The cases that have attained public attention are only the tip of the iceberg.
As a rule of thumb, cases are only made public if one of the involved parties chooses to do so for some reason, e.g. to gain momentum, as in the case of Privacy International; to set an example and a warning, as in the warnings by the CNIL and the fined Portuguese hospital; or because the convicted company wishes to dispute the conviction.
At the time of writing, an estimated 30 to 60 cases are being investigated by the data protection authorities of the different EU member states.
The number of complaints is far higher. For example, four months into the enforcement, the French supervisory authority CNIL had received 742 notifications of violations.
All in all, six months after enforcement began, the European DPAs had received an estimated 57,000 complaints!
The cases that for one reason or another have become public or have received media attention leave no doubt that the GDPR is being taken seriously.
They show how important it is to have a proper consent mechanism with clear, transparent and accurate information, to ensure that consent is obtained prior to the initial processing, and to keep adequate documentation of consents, amongst other things.
The GDPR is very much to be reckoned with, and has been adopted by national authorities, privacy activists and offended parties alike as a potent instrument to improve transparency and ensure the enforcement and respect of privacy rights.
Geodata-targeted advertising is advertising based on a person’s specific geographical location, often discovered by means of apps installed on their smartphone.
The two companies specialize in geo-targeted advertising. They make use of a software development kit (SDK) that is integrated into the mobile app code of their partners, usually advertisers and shops. The SDK enables the localization of the device and therefore the tracking of personal geodata.
Geodata can be transmitted even when the app is not in use (in the case of Teemo, every 5 minutes) and constitutes precious information for advertisers, especially when coupled with other user profiling data, enabling very precisely targeted ad campaigns based on the user’s profile and location.
If your user profile suggests you are a man in your mid-thirties living in a lasting relationship, you might be targeted with ads for engagement rings on your phone while you are in the proximity of a jewelry store.
See also the infographic made by the CNIL explaining how targeted advertising based on smartphone geolocation works (in French).
The CNIL issued its warnings due to faulty consent. In the case of Teemo, the CNIL found that users were not informed about the geodata-collecting SDK when downloading the apps. During its inspections, the CNIL found that when Fidzup’s partners’ apps were downloaded, users were not informed about the purpose of the tracking or about the identity of the tracker. Furthermore, the general terms and conditions were provided after the download of the app was completed, hence after the initial data collection had taken place, thereby infringing the requirement for prior consent. The data was kept for too long, infringing the GDPR requirement that data that is no longer needed for the original and declared purpose be deleted.
Finally, in the case of both companies, the consent was not freely given, as it was not possible to download the app without the SDK. Therefore, downloading the apps in question automatically meant that the user data was transmitted to the companies.
The CNIL issued a formal warning based on the following infractions of the GDPR:
See the official warnings issued by the CNIL here (in French):
Autoriteit Persoonsgegevens (AP), the Dutch supervisory authority, announced a GDPR compliance review of thirty randomly selected Dutch corporations from different economic sectors.
On July 17, 2018, the Dutch supervisory authority, Autoriteit Persoonsgegevens, announced that it would review the records of processing activities of thirty corporations, randomly selected from ten different economic sectors across the Netherlands, namely: metal industry, water supply, construction, trade, catering, travel, communications, financial services, business services and healthcare.
According to the authority, the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the EU data protection rules.
Article 30 of the GDPR requires data controllers and processors to maintain a record of their processing activities. These records must, among other things, include a description of the categories of data subjects and types of personal data processed, as well as the recipients of the data and the transfer mechanisms used. Small organizations with fewer than 250 employees are generally exempted from this rule, but there are several exceptions to the exemption that may still cause the obligation to apply to them as well.
Too many people had access to patient data, and the hospital was not able to document compliant processes for the handling of the data. Centro Hospitalar Barreiro Montijo got the dubious honor of being the first recipient of a large GDPR fine, thereby definitely proving the validity of the new regulation.
