On May 25, 2018, the General Data Protection Regulation came into force as the strictest and most encompassing data protection law ever passed. Its scope reaches far beyond the borders of the EU, in so far as it applies to all organizations and all websites globally that process data of EU citizens.
Furthermore, the GDPR has set a high standard for data protection, which other data protection authorities around the world are following as an example as they update their legislation to meet the demands of a digital and data-driven society.
Up to the enforcement deadline, the million-dollar question was how (and whether, even) the GDPR would actually be enforced in practice. Now, six months later, various national data protection authorities and supervisory authorities as well as privacy activists and offended parties have taken action.
Read about GDPR convictions, fines, investigations, complaints and warnings below. Find out what to be especially aware of and how to avoid trouble in our checklist at the end of the article.
Timeline: What GDPR related actions have taken place since May 25, 2018?
The cases that have attained public attention are only the tip of the iceberg.
As a rule of thumb, cases are only made public if one of the involved parties chooses to do so for some reason: to gain momentum, as in the case of Privacy International; to set an example and a warning, as in the warnings by the CNIL and the fined Portuguese hospital; or because the convicted company wishes to dispute the conviction.
At the time of writing, an estimated 30 to 60 cases are being investigated by the data protection authorities of the different EU member states.
The number of complaints is way higher. For example, four months into the enforcement, the French supervisory authority CNIL had received 742 notifications of violations.
All in all, 6 months after the enforcement, the European DPAs had received an estimated 57,000 complaints!
The cases that for one reason or another have reached the public or received media attention leave no doubt that the GDPR is taken seriously.
Quite the contrary, the cases prove how important it is to have a proper consent mechanism with clear, transparent and accurate information, to ensure that the consent is obtained prior to the initial processing, and to have an adequate documentation of consents, amongst other things.
The GDPR is very much to be reckoned with, and has been adopted by national authorities, privacy activists and offended parties alike as a potent instrument to improve transparency and ensure the enforcement and respect of privacy rights.
CNIL issues formal warnings for lack of prior consent and inadequate information
On June 25, 2018, just a month into the enforcement of the GDPR, the French supervisory authority CNIL (acronym for Commission Nationale de l'Informatique et des Libertés) issued a formal warning to the two French mobile app companies Fidzup and Teemo for lack of consent, for inadequate information about the duration of the data storage, and for lack of free choice.
Geodata targeted advertising is advertising based on the person’s specific geographical location, often discovered by means of apps installed on their smartphone.
The two companies specialize in geo-targeted advertising. They make use of a software development kit (SDK) that is integrated into the code of their partners’ mobile apps; the partners are usually advertisers and shops. The SDK enables the localization of the device and therefore the tracking of personal geodata.
Geodata can be transmitted even when the app is not in use (in the case of Teemo every 5 minutes) and constitutes precious information for advertisers, especially when coupled with other user profiling data, enabling very precisely targeted ad campaigns based on the user’s profile and location.
Let’s say your user profile suggests you are a man in your mid-thirties living in a lasting relationship, you might be targeted with ads for engagement rings on your phone while you are in the proximity of a jewelry store.
See also the infographic made by the CNIL explaining how targeted advertising based on smart phone geolocation works (in French).
The CNIL issued its warnings due to faulty consent: In the case of Teemo, CNIL found that the user was not informed about the geodata collecting SDK when downloading the apps. During their controls, CNIL revealed that when Fidzup’s partners’ apps were downloaded, the user was not informed about the purpose of the tracking or about the identity of the tracker. Furthermore, the general terms and conditions were provided after the download of the app was completed, hence after the initial data collection had taken place, thereby infringing the requirement for prior consent. The data was kept for too long, infringing the GDPR requirement that data that is no longer needed for the original and declared purpose be deleted.
Finally, in the case of both companies, the consent was not freely given, as it was not possible to download the app without the SDK. Therefore, downloading the apps in question automatically meant that the user data was transmitted to the companies.
The CNIL issued a formal warning based on the following infractions of the GDPR:
- Transmission of data without prior consent
- Inadequate information about the purpose of the tracking, identity of the tracker and the destination of the data
- Excess data collection and data kept for too long
- Consent bundled and therefore not freely given
See the official warnings issued by the CNIL here (in French):
Dutch Supervisory Authority investigates corporations’ GDPR compliance
Autoriteit Persoonsgegevens (AP), the Dutch supervisory authority, announced its GDPR compliance review of thirty randomly selected Dutch corporations from different economic sectors.
On July 17, 2018, the Dutch Supervisory Authority, Autoriteit Persoonsgegevens, announced that it would review the records of processing activities of thirty corporations, randomly selected from ten different economic sectors across the Netherlands, namely: metal industry, water supply, construction, trade, catering, travel, communications, financial services, business services and healthcare.
According to the authority, the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the EU data protection rules.
Article 30 of the GDPR requires data controllers and processors to maintain a record of their processing activities. These records must, among other things, include a description of the categories of data subjects and types of personal data processed, as well as the recipients of the data and the transfer mechanisms used. Small organizations with less than 250 employees are generally exempted from this rule, but there are several exceptions to the exemption which may still cause this obligation to apply to them as well.
