GDPR two years on: What’s happened and what’s ahead?

It has been two years since the GDPR came into force on 25 May 2018 and during that time, we have seen more guidance published at an EU level as well as from data protection authorities in Member States which has impacted how organisations approach areas of GDPR compliance. We have also seen enforcement action from data protection authorities across the EU and UK. There have also been other significant developments, over the past two years including Brexit and COVID-19.

In this article, we reflect on the key developments over the past two years, both at a European level but also specifically for the UK, France, Germany, Spain, Italy, Belgium, Netherlands, Sweden and Poland , as well as what we expect will be the key areas of focus going forward from a data protection perspective.

Jump to the country overview most important to you via the links below:

EU

The European Data Protection Board (“EDPB”) has been busy publishing guidelines over the past two years on a number of different topics. In particular, there has been guidance on the following topics (amongst others):

• territorial scope of the GDPR (our summary of the key points is available here);
• connected vehicles (our summary of the key points is available here);
• processing personal data in the context of the provision of online services to data subjects;
• consent (our summary of the key points is available here);
• data protection by design and default;
• processing of personal data through video devices.

The EDPB has also rapidly published guidelines on data protection considerations in relation to COVID-19, including use of location data and contact tracing tools and processing of health data for purposes of scientific research during the COVID-19 outbreak.

The European Commission also published a Recommendation and Toolbox in relation to contact tracing apps and mobile data in April 2020, to establish a common approach to use of digital measures to address the COVID-19 crisis in the EU. We summarised the key points of the Recommendation here, as well as the EDPB Guidance on contact tracing and the Commission’s toolbox here.

On 18 May 2020, the EDPB published its 2019 annual report, setting out the EDPB’s main objectives for 2020, which includes new guidance on controllers and processors, data subject rights and legitimate interests as a legal basis for processing personal data. The EDPB will also continue to focus on advanced technologies such as connected vehicles, blockchain, AI and digital assistants. 

E-Privacy Regulation

The proposed E-Privacy Regulation was originally published by the European Commission in January 2017 and intended to come into force at the same time as the GDPR.  However, two years on, we are still awaiting the final position from the Council on the proposed text. The latest proposals from the Croatian presidency of the Council were published in February and March 2020, and introduced the concept of “legitimate interests” in relation to placing of cookies. We summarised the key points from the latest proposals here.

Challenge to Standard Contractual Clauses

In December 2019, advocate general Hendrik Saugmandsgaard Øe (a.g.) gave his opinion on how the European Court of Justice (CJEU) should deal with the second Schrems case (Schrems II) in terms of the legitimacy of the EU standard contractual clauses. In summary, the opinion advises the CJEU to affirm the validity of standard contractual clauses as a means of legitimising transfers of personal data from the EEA to third countries. We are currently awaiting the CJEU’s final judgement in this case, which is expected on 16 July 2020. We summarised the key points of the a.g.’s opinion here.

Cookies

In addition, in October 2019, the CJEU issued its decision in the Planet49 case (Case C-673/17), confirming
that consent for cookies cannot be obtained via a pre-ticked checkbox.  The CJEU also confirmed in that
case that a valid consent for cookies requires, among other things, prior information on how long the cookies will be stored and whether third parties have access to the cookies.  You can read our summary of the Planet49 case here.

A number of European supervisory authorities have also issued guidance on cookie compliance (see further below).  While the delays to the e-Privacy Regulation initially led to uncertainty regarding the interplay between the e-Privacy Directive and the GDPR, in particular in relation to the standard of consent required to set cookies, it is now well established that cookie consent must meet the GDPR standard.

UK

In the UK, the ICO has been active over the past two years, both in relation to new guidance and in terms of enforcement. Key areas of new guidance included cookies, data sharing, children’s data, direct marketing, accountability, AI and data subject requests. In addition, the ICO has been particularly focused on real time bidding and adtech over the past year as well as biometric data and live facial recognition, in addition to its focus on use of personal data in the context of political advertising.

The main developments in the UK are further summarised below, as well as key enforcement action from the ICO.

Cookies

The ICO was one of the first data protection authorities in the EU to publish updated guidance in relation to cookies consent, which made clear that the implied consent approach which many organisations followed previously was no longer permissible. We summarised the key points from the ICO’s updated guidance on cookies here.

Children’s Data

The ICO is required under the Data Protection Act 2018 to produce certain statutory codes of practice, and published the final version of its Age Appropriate Design Code for online services in January 2020, which is expected to be approved by Parliament later this year and come into force in autumn 2021. The Age Appropriate Design Code potentially applies to a large number of online services, as it applies to information society services likely to be used by anyone under the age of 18. Please see our summary of the key points and practical impact of the Age Appropriate Design Code here.

Direct Marketing

The ICO also published a draft Direct Marketing Code of Practice for consultation in January 2020, which would replace its existing Direct Marketing guidance. The draft Direct Marketing Code is more detailed than the current direct marketing guidance and covers additional areas such as online advertising and new technologies, including social media, subscription TV, on-demand and “over the top” services, facial recognition and detection, in-game advertising, mobile apps, ad IDs, location based advertising and connected devices.  

You can read more about the proposed Direct Marketing Code in our summary here.

AdTech

The ICO published a report in June 2019, outlining its concerns from a data protection perspective with Real Time Bidding and AdTech (you can read our summary of the report here). The ICO published an update in January 2020, which noted it was encouraged by some industry developments since its report, but that there were also some organisations that had not taken sufficient steps to address its concerns (you can read our update on this here).