On October 22, 2018, the Portuguese data protection authority CNPD (Comissão Nacional de Protecção de Dados) announced that Centro Hospitalar Barreiro Montijo (CHBM) was fined for two violations of the GDPR:
The fine was disclosed following an inspection carried out by CNPD, after an alert issued by the Medical Association.
The UK-based charity Privacy International advocates for transparency and for strong legal and technological protection of personal privacy.
On November 8, 2018, Privacy International (PI) filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK.
The UK-based charity urged the data protection authorities to investigate these companies and to protect individuals from the mass exploitation of their data.
In their complaints, PI stated that the seven companies, Acxiom, Criteo, Equifax, Experian, Oracle, Quantcast, and Tapad, are not compliant with the Data Protection Principles, namely the principles of “transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy”.
They claimed that all of the above companies systematically process personal data in an unlawful manner, referring in particular to their extensive practice of profiling. They claimed that the companies do not have a legal basis for the way they use people's data, and underlined that neither consent nor legitimate interest is a satisfactory condition for the kind of processing taking place.
“Where they claim that consent is a valid basis for processing, they fail to demonstrate how it was collected and that the consent was freely given, specific, informed, and unambiguous,” says PI in its press release, and continues:
“Where they rely on legitimate interest, they have molded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals’ rights.”
Privacy International also states that there are obstacles to individuals exercising their data subject rights under GDPR against these companies, including:
The French supervisory authority CNIL has proven to be very proactive when it comes to GDPR enforcement. On November 9, it issued its third formal warning to a private company for lack of valid consent, even though the company had implemented a consent solution from the IAB framework.
On November 9, 2018, the CNIL issued a formal warning to the advertising network Vectaury, giving the company three months to change its consent experience for customers and to purge all data collected on the basis of invalid consent previously obtained. If they fail to do so, they will be fined.
As in the cases of the companies Teemo and Fidzup described above, the warned company Vectaury used SDK technology to collect users' geolocation data.
It is worth noting that Vectaury did have a consent mechanism in place and participated in the IAB Europe transparency & consent framework (TCF). The consent dialog consisted of a short message describing the data collection and offering three options: to accept, to refuse, and to customize the preferences.
However, based on its inspections, the CNIL still found that the obtained consent was not compliant due to the following:
1. The consent was not informed, due to unclear language and the use of complex terms, and because information was difficult to access, in particular the list of third parties receiving the data.
2. The given consent had insufficient options: At the time of installation of the app, the dialog only gave users the option to consent or to refuse. Users were not asked to specifically consent to the processing of their geolocation data for targeted marketing purposes.
3. The consent was not obtained through an affirmative action: Users selecting “customize my preferences” were directed to a separate pop-up with pre-checked options.
The CNIL’s decision to issue a formal warning to Vectaury has provoked strong reactions in the adtech industry. It is being interpreted as an important first step towards proving that consent frameworks based on the contractual passing-on of consents are not valid under the GDPR.
Read the article by TechCrunch for an interesting and enlightening walk-through of the case, the reactions and analysis of its possible consequences for the industry: How a small French privacy ruling could remake adtech for good.
Updated December 3, 2018
Visual overview, updated November 22, 2018
The GDPR was issued by the European Commission in 2016 and came into force on May 25, 2018.
The European Data Protection Board (EDPB), formerly known as the Working Party 29 (WP29), acts as the regulatory body of the GDPR.
EDPB is made up of the presidents of the member states’ data protection authorities. The EDPB issues guidelines and recommendations, and advises the European Commission, ensuring consistency of the application of GDPR.
On a national level, each EU member state has designated a supervisory authority or data protection authority (DPA) to be responsible for monitoring the application of the GDPR and addressing non-compliance.
In most cases, the DPA plays an (often difficult) double role as an institution offering GDPR guidance and advice on the one hand, and as the GDPR enforcement authority on the other.
