GDPR related updates across the EU Vol.2
- DPC issues record €1.2 billion fine against tech giant Meta
The DPC (Irish DPA) has issued a record-high fine against Meta for violating Article 46 of the GDPR by transferring personal data from the EU/EEA to the USA. The DPC found that Meta failed to protect the fundamental rights and freedoms of data subjects because its transfer arrangements did not adequately mitigate the risks identified in the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. Besides the administrative fine, Meta is also required to suspend transfers of personal data to the USA within five (5) months and to bring its processing operations into compliance with Chapter V of the GDPR within six (6) months.
- EDPB adopts final version of Guidelines on the calculation of administrative fines
The European Data Protection Board (EDPB) adopted the final version of its Guidelines on the calculation of administrative fines. The guidelines aim to harmonise the methodology data protection authorities (DPAs) use to calculate fines and set several common ‘starting points’. Three elements are considered: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of the business. Additionally, a five-step methodology is introduced that takes into account the number of instances of sanctionable conduct (possibly resulting in multiple infringements); the starting point for the calculation of the fine; aggravating or mitigating factors; the legal maximums of fines; and the requirements of effectiveness, dissuasiveness and proportionality.
- IMY issues fine against Spotify AB for violation of the right to access
On 12 June 2023, IMY (Swedish DPA) published its decision finding Spotify AB in violation of Articles 12 and 15 of the GDPR. Namely, Spotify failed to provide sufficiently clear information regarding the rights of the data subject, and therefore the data subject’s right of access to certain information was infringed. IMY investigated consumer complaints against the streaming platform and found that, while Spotify AB provides the data it processes upon request, it should also explain how it uses this data in a manner that is easy to understand. For personal data that are especially difficult to understand (e.g. technical data), IMY noted that the explanation should also be given in the consumer’s native language. Even though IMY did not consider the shortcomings of Spotify AB to be critical, it decided to issue a fine of almost €5 million in view of the number of registered users and the turnover of the company.
- DSB issues fine against facial recognition company Clearview AI
DSB (Austrian DPA) launched an investigation against Clearview AI, a company which owns a database of facial images collected from public web sources and used to create profiles from the biometric data extracted from them. It is reported that the database includes 30 billion images and that the company can link the profiles it creates to other data, such as the geolocation or the web source of the images. DSB found a violation of Article 5, namely that the processing lacked lawfulness, fairness and transparency, that it served a completely different purpose from the original publication of the complainant’s personal data and that it did not follow the principle of data minimisation. In addition, a violation of Article 9 was found, since none of the exceptions in Article 9(2) were satisfied that would have made lawful the processing of special categories of data, such as the scanning of the complainant’s face, the extraction of his uniquely identifying facial features and the translation of these features into vectors. DSB ordered the company to erase the complainant’s personal data, ordered it to designate a representative in the EU and issued a fine of €30 million.
- CNIL issues €40 million fine against CRITEO for personalized advertising
CNIL (French DPA) has fined CRITEO, a company specialising in “behavioural targeting”, after complaints from the NGOs Privacy International and None of Your Business. The company collects the browsing data of internet users through cookies when they visit CRITEO partner websites and then analyses the collected data in order to display the most relevant advertiser and product to each user. Subsequently, the company participates in real-time bidding and, if it submits the winning bid, displays personalised advertisements. The decision of CNIL, which was approved by all 26 other European supervisory authorities, found that CRITEO was in violation of the GDPR for failure to demonstrate prior consent (Art. 7), failure to comply with the obligations of information and transparency (Arts. 12 and 13), breach of the right of access (Art. 15), failure to comply with the right of data subjects to withdraw consent and their right to erasure (Arts. 7 and 17), as well as failure to provide an agreement between joint controllers (Art. 26).
- Complaint against the newspaper "Politis" for publishing names and photos of police interrogators
Following a re-examination of the above matter, a decision of the Commissioner for Personal Data Protection issued on 16 January 2023 is pending before the Administrative Court. The Commissioner had decided on 9 January 2019 that, with the relevant publication, the newspaper had violated Articles 5(1)(c) and 6(1)(f) of the GDPR. It was held that the publication of the relevant personal data did not contribute to the public interest in information and that it was not necessary, under the principle of data minimisation, for the purpose of exercising the right to inform. The newspaper could have achieved the intended purpose while disclosing fewer personal data, for instance by referring only to the initials of the full name and/or by blurring the faces of the police officers. An administrative fine of €10,000 was imposed at the time. A recourse was filed against this decision, which resulted in its annulment by the Administrative Court, and the Commissioner therefore re-examined the case. In her decision of 16 January 2023 the Commissioner reached the same conclusion, but after taking into account all the relevant mitigating factors the fine imposed on the newspaper amounted to €7,000.
- Fine against German bank after lack of transparency over automated rejection of credit card application
The Berlin Commissioner for Data Protection investigated a complaint against a Berlin-based bank which offered a credit card through an online application process. Applicants used an online form requesting various data, such as income and occupation, to apply for the card, and an algorithm based on rules and criteria previously defined by the bank then approved or rejected the application. A client with a good credit rating whose application was rejected filed a complaint when the bank did not justify the rejection, but only responded in the abstract about the procedure and not with regard to the particular case. The Commissioner’s investigation found violations of Article 5 (unlawful processing of personal data), Article 15 (the right of access) and Article 22 (the right not to be subject to automated decision-making). According to the decision, the bank was obliged to provide information on the factors behind the decision and on the reasons for rejection in each individual case. In setting the fine, the high turnover of the bank and the intentional design of the process were taken into account, while the bank’s admission of the violation and its subsequent improvements to the process were regarded as mitigating factors.