Summary of the Data Privacy Year 2020
Administrative fines for security breaches
In the course of 2020 the data protection authorities within the EU/EEA have notified intentions to impose administrative fines amounting to approximately 170 million EUR. The most prominent types of violations are (i) insufficient legal basis for data processing; (ii) insufficient technical and organizational measures to ensure sufficient information security; and (iii) non-compliance with general data processing principles.
In Norway, most of the administrative fines have been imposed against public companies. However, it is expected that the Norwegian Data Protection Authority (the “DPA”) will have an increased focus on the private sector in the future, due to increased processing activities and complexity by private companies, e.g. use of loyalty clubs, apps and marketing activities in social media aimed at consumers. The largest administrative fine imposed by the DPA as yet was given to Bergen municipality (NOK 3,000,000) based on insufficient security in the communication system between school and home relating to personal information. The DPA has further notified their intention to impose administrative fines to the Norwegian Public Roads Administration (NOK 4,000,000) and the Norwegian Sports Confederation (NOK 2,500,000).
The data privacy year of 2020 also saw the top three individual fines imposed to date; Google Inc. (EUR 50,000,000)[1], H&M (approx. EUR 35,000,000) and Italian telecommunications provider TIM (approx. EUR 28,000,000). All fines were given due to insufficient legal basis for data processing.
Brexit
UK is no longer part of the EU and will therefore be considered a third country in the GDPR context. As a general rule, it is not permitted to transfer personal data to third countries, i.e. countries outside the EEA. A number of strict conditions must be complied with before such transfers can take place. In the EU-UK Trade and Cooperation Agreement concluded 24 December 2020, the parties have agreed that UK will not be considered a third country for an interim period. The interim period will last for a minimum period of four months and maximum six months after the agreement entered into force. The Norwegian government has adopted a temporary regulation following up on this agreement. Thus, for the time being, personal data can be transferred to UK in the same way as to EEA countries.
The European Commission is currently considering whether UK should be given an adequacy decision, which indicates that the country has an adequate level of data protection from an EEA perspective. If an adequacy decision is made, transfers of personal data to UK will be permitted in the same way as within the EEA also after the interim period.
Rulings from the Court of Justice of the European Union (CJEU)
The most talked about event of the data privacy year 2020 was without doubt the CJEU’s Schrems II decision where the Court concluded that Privacy Shield is an insufficient legal basis for transfer of personal data to USA in light of the GDPR. You can read our newsletter on the decision here (in Norwegian). Further, the Court stipulated stricter requirements for the use of EU Standard Contractual Clauses as a basis for transfer of personal data from the EEA to third countries. The European Data Protection Board (EDPB) has later adopted guidelines on “supplementary measures” to be implemented for international transfers. You can read our newsletter on the guidelines here (in Norwegian).
The CJEU also made two decisions (Privacy International (C-623/17) and La Quadrature du Net and Others (C-511/18)) which conclude that mass collection of telecommunications data is a breach of the e-Privacy Directive. The e-Privacy Directive complements the GDPR and sets out more specific privacy rights on electronic communications. In consequence, the entering into force of the chapters on “digital border defence” in the newly adopted Norwegian Intelligence Service Act has been postponed. These provisions impose a duty on providers of electronic communications services and internet-based communication and messaging services, to facilitate access to cross-border electronic communication, including the acquisition and storage of metadata. Such metadata include inter alia name, date, time, location and IP-address. This duty has been heavily criticized by the DPA and the Government is currently assessing whether the CJEU decisions necessitates any amendments.
The COVID-19 pandemic and the GDPR
The Covid-19 pandemic has led to a special need for companies to establish measures to protect the employees and reduce transmission of the virus in the population in general. This has raised a number of questions related to data protection, especially with regard to what personal information that can be collected from the employees and on what grounds, and for how long this information may be stored. You can read our newsletter on some of these issues here (in Norwegian).
At the outset of the pandemic, the Norwegian Institute of Public Health (NIPH) developed a contact tracing mobile app (“Smittesporing”). During the summer, the DPA decided to temporarily ban the processing of personal data using the app as the app did not represent a proportionate intervention in the user’s fundamental right to data protection. The DPA further concluded that NIPH did not adhere to the principle of data minimization as NIPH had not sufficiently established the necessity of using location data from GPS in contact tracing.
This case illustrates necessity and proportionality as key principles in the GDPR and that only personal data which is adequate and relevant for the purposes of the processing may be collected and processed. A new version of the app was launched in December. The DPA has accepted this version which has one purpose only (namely contact tracing) and which is exclusively based on consent from each data subject. The new version also uses Bluetooth technology which is less intrusive than GPS. For instance, the app will not store your location and it will not be able to see where or when you were in contact with an infected person.
BAHR comments
The amount of reactions we have seen in 2020 by the supervisory authorities, illustrates that all companies processing personal data must continue to carefully consider its processing activities. A pandemic is no green light to intervene in the data subject’s fundamental right to data protection, and the companies should establish written routines to ensure that personal data collected due to the Covid-19 pandemic are deleted when they are no longer required.
Many businesses have changed their services in response to the pandemic. Extensive restrictions have resulted in a growing use of new sub processors. Data controllers and data processors should undertake due diligence of such companies and assess whether they could be trusted to receive and process the relevant data. Some of the key issues are related to technical and organizational measures to achieve an adequate level of security, distribution of responsibility and international transfers.
2020 has provided important guidance on international transfers. The EDPB imposes extensive responsibilities on the data exporters and it must be expected that both data exporters within the EEA and service providers in countries outside the EEA must revise their business to ensure compliance with the GDPR requirements. Activities from the Norwegian DPA also indicate that international transfers are a prioritised area of concern due to the ruling in the Schrems II case last summer. Companies within the EEA should therefore map its direct or indirect transfers to countries outside the EEA and carefully review the basis for these transfers to ensure that they comply with the new requirements.