In May 2020, given COVID-19 the ICO announced it is pausing its investigation into real time bidding and adtech, but that it would resume its work in this area when the time is right. You can read more about this here.

AI

In February 2020 the ICO published draft guidance on an AI auditing framework for public consultation. AI has previously been identified as one of the ICO’s strategic priorities, and the guidance focuses on four key areas: accountability and governance, fair, lawful and transparent processing, data minimisation and security and data subject rights. We summarised the key points from the draft guidance here.

Enforcement

The ICO has been particularly active since 25 May 2018 in terms of enforcement.

For example, in relation to events which occurred before the GDPR came into force, the ICO can still issue monetary penalties but only up to the maximum of £500,000 under the previous Data Protection Act 1998 (“DPA 1998”). Since the 25 May 2018, the ICO has issued the maximum monetary penalty under the DPA 1998 on four separate occasions, having never previously issued a maximum fine under the DPA 1998 before.

In addition, in 2019 it was widely published that the ICO had issued notices of intention to impose monetary penalties under the GDPR on two organizations for £183.39m and £99m respectively in relation to cyber security incidents. However, these monetary penalties have not yet been formally issued by the ICO.

The ICO did issue its first monetary penalty under the GDPR in 2020, which was amounted to £275,000 for (amongst other things) failing to keep sensitive health data securely and providing adequate privacy notice information to data subjects. You can read our summary of the key lessons from this enforcement action here.

The ICO has continued its focus on electronic direct marketing compliance, and issued a maximum penalty of £500,000 under the Privacy and Electronic Communications (EC Directive) Regulations in March 2020 regarding telephone direct marketing infringements (you can read more about this here).

The ICO has also actively been enforcing for non-payment of the data protection fee, which is a fee required to be paid to the ICO by controllers under the Data Protection Act 2018 (replacing the previous registration requirement under the DPA 1998).

Brexit

After January 31, 2020 the UK ceased to be a Member State of the European Union and, under the terms of the Withdrawal Agreement agreed between the UK and the EU-27, a transition period now applies until December 31, 2020 (unless extended).

During the transition period, there is no substantive change to the data protection position. However, attention is now shifting to what will happen after the transition period including data transfers between the EU and UK and whether the UK will be able to benefit from an adequacy decision from the European Commission. There are also other potential impacts such as appointing representatives, and updates to privacy notices and records of processing. We summarised the key data protection considerations in relation to Brexit here.

COVID-19

In the short to medium term, the ICO has stated it has reshaped its priorities in light of COVID-19 and in summary is focusing on the following six priorities: protecting vulnerable individuals, supporting economic growth and digitisation, proportionate surveillance, good practice in AI, transparency and business continuity.

Although in the short term some ICO projects are on hold (like its investigation into Real Time Bidding and AdTech),the ICO will still be dealing with complaints, investigating data breach reports and discharging its statutory functions. You can read more about the ICO’s current priorities here, and our summary of the ICO’s revised regulatory approach during the COVID-19 public health emergency here.

There is likely to be a lot of attention on contact tracing technologies and apps from a data protection perspective over the next weeks and months, as part of the battle against COVID-19 and returning to work. Please see our summary here for more information on the approach to contact tracing in the UK and EU.

Looking forward

Longer term we expect a continued focus on issues such as transparency, biometric data, children’s data, direct marketing compliance, data security breaches, AI and accountability.

In addition, in light of Brexit, data transfers are likely to be an area that organisations will need to address. Once the transition period is over, organisations will also need to be on top of the new legislative landscape in the UK from a data protection perspective. Although in the short term the position in the UK is likely to be very similar to the EU position, it is possible there may be divergence in the UK and EU approach to data protection in the longer term.

Belgium

The Belgian Data Protection Authority (“DPA”) has been very active regarding the GDPR since May 2018, including by:

• publishing guidance and recommendations, such as practical guidance in 13 steps for businesses to prepare for the GDPR, FAQs in relation to certain aspects of the GDPR, general recommendations regarding the appointment of a data protection officer, carrying out data processing impact assessment, preparing records of processing activities, processing of personal data for direct marketing, and processing of personal data by employers in relation to COVID-19;
• carrying out investigations and imposing sanctions such as reprimands, warnings and fines on individuals or organizations whose processing activities were not in line with GDPR;
• issuing opinions on draft bills relating to the processing of personal data; and
• setting its strategic priorities for the next 5 years in a Strategic Plan 2019-2015.

Guidance and Recommendations

We have summarized below some of the key guidance and recommendations issued by the DPA since the entry into force of the GDPR.

• Cookies and other tracking technologies: In April 2020, the DPA published new guidance and recommendations regarding the use of cookies, with a new thematic file and FAQs available its website. It is worth noting that the DPA had sanctioned a company (see below) in December 2019 for non-compliance with the cookie-consent requirement.
  • The guidance focuses notably on information requirements (transparency), conditions for consent for non-essential cookies and cookies lifespan. The DPA considers that consent is required for audience measuring cookies (statistical or analytical cookies), as well as for the use of social media plug-ins on a site or mobile app. Consent cannot be validly obtained “by continuing to browse” a site. So-called “cookie walls” are also not valid.
• Direct marketing: in January 2020, the DPA published its Recommendation 1/2020 on the processing of personal data for direct marketing purposes. Direct marketing is one of the top priorities identified by the DPA in its Strategic Plan 2019-2025 (see below). This Recommendation aims at clarifying the concept of direct marketing and the complex rules applying to the various stakeholders involved in direct marketing activities. It also covers enrichment of personal data, legal bases for the processing, and conditions for consent.
• CCTV systems: the DPA has published a new thematic folder and recommendations on its website in relation to the new requirements applying to the use of CCTV systems for surveillance purposes, dashcams, etc. It is also worth noting that the Belgian Act and Royal Decrees on camera surveillance have been amended at the same time as the GDPR entered into force.
• Controller/processor concepts: the DPA has published a legal analysis of the concepts of controller and processor under the GDPR, with a specific application to professionals such as lawyers.
• Guidance regarding specific GDPR requirements: Data Protection Officer, Data Protection Impact Assessment, Records of Processing activities, etc.

