When regulation gets teeth
Recent moves on data protection by authorities could indicate a direction for future activity
8 February 2019
In recent weeks there have been a number of significant moves on the data privacy and protection fronts.
Firstly, there was the announcement that Google would be fined a hefty €50 million by the French data protection authority, CNIL. In the grand scheme of things, this is a mere trifle in financial terms, but the public perception is vastly more important.
Google was fined for a lack of clarity in its presentation of information to users; the authority said that this violated the regulation's obligations of transparency and information. The information for users, it said, was not always easily accessible, nor held in one place. Furthermore, some of that information was neither clear nor comprehensive.
A further violation concerned the obligation to have a legal basis for ad personalisation processing. CNIL said that consent was not validly obtained for two reasons: firstly, the users’ consent was not sufficiently informed, and secondly, the consent collected was neither “specific” nor “unambiguous”.
For these violations the fine was levied.
Of course, Google has said it will appeal but hopefully the point is made. Ambiguous, unclear or non-explicit information or consents will not be tolerated.
Then there was the German judgement against Facebook’s data gathering.
Announcing the results of a three-year probe, conducted in the wake of the Cambridge Analytica scandal, the chief of the German Federal Cartel Office said: “In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook accounts.”
Facebook would, said the cartel office, only be allowed to assign data from WhatsApp or Instagram to its main Facebook app accounts if users consented voluntarily. The collecting of data from third-party web sites and its assigning to Facebook would similarly require consent.
The implications are that if consent is withheld, Facebook would have to substantially restrict its collection and data combination. There was also the requirement to develop proposals within 12 months for alternatives, subject to the outcome of any appeal proceedings in Duesseldorf’s Higher Regional Court.
An antitrust lawyer from the firm Clifford Chance in Brussels, Thomas Vinje, said the ruling was a landmark decision.
Vinje said though the ruling was limited to Germany, it “strikes me as exportable and might have a significant impact on Facebook’s business model.”
“Users are often unaware of this flow of data and cannot prevent it if they want to use the services. We need to be rigorous in tackling the abuse of power that comes with data,” said Katarina Barley, German Justice Minister.
Added to all of this is a concern expressed by the Irish data protection commissioner at reports that Facebook plans to merge its messaging services on WhatsApp, Messenger and Instagram.
The DPC said it “will be very closely scrutinising Facebook’s plans as they develop, particularly insofar as they involve the sharing and merging of personal data between different Facebook companies.”
Reports are that the DPC is demanding a meeting with Facebook to address these concerns.
Furthermore, there have been reported rumours that US authorities are also in the closing stages of investigations that may see the social media giants levied with hefty fines for similar violations.
However, this apparent crackdown comes as a report from law firm DLA Piper has found that of 59,430 disclosed data breaches across Europe, only 91 resulted in fines.
Perhaps unsurprisingly, the Netherlands, Germany and the United Kingdom led the way in the number of reports, together accounting for nearly two-thirds of data breach notifications, with 15,400, 12,600 and 10,600 disclosures, respectively.
All of this might seem conflicting to an extent: an apparent tightening of regulation, and yet a low number of fines, albeit decidedly high-profile ones.
However, it must be borne in mind that these investigations can be complex, time consuming and labour intensive. Despite the GDPR itself, and its attendant legislation, requiring that governments provide sufficient resources for data protection authorities to properly police bodies within their jurisdiction, it can often be hard to find the right people, and enough of them.
In addition, the initial period of regulation will see some organisations being over-cautious, perhaps resulting in a bump in the number of reported breaches that, on inspection, prove to be innocuous.
Rather than look at volume then, it is probably more valuable to look at the nature of those cases that have resulted in fines. They are the ones that set out clearly that old practices will no longer be sufficient. The rambling, dense and often disjointed EULAs or notifications will not be overlooked going forward.
Clarity, ease of consumption and comprehension will be the order of the day, and the requirement. This may not ultimately result in people abandoning services such as Facebook, Gmail or the like, but what it may do is make people more aware of the value that providers derive from people’s usage of such services, and so of their own individual value in the process.
This combined with the increasing capabilities of watchdogs to process complaints and investigate potential violations will likely mean that business models that do not stand up to scrutiny will be targeted first.
Watch this space.