Data Protection and Privacy | Summary of the data privacy year 2019
Administrative fines for security breaches
Both everyday life and work life have increasingly become digital and dependent on personal data. The potential consequences of data breaches have therefore increased significantly. This imposes a special responsibility on companies processing data when it comes to implementing appropriate measures to ensure secure processing of personal data. This responsibility became apparent in 2019.
Most administrative fines imposed by supervisory authorities during 2019 were given wholly or partly on the basis of data security incidents, which are breaches of both the security principle in article 5 and the obligation to ensure information security in article 32 of the GDPR. Compared to administrative fines imposed for other types of violations, the highest fines in 2019 were also given for breaches of the aforementioned provisions (e.g. the notices of intention to fine Marriott International Inc. approx. GBP 100,000,000 and British Airways approx. GBP 180,000,000).
Focus on privacy by design
The European Data Protection Board’s (EDPB) work on a guideline on “data protection by design and by default” was led by the Norwegian Data Protection Authority. This guideline provides an interpretation of the requirements set out in GDPR article 25. The core obligation of article 25 is the requirement to implement standard mechanisms in all solutions and services processing personal data in a way that effectively safeguards the privacy principles and the rights of the data subjects. The guideline was approved by the EDPB in November 2019, which means that all European supervisory authorities support it. The guideline was open for public consultation until mid-January 2020.
In 2019, the Norwegian Data Protection Authority also issued a separate Norwegian guideline on the subject, primarily intended for software developers and architects. In addition, a contest regarding privacy by design has been held for the public. The Authority’s decision to fine Oslo municipality for a security breach in a school application also cited the lack of privacy by design to fulfil the principle of data minimisation. The final fine issued to Oslo municipality for this breach was in the amount of approx. NOK 1,200,000 (approx. EUR 118,000). The particular interest in privacy by design shown by the Norwegian Data Protection Authority may also affect its focus area in 2020.
The first court ruling on GDPR in Norway
On December 17th 2019, Oslo District Court published the first court ruling pursuant to the GDPR (Legelisten-dommen). The court upheld the decision by the Norwegian Privacy Appeal Board stating that the website Legelisten.no had legal grounds for collecting and publishing subjective opinions of medical personnel based on its legitimate interest, cf. GDPR article 6 (1) (f), even without giving the medical personnel the option to refuse to be listed on the website.
The decision gives a thorough presentation of the balancing test that must be applied when using “legitimate interest” as a legal ground for processing personal data, and can give useful guidance when performing such balancing acts for other processing activities.
Rulings from the CJEU
Continuing from the Court of Justice of the European Union’s (CJEU) previous decisions in 2018 regarding joint controllership under the GDPR (the Wirtschaftsakademie case and the Jehovah’s Witnesses case), the CJEU concluded in 2019 in the Fashion ID case that website operators can be deemed joint controllers under the GDPR together with social media providers when using plugins. In the new ruling the CJEU held that a German online clothing store (Fashion ID) was a joint controller with Facebook for the data collection carried out through the implementation of a plug-in with a “like” button on its website. This latest decision continues the trend of taking a wide view of what constitutes joint controllership.
Companies should therefore, especially in complex data processing operations, ensure that they appropriately assess the roles of the entities involved in the processing activities in order to establish the correct allocation of responsibility under the GDPR.
The Planet49 case is another decision by the CJEU in 2019. In this case the CJEU ruled that the consent which a website user must give to the storage of and access to cookies on his or her equipment must be a valid consent under the GDPR. This applies regardless of whether or not the information stored or accessed on the user’s equipment is personal data. This recent statement by the CJEU confirms that the GDPR has had an effect on the requirements for consent under the ePrivacy Directive (implemented in the Norwegian Electronic Communication Act, Nw: Ekomloven) for EEA countries, and it is thus likely that it will also have an impact on the work on the new ePrivacy Regulation. The ePrivacy Directive complements the GDPR and sets out more specific privacy rights for electronic communications.
The number of security breaches and the reactions we have seen in 2019 from the supervisory authorities to insufficient data security illustrate the importance of a risk-based approach to the GDPR requirements. The GDPR does not define or specify the security measures you should have in place. Instead, it requires the company to have a level of security which is “appropriate” to the risks presented by the company’s processing. This must be considered in relation to the state of the art and the costs of implementation, as well as the nature, scope, context and purpose of the processing. This reflects both the GDPR’s risk-based approach and the fact that there is no “one size fits all” solution to information security.
Effective implementation of data protection by design and default in solutions and services processing personal data can also reduce the risk associated with the processing and thus constitute a necessary safeguard in order to meet the security requirements of the GDPR.
2019 has provided some more guidance on certain requirements of the GDPR, but there are still many uncertainties and a need for further clarification from the supervisory authorities, the EDPB, the national courts and the CJEU. Additional clarification and guidance from the authorities must be expected in 2020 as we move into a new year with the GDPR.
You can also read our summary of the first year with the GDPR here (in Norwegian).