Enforcement

We can observe from the enforcement activity of the Litigation Chamber of the Belgian DPA over the past two years that the DPA has imposed a number of sanctions on controllers for violation of the GDPR, and that there is a general trend of these sanctions becoming more significant over time.  Significant enforcement actions have included:

• May 2019: A fine of €50,000 to a social network for processing personal data, as part of a function for inviting contacts, without a valid legal basis. The Belgian DPA indicated that the decision had been made in consultation with 23 international data protection authorities.  
• April 2019: A fine of €50,000 to a telecom group for non-compliance with the requirements for the appointment of its DPO under Art. 38(6) GDPR.
• December 2019: a fine of €15,000 for violation of Art. 12 and 13 GDPR to an operator of a website providing legal news; due to insufficient information about the identity of the controller and the cookies used on the website; the fact that the privacy policy was only available in English, while the website targeted a Dutch and French speaking audience; and for violation of  Art. 6 and 7 in conjunction with Art. 4(11) GDPR due to lack of valid consent required for certain types of cookies;
• December 2019: an order imposed to a medical care/nursing platform to comply with a request for access to – and erasure of – personal data under Art. 12, 15 and 17 GDPR, and a fine of €2,000 for failure to act on requests from the data subject;
• November 2019: a fine of €5,000 for violation of Art. 6 GDPR (insufficient legal basis) to a municipal alderman for the use of a list of data subjects obtained in the context of a profession that he exercised in parallel with his public mandate for political mailings;
• November 2019: a fine of €5,000 for violation of Art 6 GDPR (insufficient legal basis) to the mayor of a Belgian city for the further use of personal data initially collected in the context of the exercise of his public functions to send materials in relation to his electoral campaign;
• September 2019: an order imposed on a trader to bring processing operations into compliance with Art. 5 (data minimization), 6 (legal basis) and 13 (information requirements) of the GDPR and a fine of €10,000 for violation of Art. 5 and 6 of GDPR for the use of the Belgian e-ID card to create a loyalty card;
• May 2019: a reprimand and a fine of €2,000 for violation of Art. 5(1)(b) (purpose limitation) and 6 (4) (insufficient legal basis) GDPR to the mayor of a Belgian city for the use of email addresses initially collected in the context of a building permit to send materials in relation to his electoral campaign.

It is also worth noting that, in a number of cases, the Litigation Chamber imposed a reprimand or a warning, but not a fine:

• a reprimand for violation of Art. 5(1)(b) (purpose limitation) and Art. 6(4) (insufficient legal basis) GDPR to a candidate to local elections for the further use of personal data initially collected as part of its membership to a Whatsapp group to send materials in relation to his electoral campaign;
• a reprimand for the violation of Art. 5(1)(b) (purpose limitation), 6(4) (insufficient legal basis), 24(1)(2) and 25(1)(2) GDPR (insufficient technical and organisational measures) to a trader for sending a mass email to all its customers where all the recipients were visible;
• a prohibition of processing and order to delete personal data for violation of Art. 5(1)(2) (data minimisation) GDPR to the owner of a building who had placed a camera in a common space of the building;
• a reprimand to the controller (public authority) for failure to provide access to personal data in accordance of Art. 12 and 15 GDPR;
• a reprimand to the controller for the violation of Art. 12, 13 and 30 GDPR for failure (i) to act on a data subject’s request to erase his personal data provided in the context of an application and (ii) to maintain a records of processing activities in accordance with Art. 30 GDPR.

Opinions

Under the Act of 3 December 2017, the Belgian DPA (in particular the so-called knowledge center within the DPA) has competence to issue:

• opinions concerning any matter relating to the processing of personal data;
• recommendations relating to social, economic and technological developments that can impact on the processing of personal data.

Since May 2018, the knowledge center has issued many opinions commenting on draft bills, and, most recently, commenting on two draft bills in the COVID-19 context governing: (i) the use of an app for contact tracing and (ii) the creation of a database by Sciensano, the Belgian institute for health.

Strategic priorities

On 12 December 2019,the Belgian DPA published a draft Strategic Plan 2019-2025, highlighting its priorities and areas of focus for that period.

The DPA indicated that it will focus on five main sectors: telecommunications and media, public authorities, direct marketing, education and SMEs.

Three important social topics will also benefit of particular attention from the DPA: online data, sensitive data and images/CCTV.

The processing of sensitive data, the role of the DPO and the legitimacy of processing also appear to be other priority areas for the Belgian DPA.

France

The CNIL has developed several compliance tools, as well as publishing and updating a lot of guidance and recommendations since May 2018. It has also assumed its role as Supervisory Authority by conducting several investigations.

Investigations and fines carried under the GDPR

Each year, the CNIL publishes its annual control strategy, guiding stakeholders on its areas of focus in light of new developments and topical issues involving the processing of personal data. The controls carried out following this strategy represent approximately 20% of the formal control procedures carried out by the CNIL during the year. The rest of the CNIL’s inspections are generally triggered by complaints.

