New Calculation Model for Data Protection Fines in Germany

On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR.  The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board.

The document contains:

  • a method to assign a value to the seriousness of an offense; and
  • a method to calculate the amount of the fine in light of the seriousness of the offense.

Seriousness of the infringement.  Based on the factors set out in Art. 83(2) of the GDPR, the DSK proposes to classify an offense as minor, medium, serious or very serious. The method assigns to each classification a range of values from which a Supervisory Authority can choose (for example, if an infringement is serious pursuant to Art. 83(5) or (6), the Supervisory Authority can assign a value of between 8 and 12). This number will then be used in step 4 of the calculation methodology described below.

Calculation of the fine.  According to the DSK’s proposal, fines should then be calculated on the basis of the following 5 steps:

  1. a Supervisory Authority should start by reviewing the undertaking’s annual turnover in the preceding financial year to classify it according to its size as a micro (A), small (B), medium (C) or large (D) undertaking and assign it to a specific sub-group (for example, A.II covers micro undertakings with a turnover between € 700.000 and € 1.4 million);
  2. the Supervisory Authority should then determine the average annual turnover of the respective sub-group (in the above example, for an undertaking classified as A.II, the allocated average turnover would be € 1,050,000);
  3. then, the Supervisory Authority should divide the average annual turnover of the respective subgroup by 360 to determine the “basic economic value of the undertaking” (in the above example, the basic economic value is € 2,917);
  4. the “basic economic value” is then multiplied by the value of the seriousness of the infringement as described above;
  5. finally, the amount obtained through this multiplication is adjusted in light of “other circumstances not yet taken into account” (the DSK’s proposal is not more specific on this point).

Unfortunately, the DSK proposal does not address in detail the meaning of “undertaking” in Art. 83(4) and (5) when a company belongs to a corporate group and how the relevant annual turnover of an “undertaking” should be calculated.  In this respect, the guidance refers to recital 150 and provides that “undertaking” has the meaning given to it under Articles 101 and 102 of the TFEU, i.e., “a functional meaning of undertaking”.

This is in line with what the DSK stated in another guidance on GDPR sanctions (available here in German):

(…) the DS-GVO provides a concept of undertaking that is broader than that of Art. 4(18) GDPR. The term “undertaking” in the context of enforcement proceedings is to be inferred from Recital 150 of the GDPR. According to this recital, the broad, functional concept of enterprise borrowed from antitrust law in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) applies. The consequence of this is that parent companies and subsidiaries are regarded as an economic unit, so that the total turnover of the group of companies is taken as the basis for calculating the fine.

New Draft ePrivacy Regulation Released

The Council of EU Member States – one of the two main EU lawmaking bodies – recently released a new draft version of the ePrivacy Regulation (“EPR”).  Negotiations on the regulation have been deadlocked for a while, but seem to be gathering new momentum under the Finnish Presidency.  Below we highlight some selected topics that may be of interest to readers.

  • Users will have to be reminded (probably every 12 months) of their right to withdraw their consent to the processing of electronic communications content or metadata, unless users request not to receive these reminders. This does not apply to consent for cookies or direct marketing by e-mail or SMS.
  • Member States continue to reserve the right to implement data retention obligations, for example, for law enforcement purposes. This remains a controversial topic in light of past and pending CJEU case law.
  • The consent requirements for cookies do not materially change, although the derogations are more clearly defined; they now include audience measuring and software updates, among others, under certain conditions. In the draft, it is clear that the consent must be a GDPR-consent, which is in line with the recent CJEU Planet49 decision, but the draft also explicitly indicates that consent can be obtained by “appropriate” technical settings of software.
  • Recital 21 addresses the issue of cookie walls (e., subjecting a service to consent for cookies used for advertising purposes). The current draft suggests that this is indeed possible and that the required consent (users must “accept such use”) should not be considered an invalid (tied) consent under Art. 7(4) GDPR when the processing for advertising is “necessary” for the performance of the service.  In other words the acceptance is freely given.  However, the tortured language of the recital demonstrates its political sensitivity – e.g., the recital refers to accept, not “consent”.
  • Direct marketing by e-mail or SMS for own products and services to existing customers would still be based on legitimate interest with a right to opt-out. However, Member States could set an expiration time on this, following which the relevant party would presumably have to seek an opt-in consent if it wants to continue sending advertising.  This risks creating a patchwork of un-harmonized marketing rules across the EU, despite having an EU-wide regulation.
  • Electronic communications metadata can be used for scientific research, without consent, under certain conditions. Interestingly, under the most recent version of the EPR, these conditions no longer require that the research be based on Union or Member State law ( a contrario Art. 9(2)(j) GDPR).  This is a welcome change, given that these laws do not exist in most cases.

U.S. and U.K. Sign CLOUD Act Agreement

On October 3, 2019, the United States and United Kingdom signed an agreement on cross-border law enforcement demands for data from service providers (“Agreement”). The Agreement is the first bilateral agreement to be entered under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It obligates each Party to remove barriers in their domestic laws so that U.S. and U.K. national security and law enforcement agencies may obtain certain electronic data directly from Communications Service Providers (“CSPs”) located in the jurisdiction of the other Party. The Agreement will go into effect 180 days after its transmission to Congress by the Attorney General, unless Congress disapproves by joint resolution.

Continue Reading

CJEU Issues Decision on Consent for Cookies and Intersection with the GDPR

On September 10, 2019, the Court of Justice of the European Union (“CJEU“) issued its decision in the Planet 49 case.  The case centers on the consent requirements for the use of cookies.

