data breach involving 5.9 million payment cards and 1.2 million personal data records. Less than a month into the GDPR era, this breach has data privacy experts wondering whether Dixons Carphone will be the first company hit with a GDPR-level fine.

Of the 5.9 million compromised cards, 5.8 million were chip-and-PIN protected, and there is no evidence of fraud relating to the remaining 100,000 cards. More importantly, and luckily for Dixons, the breach happened close to a year ago, which may allow Dixons to escape the much larger fines available under the GDPR.

Dixons has suffered data breaches before: it was fined £400,000 earlier this year by the Information Commissioner’s Office (ICO) for a similar breach three years ago in which the credit card details of 90,000 customers were exposed. Under the GDPR, however, an organisation may be fined up to 4% of annual global turnover or €20 million, whichever is higher, for failure to comply with the new law. For Dixons, which reported 2017 revenues of £10.5 billion, this would mean a maximum fine of roughly £423 million. While the breach itself occurred before the GDPR took effect on May 25th, 2018, it remains unclear under which regime the ICO will enforce the law.

In a June 13th statement, the ICO stated that “We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Act.” The recently passed Data Protection Act 2018 supplements the GDPR in UK law, and its application would likely expose Dixons to the considerably larger fines outlined above.

The case promises to set an interesting precedent, as the Dixons breach occurred before the GDPR came into force but its impact is being felt afterwards, a scenario likely to recur. Complicating matters is the recent fine for the 2015 breach, which could put the ICO in the position of not wanting to be seen as lenient towards a repeat offender, despite its preference to date for not imposing large, GDPR-scale fines.

Even if the breach is dealt with under the GDPR regime, the ICO may settle on a modest warning fine in light of its unusual timing. Regardless, companies that handle large consumer databases should keep an eye on this case, as it will provide an important first glimpse of the ICO’s enforcement approach under the GDPR.