In 2019, the CNIL has carried out 310 investigations (including 204 onsite). Its annual program focused on the processing of children’s data and data subjects rights requests. In 2019, CNIL issued 9 public financial penalties. Several sanctions were pronounced against companies that did not ensure their obligations to preserve the security of the personal data they were processing, provided for by Art. 32 of the GDPR (for example real estate). Personal data security appears to be a key priority for the CNIL; for example, the company SERGIC was fined EUR 400,000 by the CNIL after it was revealed that the company had not implemented a procedure to authenticate users of the website to ensure that those accessing the documents available on a personal account were the ones who had downloaded them. In another notable case, the company ACTIVE ASSURANCES was fined EUR 180,000 after a control revealed that the accounts of the company’s customers were accessible via hypertext links referenced on a search engine.

Since 2018, the CNIL also had the occasion to use its power to issue daily financial injunctions. For example, in its decision against UNIONTRAD COMPANY, the CNIL had enjoined the company to ensure the traceability of accesses to shared professional messaging and to justify this within two months of the notification of its decision.

In terms of level of fine, the first time that the CNIL has applied the new ceilings on fines provided for in the GDPR was on 21 January 2019 (EUR 50 million). CNIL considered that the amount of the fine and the publicity surrounding the decision was justified by the seriousness of the breaches observed, which concerned essential principles of the GDPR: transparency, information and consent.

In 2020, the CNIL has chosen to focus its inspection strategy on three priority themes: health data, geolocation for proximity services, and cookies and other tracers (see our alert: what are CNIL’s inspection priorities in 2020)

Issuing guidance and recommendations

Under the GDPR, compliance is an indicator of good governance, addressing the issue of reputation, trust and competitive advantage for companies. In order to help private and public organizations to comply with the GDPR, the CNIL has published several guidance documents and recommendations adapted to the contextual issues encountered by these stakeholders and, sometimes, in anticipation of new regulations in progress:

• Facial recognition: recognizing that this theme raises unprecedented questions about societal choices, the CNIL had called, in 2018, for a democratic debate on this subject. In November 2019, it presented the technical, legal and ethical elements which, in its view, must be taken into account while approaching this complex issue.
• Cookies: in  July 2019 CNIL modified its previous guidance from 2013 and, like a number of other European DPAs, no longer considers that the continuation of browsing constitutes valid consent for cookies. In addition, and considering the adoption of the E-Privacy Regulation is still in progress, the CNIL launched a public consultation in early 2020 on a draft recommendation on practical procedures for collecting Internet user consent for operators using tracers, as part of its action plan on targeted advertising (the final version of this draft has yet to be published).
• COVID-19 pandemic: In light of the COVID-19 pandemic, the CNIL has turned its attention to related data protection issues relevant to both companies and public health authorities, such as processing by employers to ensure the safety and health of their employees or by the government in the context of contact tracing operations, for example. Therefore, it has published and updated its guidance relating to processing operations implemented by employers in the context of the COVID-19, and has contributed to national initiatives, such as the creation of the “Contact Covid” file to ensure contact tracing of the population by health authorities or the development of the STOPCOVID application, which has yet to be implemented in France.
• Processing of personal data relating to minors: following its annual control strategy for 2020, the CNIL launched in April 2020 a public consultation regarding the rights of the minors in the digital environment in order to adopt recommendations to clarify the applicable framework and offer practical advice.

Providing for practical compliance tools

In addition to its guidance and recommendations, the CNIL has provided for several tools in order to help stakeholders ensure their compliance to the GDPR, such as:

• The DPOs Certification Standards, which have been published by the CNIL at the end of 2018 according to the new ability for the CNIL to issue such standards and approve the bodies responsible for issuing this certification. The two standards relate to: (i) the conditions for the admissibility of applications and the list of 17 skills and know-how expected to be certified as a DPO; and (ii) the criteria applicable to organizations wishing to be authorized by the CNIL to certify the skills of DPOs.
• The “PIA tool”, which is an open source software facilitating the conduct and formalisation of data protection impact assessments as provided for in the GDPR.
• The GDPR Guide for developers, which has been elaborated by the CNIL to provide a first approach to the main principles of the GDPR and the different points of attention to consider when deploying applications that respect user privacy.

Germany

The German data protection authorities have issued numerous guidelines and opinions relating to the interpretation of the GDPR. In addition to guidelines issued by the German Data Protection Conference, comprising the 16 German State Data Protection Authorities and the Federal Data Protection Authority, the various State Data Protection Authorities have also issued their own guidelines which sometimes contradict guidelines issued by other German State Data Protection Authorities. Of these, the following in particular are worth highlighting:

• COVID-19: During the COVID-19 crisis the German Data Protection Authorities have issued various guidelines and statements relating to the collection of health data, temperature checks, home working and data disclosures to prevent the further spread of the disease. You can find a summary of the various guidelines here. Interestingly, some German Data Protection Authorities consider temperature checks permissible in certain circumstances, whereas other German Data Protection Authorities consider them unsuitable to fight the disease and therefore impermissible.
• Enforcement: In November 2019, the Berlin DPA issued the first fine over a million Euros of €14,500,000 for a violation of the GDPR. A summary of the case can be found here.  Shortly before, in June 2019, the German Data Protection Conference published its concept for setting administrative fines for a violation of the GDPR, taking at every level the annual worldwide turnover into account. According to the press release of the German Data Protection Conference, the concept was discussed on a pan-European level and may be amended or revised once Europe-wide guidelines are released by the EDPB. You can read our summary of the concept here.
• Information Society Services and Cookies: In the wake of the uncertainty caused be the still pending E-Privacy Regulation, the German Data Protection Conference issued guidance for information society service providers which can be found here, in particular on how to lawfully collect and process data via cookies.
• Audits: German Data Protection Authorities have also been carrying out random audits. The Bavarian Data Protection Authority has published information on the areas that were and are going to be audited, including questionnaires used (see here). Audits relate to general topics such as accountability concepts and implementation of the GDPR (see questionnaire here), but also more targeted audits relating to transparency during recruiting, security vulnerabilities with certain IT systems, procedure for handling security breaches and data deletion concepts.