Austria: Österreichische Datenschutzbehörde
Belgium: Data Protection Authority
Bulgaria: Commission for personal data protection
Croatia: Croatian data protection agency
Czech Republic: The office for personal data protection
Italy: Garante privacy
Ireland: Data protection commission
Latvia: Data State Inspectorate
Lithuania: State data protection inspectorate
Netherlands: Autoriteit Persoonsgegevens
Poland: Personal data protection office
Portugal: Comissão Nacional de Protecção de Dados
Romania: Data protection
United Kingdom (UK): ICO
Germany: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
NB: in the Federal Republic of Germany, the responsibility for monitoring and supervising the enforcement of the GDPR is distributed amongst the 16 states of the federation. See the list of German data protection supervisory authorities.
The General Data Protection Regulation, a law text of 88 pages and 99 articles, is, like any other piece of legislation, a complex document to translate into the everyday life and reality of an organization.
Many companies and organizations have therefore been biding their time, waiting to see how the regulation would be enforced in practice.
Enforcement is still in its early stages, and the different data protection authorities have yet to find their stance between advising companies on compliance and administering fines for infractions.
In terms of takeaways, however, the early cases highlighted above show that the following types of GDPR infractions in particular have been targeted so far:
The cases leave no doubt that the GDPR affects “normal” companies, middle-sized and smaller, startups, as well as public institutions. In other words, it is enforced as a regulation that concerns us all and not only tech giants such as Google, Facebook, Amazon and Apple.
As for what to be aware of, one might list the following:
1. “Less is more”: Your mantra when it comes to processing data. Collect as little data as possible, keep it only for as long as it is relevant to the purpose for which it was collected, and give as few people as possible access to the data.
2. Documentation is essential: Keep registers and clean procedures for all of the data processing taking place.
3. Enable informed consent (and make sure it is prior): One of the trickiest parts of ensuring compliance is cookies and online tracking on your website. It’s difficult to know what is going on “under the hood” of a website. In fact, most website owners don’t even know it themselves!
Most websites have large numbers of cookies and online tracking technologies coming from third parties, most of which do track personal data of the website users.
Social media buttons, embedded content, analytics etc. can all (and usually do) set cookies that collect personal data and send it off “into the world”, where it is processed by whomever it is sent to.
In doubt about what is considered personal data in the GDPR? Read our introduction to the GDPR.
Even so, as the owner of the website, you are the responsible party for the tracking going on on your website, for enabling prior consent to all of the tracking, and for informing users about it in a clear and specific manner.
To our best knowledge, Cookiebot is the only consent management solution fully capable of helping you in doing so at this stage.
Read our explanation why below.
The main features of the solution are:
Website scanner: Detects all cookies and tracking in use on a website
Enabled prior consent: All cookies and tracking are effectively held back until consent to them has been given by the user
The consent banner: Displays accurate information about the cookies and tracking and gives the user the possibility to opt in and out
Registry: All received consents are securely stored as documentation that consent has been given
The monthly scan discovers, locates, and identifies all tracking scripts that are active on all sub-pages of your domain — irrespective of its size and complexity.
Think of it as a number of users (7-8 to be more specific) that visit your website simultaneously and perform all the actions possible. The users will go through up to 10,000 subpages, click all the links, menu points and buttons, move the cursor around, play embedded videos and look at photos – in other words, do everything that a real website visitor can do on your website.
While this user simulation is taking place, the scanner collects information about all the cookies and tracking technologies in use – i.e. the exact same cookies and trackers that a real website user would encounter – and gathers all this information in the scan report along with a lot of other useful information.
The list of cookies and tracking in operation on the website folds out directly from the consent banner, providing true transparency.
The user can easily opt in and out of the four categories: Necessary, Preferences, Statistics and Marketing.
All received consents are securely stored as documentation and renewed upon the user’s first returning visit once 12 months have elapsed.