Planet49 GmbH offered an online lottery service for which interested users had to register.  The registration form asked users to tick a box allowing Planet49 GmbH to share their data with commercial partners.  Ticking this box was mandatory to participate in the lottery.  A second pre-ticked box allowed users to opt out from the use of cookies (by unticking the box).  If they chose to opt out, they could still participate in the lottery. Users were asked to click on the button “participate” in order to submit their registration form.

The CJEU decision focuses on the second pre-ticked box used to obtain consent for cookies and, in particular, on whether it met the requirements for unambiguous and specific consent.

The CJEU decided that consent obtained using a pre-ticked box is not valid because it does not meet the requirement for an affirmative consent imposed by the ePrivacy Directive, the Data Protection Directive and, now, the GDPR. According to the CJEU, the use of a pre-ticked box makes it “practically impossible to clarify in an objective manner whether the user of a website has actually given his consent to the processing of his personal data (…),” and “[i]t cannot be ruled out that the user may not have read the information attached to the checkbox or that he may not have noticed this box before continuing his activity on the website he visited” (Para. 55).

On the specificity of the consent, the CJEU decided that the consent could not be obtained by actively clicking on the “participate” button, since from that action one cannot “assume that the user has given his effective consent to the storage of cookies” (Para. 59).  This suggests that the CJEU would also consider implied consents (such as consents derived from a continued use of the service) to be unacceptable.

The CJEU expressly declined to decide on the “freely given” nature of the consent since this was not included in the questions submitted by the German Federal Court of Justice.

The CJEU was also asked to decide on whether the requirement to obtain consent for cookies applied only if these cookies were used to collect personal data.  In this regard, the CJEU clarified that the requirement under the ePrivacy Directive to obtain consent applies “to ‘the storage of information’ and ‘access to information already stored’ without specifying that information or specifying that it must be personal data”. However, the CJEU noted that in the case at hand, the collected data was personal data because the cookies stored in the terminal equipment of a user assigned a number to each user which was linked to the registration data.

Finally, the court decided that, as part of the “comprehensive information” that must be provided to users, such users must be informed of the duration of the cookies and about whether third parties can access them. The court did not say that all the third parties must be individually identified.

European Parliamentary Research Service issues a briefing paper on implementing EU’s ethical guidelines on AI

On 19 September 2019, the European Parliamentary Research Service (“EPRS”)—the European Parliament’s in-house research service—released a briefing paper that summarizes the current status of the EU’s approach to developing a regulatory framework for ethical AI.  Although not a policymaking body, the EPRS can provide useful insights into the direction of EU policy on an issue.  The paper summarises recent calls in the EU for adopting legally binding instruments to regulate AI, in particular to set common rules on AI transparency, set common requirements for fundamental rights impact assessments, and provide an adequate legal framework for facial recognition technology.

The briefing paper follows publication of the European Commission’s high-level expert group’s Ethics Guidelines for Trustworthy Artificial Intelligence (the “Guidelines”), and the announcement by incoming Commission President Ursula von der Leyen that she will put forward legislative proposals for a “coordinated European approach to the human and ethical implications of AI” within her first 100 days in office.

Continue Reading

GDPR’s right to be forgotten limited to EU websites

On September 24, 2019, the Court of Justice of the European Union (“CJEU”) adopted a decision on the geographical scope of the right to erasure under the GDPR (decision available here).  The court decided, in line with the opinion of Advocate General Szpunar, that a US-based search engine does not have to remove (de-reference) search results displayed on all the search engine’s versions.  According to the court, it suffices for search results to be deleted from the search engine’s EU versions (i.e., EU domain name extensions, such as .eu, .fr or .de).  For more information on the Advocate General’s opinion, see our prior blog post here.

Continue Reading

Italian Supervisory Authority approves Code of Conduct under the GDPR

On September 12, 2019, the Italian Supervisory Authority (“Garante”) approved a code of conduct for consumer credit agencies (the “Code”), pursuant to Art. 40 GDPR (see here in Italian).

The Code already existed prior to the GDPR, but it had to be amended to meet the requirements of the GDPR and be approved by the Garante in accordance with the GDPR procedures. The Code was submitted for approval by the Italian associations AISREC, CTC and ASSILEA on March 19, 2019, after a consultation with representatives of the relevant data subjects and the sector.

The Code regulates the processing of personal data of individuals located in Italy. It can be adhered to by entities located in Italy that professionally manage credit information systems (e.g., banks, financial intermediaries and other entities offering credit services).

The Code’s structure follows the requirements of Art. 40(2) of the GDPR.  The Code installs a monitoring body, composed by three members: a representative of the Italian National Consumer and User Council, a person designated unanimously by the entities adhering to the Code and a person appointed by the two other members, who will also serve as president.

The Code provides that the legal basis for processing the personal data contained in credit information systems for credit scoring purposes is the legitimate interest of the credit agencies, hence it is not necessary to obtain consent.  Nevertheless, data subjects must receive a complete and clear information notice – Annex 3 of the Code contains a template notice.  The Code itself does not serve as a legal basis for international transfers.

The Code’s approval is made conditional on the accreditation of the monitoring body by the Garante which, according to the Garante, is not yet possible because of the lack of uniform criteria for accreditation at EU level. Pending the accreditation, Code members shall “carry out the processing operations of personal data in compliance with the rules and principles governed by it as well as any other applicable legislation”.

NIST Releases Preliminary Draft of Privacy Framework

The U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) now has released the preliminary draft of the “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.”  NIST is seeking comments on the preliminary draft of the Privacy Framework and plans to use these comments to develop version 1.0 of the Privacy Framework.  Comments are due by 5:00 p.m. ET on October 24, 2019.

Continue Reading