Italy

The Italian Data Protection Authority (the Garante) has been fairly active over the past months in both enforcement actions as well as providing guidance for specific data processing activities, of course lately with particular focus on data protection issues triggered by the COVID-19 health emergency.

We have summarised some of the key developments in Italy, as well as key enforcement actions from the Garante.

Enforcement actions

In terms of enforcement, the inspection plan of the Garante for the first half of 2020 (until June 2020) is focused, among others, on: the pharma and life science industry, use of whistleblowing systems, the banking sector, electronic invoicing, marketing and call centre activities, profiling activities (especially in relation to loyalty programs), the food delivery sector, reputational databases and data breaches. On the radar of the Garante there are also compliance audits in relation to: conditions for a lawful data processing, consent as legal basis for processing, information provided to data subjects and data retention.  In addition, specific audits may be triggered by claims filed with the Garante by data subjects.

To date, the most significant enforcement action in Italy consists of two fines totalling more than EUR 11 million imposed on the same company, within the same audit proceeding.

In addition, it is worth remembering that the Italian GDPR alignment law also provides for criminal penalties in specific cases, such as unlawful processing of special categories of data, of network traffic data, location data, for unsolicited communications, unlawful sharing or acquisition of data on a large scale, illegal data transfers and failure to comply with the Garante’s orders.

The Garante has issued an internal regulation detailing the rules applying to investigations. Indeed, the Garante has the authority to ask for information and copies of documents relevant to the investigation and may also ask to be given access to databases and archives. The investigated entity may be assisted by advisers during the audit and may reserve the right to produce further documentation and to provide further information after the audit, as applicable.

The current Committee of the Garante ended its term in June 2019. A new election has been launched, but due also to the COVID-19 health emergency, the process has been postponed. It has been established that the current Committee will continue to serve as the new one is elected and in any case within 60 days as of the end of the emergency status – which is set on July 31, 2020 – but extension is possible. The current Committee may carry out the ordinary activities as well as these which are urgent and cannot be postponed.

Guidance from the Garante

The Garante regularly publishes guidance on key topics under the GDPR, such as DPOs, data breaches, DPIAs, and general guidance on GDPR application, which addresses in details the basic principles for a lawful data processing, data subjects’ rights, general obligations of data controllers, measures to manage risks in data processing and transfer of data to third countries.

The Italian GDPR alignment law expressly requires the Garante to issue guidelines for specific sectors, as well as in order to validate or, as necessary, to amend the pre-GDPR national legislative framework. In this regard, the Garante has issued: (i) rules of conduct for the processing of data for purposes of statistics or scientific research performed within the national statystic system; (ii) rules of conduct for the processing of data for purposes of statistics or scientific research; (iii) measures applying to the processing of special categories of data, including measures for the processing of data for purposes of scientific research and for the processing of genetic data. In relation to specific data security measures, which stems from a pre-GDPR general Provision of the Garante, it is confirmed the discipline applying to ‘system administrators’.

In relation to Big Data, the Garante has worked together with the Italian Competition Authority and the Authority for Communications Guarantees for the release of new guidelines and policy recommendations, based on a survey performed to better understand the implications for privacy, regulation, and protection of personal data with a particular focus on big data. The Guidelines are composed of 11 recommendations to legislators, regulators and market operators; among others: transparency and effectiveness of how information is provided to individuals, also to avoid information asymmetries between users and digital operators; data portability and mobility through interoperable standards; strengthening international cooperation; increase of the competent authorities’ enforcement powers and increase of the maximum applicable sanctions in order to deter noncompliance and a call to establish a permanent coordination between the three agencies.

The Garante also issued an opinion on the guidelines of the Italian Digital Agency (AgID) on the Guidelines on the formation, management and storage of electronic documents. The Garante has made different comments, among other the need to update to GDPR the provisions on security measures and higher attention to the role and obligations of the data processor.

The position of the Garante in relation to cookies is essentially aligned with that of other European authorities and the EDPB, for example in relation to the need of consent for non-technical cookies.

The Garante also actively collaborates with other EU authorities, for example in the drafting of Guidelines for the use of AI and in the participation to the Privacy Sweep Day 2019, organized by the Global Privacy Enforcement Network – GPEN, this year focused on the management and response to data breaches. The results of this investigation have been published on March 2020 (https://www.privacy.org.nz/assets/GPEN-Sweep-2019-International-report-FINAL-January-2020.pdf) and report that 84% of the interviewed have set up a dedicated team for data breaches, while more than 30% do not have in place either self-assessment or internal audit programs. In light of the output of the survey, these authorities are now expected to determine the appropriate actions to enhance the level of control that individuals have on the processing of their personal data.

COVID-19 related initiatives

The Garante has been one of the first European data protection authorities to provide guidance on collection and use of personal data in relation to the public health emergency.