Portugal GDPR fine of 400,000 euro to hospital for breach
Too many people had access to patient data, and the hospital was not able to document compliant processes for the handling of the data. Centro Hospitalar Barreiro Montijo got the dubious honor of being the first recipient of a large GDPR fine, thereby definitely proving the validity of the new regulation.
On October 22, 2018, the Portuguese data protection authority CNPD (Comissão Nacional de Protecção de Dados) announced that Centro Hospitalar Barreiro Montijo (CHBM) was fined for two violations of the GDPR:
- Firstly, the hospital was fined for non-compliant access to patient data, as too many people had access to patient information, an infraction that carried a fine of 300,000 euro.
- Secondly, the hospital was unable to document that it can "ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services", which led to a fine of another 100,000 euro.
The fine was disclosed following an inspection carried out by CNPD, after an alert issued by the Medical Association.
Privacy International accuses data brokers and credit scorers of GDPR breaches
The UK based charity, Privacy International, advocates for transparency and for strong legal and technological protection of personal privacy.
On November 8, 2018, Privacy International (PI) filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK.
The UK based charity urged the data protection authorities to investigate these companies and to protect individuals from the mass exploitation of their data.
In their complaints, PI stated that the seven companies Acxiom, Criteo, Equifax, Experian, Oracle, Quantcast, and Tapad, are not compliant with Data Protection Principles, namely the principles of “transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy”.
They claimed that all of the above companies systematically process personal data in an unlawful manner, referring in particular to their extensive practice of profiling. They claim that they do not have a legal basis for the way they use people's data, and underline that neither consent nor legitimate interest are satisfactory conditions for the kind of processing taking place.
“Where they claim that consent is a valid basis for processing, they fail to demonstrate how it was collected and that the consent was freely given, specific, informed, and unambiguous,” says PI in its press release, and continues:
“Where they rely on legitimate interest, they have molded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals’ rights.”
Privacy International also states that there are obstacles to individuals exercising their data subject rights under the GDPR against these companies, including:
- the rights to information (Article 13 and 14 of GDPR)
- to access (Article 15)
- to erasure (Article 17),
- and in relation to automated decision-making, including profiling (Article 22 GDPR)
Formal warning from the CNIL for IAB-framework-implemented consent
The French supervisory authority CNIL has proven to be very proactive when it comes to GDPR enforcement. On November 9, it issued its third formal warning to a private company for lack of valid consent, even though a consent solution from the IAB framework had been implemented.
On November 9, 2018, the CNIL issued a formal warning to the advertising network Vectaury, giving the company three months to change its consent experience for customers and to purge all data collected on the basis of invalid consent previously obtained. If they fail to do so, they will be fined.
As in the cases of the companies Teemo and Fidzup described above, the warned company Vectaury used SDK technology in order to collect geolocation data of the users.
It is worth noting that Vectaury did have a consent mechanism in place and participated in the IAB Europe transparency & consent framework (TCF). The consent dialog consisted of a short message describing the data collection and offering three options: to accept, to refuse, and to customize the preferences.
However, based on their controls, the CNIL still found that the obtained consent was not compliant due to the following:
1. The consent was not informed: Due to unclear language and the use of complex terms, and due to faulty accessibility to information, in particular the list of third parties receiving the data.
2. The given consent had insufficient options: At the time of installation of the app, the dialog only gave users the option to consent or to refuse. Users were not asked to specifically consent to the processing of their geolocation data for targeted marketing purposes.
3. The consent was not obtained through an affirmative action: Users selecting “customize my preferences” were directed to a separate pop-up with pre-checked options.
CNIL’s decision to issue a formal warning to Vectaury has provoked strong reactions in the adtech industry. It is being interpreted as an important first step towards establishing that consent frameworks based on the contractual passing-on of consents are not valid under the GDPR.
Read the article by TechCrunch for an interesting and enlightening walk-through of the case, the reactions and analysis of its possible consequences for the industry: How a small French privacy ruling could remake adtech for good.
Overview: Public attention to GDPR fines, warnings, complaints and investigations in the EU so far
Updated December 3, 2018
- June 25, 2018: Formal warning by the CNIL (FR) to Teemo & Fidzup for lack of prior consent, inadequate information, excess data collection, data kept for too long, and consent not freely given
- July 17, 2018: Investigation by Autoriteit Persoonsgegevens (NL) of 30 randomly selected Dutch companies, checking the (in)correct maintenance of records of processing activities
- October 22, 2018: Fine of 400,000 € administered by Comissão Nacional de Protecção de Dados (PT) to Centro Hospitalar Barreiro Montijo for violation of the principle of data integrity and confidentiality, violation of the principle of data minimization that should prevent indiscriminate access to clinical data, and inability to ensure the confidentiality and integrity of the data
- October 23, 2018: Formal warning given by CNIL (FR) to SingleSpot for lack of consent for data tracking and incomplete information
- November 8, 2018: Complaints filed by Privacy International (to UK, FR & IE) about Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax and Experian for lack of lawful basis for data tracking and profiling and lack of valid, informed and transparent consent
- November 9, 2018: Formal warning issued by CNIL (FR) to Vectaury for inadequate information and invalid consent
- November 22, 2018: Fine of 20,000 € administered by the German DPA of Baden-Württemberg to the "cuddly" German chat app Knuddels.de for user passwords saved in plain text
- November 29, 2018: Formal complaint by Forbrukerrådet (NO) and 7 other European consumer organizations to DPAs in the Netherlands, Poland, the Czech Republic, Greece, Norway, Slovenia and Sweden against Google for user tracking on a massive scale without free, specific, informed and unambiguous consent to the collection and use of location data
Visual overview, updated November 22, 2018
Who is enforcing the GDPR?