Given that the situation is changing rapidly and is very much conditional upon the applicable legal framework, so the initial guidance of the Garante, which prevented employers to deliver questionnaires and take temperatures to employee’s before entrance has since been  overridden by subsequent regulations issued by the Government. Generally speaking, the Garante’s stance is to avoid “do-it-yourself” initiatives and instead to leave the handling of the crisis to the competent government and health authorities.

The Garante has provided clarifications and guidance for public and private bodies on different kinds of data processing activities which are more impacted by the COVID-19 outbreak, among others schools, employers, health care, research, local authorities – in English, available here.

The Italian Government has decided to adopt a nation-wide App for contact tracing, named Immuni, to be launched in few weeks. The Garante has been advising on the main features and technical structure of the same, while an assessment will be performed once the design of the App is finalized.

Within the COVID-19 related initiatives, the Garante also addressed the issue of data security and published some guidelines to raise awareness against possible attacks, especially ransomware, which are increasing during the health emergency which leads to a sharp increase of the time spent online, for work or personal reasons. The Garante outlines that paying the ransom may appear the easiest way out, but it presents economic and also other negative side effects, like being “listed” as a payer and thus being exposed to further attacks, paying and not receiving the un-blocking codes.

The solution suggested is to revert to IT specialists and also to report the case to the Postal Police (the entity in charge of cyber-attacks) and also to the Garante to report personal data breaches such as theft of identity, of personal data, of content, etc.

Netherlands

Since the introduction of the GDPR, the Dutch data protection authority (DDPA) has been concentrating on promotion and monitoring of compliance with the new regulation, and has being applying a risk-based supervision approach. After a year of awareness raising, the DDPA announced in mid-2019 that it will start to increase its enforcement activities. Since then, the DDPA has issued a number of fines for non-compliance with the GDPR.

In practice, the DDPA has focused its enforcement efforts on the healthcare sector, data trading, data breaches and the digitalisation of public authorities. Recently, the DDPA announced it will continue that focus for at least another three years and explicitly added Artificial Intelligence as another important focus area.

The DDPA has published additional guidance on a number of data privacy topics, including data protection impact assessments, the application of the “legitimate interest” criterion, direct marketing, the privacy implications of using video call apps, and promoted the public consultation on draft guidance of the EDPB.

Poland

Since the entry into force of the GDPR, Poland has implemented a number of legal acts to align with the GDPR’s requirements. The Polish parliament has adopted a brand new Act on Protection of Personal Data, as well as amendments to numerous specific sectoral laws, among many others the Labour Code, the Act on Banking Law, the Act on Provision of Electronic Services, and the Act on Telecommunications.

The changes covered not only the legislation but also the supervising authority itself. The previous office of the Inspector General for Data Protection (GIODO) was renamed the President of the Office for Personal Data Protection (UODO) and was reorganized (for example, a new  Complaints Department was set up) and equipped with additional powers. In April 2019 the Parliament elected a new President of the UODO – Mr. Jan Nowak.

In the course of its activities, UODO has adopted a number of guidelines. These are intended to clarify some matters and to help controllers to fulfil their obligations in accordance with the GDPR.  

The topics covered in the guidelines were among others video surveillance and protection of personal data in the workplace. UODO has also issued a number of statements on various issues, for example on the use of biometric data for working time recording, making copies of ID documents or sharing medical records during the COVID-19 pandemic. Some of the statements signaled the need for amendments in the law, e.g. on the issue of employee alcohol use testing. 

In the course of its enforcement actions UODO has conducted many proceedings against entrepreneurs and local government authorities. Some of them resulted in imposing penalties. Fines were imposed, for example, for failure to comply with the information obligation, hindering the data subjects’ rights to withdraw their consent for data processing, processing of biometric data in school or failure to conclude a data processing agreement. The highest penalty of €660,000 was imposed on an online shop for the lack of appropriate technical measures to protect personal data, which led to a leak of the personal data of 2.2 million customers.

According to the UODO Sectoral Audit Plan 2020,inspections are to be expected in the near future for the following controllers: banks, in relation to the copying of IDs; for entities using intelligent metering; and for authorities processing personal data in the Schengen Information System and Visa Information System. The authority also wants to place particular emphasis on looking into the telemarketing services sector and investigating the proper handling of data breaches.

Spain

In Spain, the Spanish Data Protection Authority (SDPA, known in Spain as AEPD – “Agencia Española de Protección de Datos“) has remained very active over the past two years both in relation to new guidance, but also in terms of enforcement. Key areas of new guidance included cookies, PIAs, AI and anonymization procedures. In addition, the SDPA has been particularly focused on the healthcare and retail / e-commerce sectors and has developed various guidance on different technical matters.

We have summarised some of the key developments in Spain, as well as key enforcement from the SDPA to have a better understanding on where we stand and what we can expect in the future.

Data Protection Impact Assessment

The SDPA has been quite active in the issuing of guidance regarding data protection impact assessments (“DPIAs“). Months before the coming into force of the GDPR, the SDPA issued its Practical Guidelines for Data Protection Impact Assessments under the GDPR. Even though data controllers are free to choose their own method for conducting DPIAs (in compliance with the GDPR), the SDPA provided practical recommendations and suggestions on certain methods controllers could use to comply with this legal requirement. Two years later, the SDPA also issued a Template Report for Data Protection Impact Assessments. As for the Guidelines, controllers remain free to use this template or not, as it only aims to assist controllers with compliance with the GDPR.

In application of the powers granted by the GDPR to supervisory authorities (Art. 35(4) and (5) of the GDPR), the SDPA has also published lists of data processing activities that, respectively, require a DPIA or not. Both lists are the List of processing operations for which an impact assessment is mandatory and the List of processing operations for which an impact assessment is not required. Both documents are binding and provide further clarity to controllers by developing the requirements set forth in the GDPR.

Data Breaches

The SDPA has stated several times that compliance with the obligation to communicate data breaches is crucial to ensure the protection of the personal data. Therefore, in order to facilitate compliance with this obligation, right after the coming into force of the GDPR, the SDPA published the Guidelines for the Management and Notification of Data Breaches. This set of guidelines helps controllers not only in complying with the notification obligation, but also in managing prospective data breaches that may take place in their organizations.

Cookies

With the E-Privacy Regulation still pending, the SDPA tried to add some clarity to the regime of the use of cookies under the GDPR. On November 2019 the SDPA issued the Guidelines on the Use of Cookies developing the regime set forth in the current Information Society Services and e-Commerce Act in line with the provision of the GDPR. The set of guidelines provides interesting insights. For example, it clarifies that the cookies legal regime would also be applicable to techniques that achieve a similar effect without installing pieces of information in the devices of the user (e.g. fingerprinting).

Regarding the consent of the user, controllers may still collect it through unambiguous affirmative actions, such as browsing or clicking on a link. However, users must be allowed to reject the installation of all cookies before the website proceeds to their installation. Users should also be able to manage their consent to cookies category by category (e.g., advertisement cookies, behavioural cookies, etc.). The SDPA recommends enabling a “control panel” for users to decide which cookies they want to permit. The guidelines also promotes the use of consent management platforms (CMP) as solutions for the complex technical and regulatory reality of the use of cookies.

Artificial Intelligence

The Spanish authorities are very committed to the development of artificial intelligence solutions. Recently, the Government has even established the Secretariat of State for Digitalisation and Artificial Intelligence. In line with these general actions, the SDPA has prepared a set of guidelines for the Alignment to the RGPD of Processing Operations that Rely on Artificial Intelligence. The guidelines analyse the life cycle of AI solutions and provide guidance from a personal data perspective for each of the identified stages. They provide detailed insight on the different data protection roles of the parties that participate in their development, on the exercise of rights by the affected data subjects and on possible legal grounds for the processing operations and on the management of the related risks.

Technical opinions and guidance issued by the SDPA

The SPDA has been very active since the GDPR entered into force in relation to publishing of technical notes or guidance by its technical team, who have been analysing  different technologies and current issues from a data protection perspective. In particular, the SDPA has published guidelines or notes on the following topics: anonymization procedures, cloud computing service providers, device fingerprinting, risks of information flows, access to apps through the screens or user’s control of the personalization of advertisements, data protection implications of drones, k-anonymity as a privacy measure, privacy in the DNS (domain name system), introduction to the hash as pseudonymization technique and introduction to the 5G technology and its privacy risks.

Enforcement

The SDPA has been, as usual over the past years, very active since 25 May 2018 in terms of enforcement.

However, it is worth mentioning that, because of the GDPR, the cooperation between the SDPA and the DPOs has proven a crucial mechanism that has positively impacted on the sanctioning proceedings, particularly on the resolution timings and outcomes of the proceedings. In numbers, the SDPA has issued in 2019, the first year in which the GDPR was fully applicable, 338 sanctioning resolutions. Despite this number being high, this represent a significant decrease in the sanctioning resolutions in comparison with previous years and confirms the trend initially observed in the second half of 2018, when the GDPR was in force. While the number of claims before the SDPA remains very high, in line with the high degree of consciousness of the Spanish individuals on personal data protection matters (only in 2019 11,590 claims were made before the SDPA), the number of claims that have finalized in sanctioning proceedings has decreased as a result of the mechanism mentioned above.

For 2019, from the sanctioning resolutions, 112 of them finalized with the imposition of a penalty and the total amount of the fines imposed was 6,295,923 Euros. Most of the penalties were imposed for infringements on six main activity sectors: directories (contact books/lists), telecommunications, fraudulent contracts, data breaches, water / energy and delinquency files (default files). 

Another relevant area worth highlighting in the enforcement area is in relation to data breach notifications. Since the entering into force of the GDPR and the introduction of this new obligation for controllers, the number of data breach notifications in Spain has increased and in 2019 it was almost three times higher than in 2018. From the data breach notifications made, approximately 5% of them result in an investigation process.

COVID-19

The health crisis caused by COVID-19 has raised many questions related with the management of personal data, particularly with the management of health data in a context in which the public interest plays a big role. The SDPA responded to this situation with the publication of several reports, recommendations and analysis related with the COVID-19, which tried to solve the major doubts of controllers and of the general audience.

At first, the SDPA issued a report analysing in general the processing of data related with COVID-19, their legal bases and their relation with the public interest, the Report on the processing of data in relation to COVID-19. Afterwards it published two communications in relation to two particular processing operations: the use of self-evaluation apps and websites for the diagnosis of COVID-19 and the implementation of systems to measure the temperature of individuals in different environments.

In May 2020, the SDPA published a comprehensive analysis of a set of processing operations related with COVID-19, The Use of Technologies for the Fight of COVID-19, an Analysis of Benefits and Costs. The technologies analysed by the report are: mobile-phone geolocation by telecom operators, mobile-phone geolocation through social networks, self-evaluation apps, webs and chatbots, voluntary declaration apps, contact tracing apps, immunity passports and use of infrared cameras to large-scale check body temperature.

To assist individuals in the situations of confinement caused by COVID-19 the SDPA issued several sets of recommendations. In particular, the most interesting sets were the Recommendations for the Protection of Minors in the Internet and the Recommendations to Protect Personal Data in Mobility and Remote-Working Situations. Instead of having a soft-law nature, these sets of recommendations tried to help individuals avoid unnecessary risks in the health crisis context.

Looking forward

Longer term we expect a continued focus on the main issues so far and the publication of expected guidelines such as the ones foreseen for later in 2020 on employment relationships and on the personal data processing by healthcare professionals.

Sweden

The Swedish Data Protection Authority (Sw: Datainspektionen “DPA”)), has nearly doubled in size since 2017 and it currently has about 95 employees. Since the GDPR entered into force, there has been some enforcement activity, covering both the public and the private sector.

Guidance from the DPA has included  when to conduct a data protection impact assessment, camera surveillance, patient data, personal data breaches and data subject rights.

We have summarised the enforcement action and the current and future focus areas of the DPA.

Enforcement

Shortly after the GDPR entered into force in 2018, the DPA audited whether approximately 360 companies and authorities that they deemed were obliged to appoint data protection officers had done so and, if they also have reported this. The DPA issued 57 reprimands and two orders. The reason for not imposing fines was that the GDPR was new legislation at the time, but the DPA has stated that administrative fines will be on the table for future shortcomings with respect to appointing data protection officers.

In August 2019, the first administrative fine of 200,000 SEK (approximately 20,000 EUR) was imposed on a municipality for using facial recognition technology to monitor the attendance of students in school. In Sweden, public authorities can receive a maximum fine of 10 million SEK (approximately €1 million ). The school had based the processing on consent, but the Swedish DPA considered that consent was not a valid legal basis given the clear imbalance between the data subjects and the controller. The DPA hence found that the school had processed sensitive/biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA.

In December 2019, the DPA imposed a fine of 75 million SEK (approximately €7 million) in relation to delisting of search results.

Also in December 2019, the Swedish DPA issued an administrative fine of €35,000 against a website operator that published personal data relating to e.g. credit information and home addresses of all Swedes above the age of 16. In total, the database contained personal data of more than 8 million people. The DPA found that the operator had infringed the Credit Information Act and the GDPR. Most of the information published on the website was covered by a publishing certificate that provided it constitutional protection, meaning that the GDPR did not apply.

The website did however publish information on whether individuals had a record of non-payment. Information about payment defaults is considered to be credit information and for the publishing of such information the Credit Information Act applied, including its references to the GDPR. The website also published information about records of criminal convictions. The DPA found that such information was regulated under the GDPR and may not be published under the Credit Information Act without prior authorization from the Swedish DPA. The DPA had not issued any such authorization for this website.

In April 2020, the DPA imposed a fine of 200,000 SEK (approximately €18,700) on the National Government Service Centre (“NGSC”) for failing to notify other authorites using the IT system for salary administration provided by the NGSC, as well as the DPA about a personal data breach in due time. The DPA noted that it took almost five months for the NGSC to notify the concerned parties and close to three months before the DPA received a data breach notification. The personal data breach entailed an error that enabled unauthorised access to personal data of both personnel of authorities using the system and of personnel of the NGSC. In addition, the documentation of the breach, as required under the GDPR, was also found incomplete.

In its decision, the DPA ordered the NGSC to introduce internal routines for the documentation of personal data breaches and to verify that those routines are abided by.

COVID-19

In relation to COVID-19, the DPA has launched an information page, mainly focusing on the employment context. The DPA stresses that the GDPR does not hinder necessary measures taken in order to slow down the spread of the coronavirus. It is, however, important that individuals’ right to privacy and protection of their personal data are safeguarded under these special circumstances. This means that an employer may only process personal data that is necessary for the purpose at hand and that access to such personal data shall be limited to those that need such access. Only necessary information shall be disclosed. The DPA states that e.g. conducting temperature checks or whether employees can or cannot work from home are not GDPR issues, but rather employment law issues. The DPA does however state that employers should refrain from systematic collection of personal data relating to health.

Contact tracing

The Swedish government has not launched a contact tracing app. A digital website tool has however been prepared in collaboration between the Civil Contingencies Agency (Sw. Myndigheten för samhällsskydd och beredskap), the National Board of Health and Welfare (Sw. Socialstyrelsen), and the Public Health Agency (Sw. Folkhälsomyndigheten). The tool enables individuals, on a voluntary basis, to record symptoms and receive information about the virus. By analyzing anonymized data, the information should contribute to understanding and predicting how the virus is progressing in different regions. The launch of the digital tool is however currently put on hold. 

The Swedish DPA has stated that it will prioritize queries or requests for a prior consultation on the matter if asked to do so, but this has not yet been the case.

Current and future focus areas

The DPA’s current audit plan covers 2019-2020 and states that the DPA will focus on inter alia use of consent as a legal basis, the healthcare sector, schools, controller-processor distinction, mobile location data and retail.

There are also ongoing audits of eight caregivers relating to protection of patient data and audits related to voice call data on Sweden’s medical assistance phone 1177. The voice call data was stored on a web server that was neither encrypted nor password protected.

Further Information

If you would like more information on enforcement by EU data protection authorities, please see our GDPR Enforcement Tracker here.

You can also find more information on data privacy aspects in relation to COVID 19, and related guidance from data protection authorities in our COVID-19 Data Privacy & Security Survey here, which covers 39 jurisdictions.

You can also access the 2020 Global Data Privacy & Security Handbook here, which includes detailed overviews of data privacy and security standards in over 50 countries.

---