The GDPR was issued by the European Commission in 2016 and came into force on May 25, 2018.
The European Data Protection Board (EDPB), formerly known as the Working Party 29 (WP29), acts as the regulatory body of the GDPR.
EDPB is made up of the presidents of the member states’ data protection authorities. The EDPB issues guidelines and recommendations, and advises the European Commission, ensuring consistency of the application of GDPR.
On a national level, each EU member state has designated a supervisory authority or data protection authority (DPA) to be responsible for monitoring the application of the GDPR and addressing non-compliance.
In most cases, the DPA plays an (often difficult) double role: as an institution offering GDPR guidance and advice on the one hand, and as the GDPR enforcement authority on the other.
List of 28 member states’ Data Protection Authorities (DPA):
Austria: Österreichische Datenschutzbehörde
Belgium: Data Protection Authority
Bulgaria: Commission for personal data protection
Croatia: Croatian data protection agency
Czech Republic: The office for personal data protection
Italy: Garante privacy
Ireland: Data protection commission
Latvia: Data State Inspectorate
Lithuania: State data protection inspectorate
the Netherlands: Autoriteit Persoonsgegevens
Poland: Personal data protection office
Portugal: Comissão Nacional de Protecção de Dados
Romania: Data protection
United Kingdom (UK): ICO
Germany: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
NB: in the Federal Republic of Germany, the responsibility for monitoring and supervising the enforcement of the GDPR is distributed amongst the 16 states of the federation. See the list of German data protection supervisory authorities.
Checklist of GDPR enforcement and compliance: What conclusions can be drawn so far?
The General Data Protection Regulation, a law text of 88 pages and 99 articles, is, like any other piece of legislation, a complex document to interpret into the everyday life and reality of an organization.
Many companies and organizations have therefore been biding their time, waiting to see how the regulation would be enforced in practice.
The enforcement is still in its early stages and the different data protection authorities still have to find their stance in between advising companies for compliance and administering fines for infractions.
In terms of take-aways, however, the early cases highlighted above show that especially the following types of GDPR infractions have been targeted so far:
- Related to cookies and online data tracking (websites and apps):
  - prior consent: lacking or incompletely implemented
  - pre-ticked checkboxes or bundling of consents
  - partial, faulty or unclear information
- Related to data registers:
  - incomplete safeguarding of data
  - lack of documentation of data handling procedures
  - unauthorized persons’ access to data
The cases leave no doubt that the GDPR affects “normal” companies, middle-sized and smaller, startups, as well as public institutions. It is, in other words, enforced as a regulation that concerns us all and not only the tech giants such as Google, Facebook, Amazon and Apple.
In terms of making a conclusion on what to be aware of, one might list the following:
1. “Less is more”: Your mantra when it comes to processing data. Collect as little data as possible, keep it only for as long as it is relevant for the purpose for which it was collected, and give as few people as possible access to the data.
2. Documentation is essential: Keep registers and clean procedures for all of the data processing taking place.
3. Enable informed consent (and make sure it is prior): One of the trickiest parts of ensuring compliance is cookies and online tracking on your website. It’s difficult to know what is going on “under the hood” of a website, in fact, most website owners don’t even know it themselves!
Most websites have large numbers of cookies and online tracking technologies coming from third parties, most of which do track personal data of the website users.
Social media buttons, embedded content, analytics etc. all can (and usually do) set cookies, that collect personal data and send them off “into the world” where they are processed by whomever they are sent to.
In doubt about what is considered personal data under the GDPR? Read our introduction to the GDPR.
Even so, as the owner of the website, you are the party responsible for the tracking taking place on your website, for enabling prior consent to all of the tracking, and for informing about it in a clear and specific manner.
To our best knowledge, Cookiebot is the only consent management solution fully capable of helping you in doing so at this stage.
Read our explanation why below.
How Cookiebot helps
The main features of the solution are:
Website scanner: Detects all cookies and tracking in use on a website
Enabled prior consent: All cookies and tracking are effectively held back until consent to them has been given by the user
The consent banner: Displays accurate information about the cookies and tracking and gives the user the possibility to opt in and out
Registry: All received consents are securely stored as documentation that consent has been given
The website scan
The monthly scan discovers, locates, and identifies all tracking scripts that are active on all sub-pages of your domain — irrespective of its size and complexity.
Think of it as a number of users (7-8 to be more specific) that visit your website simultaneously and perform all the actions possible. The users will go through up to 10,000 subpages, will click all the links, menu points and buttons, move around the cursor, they’ll play embedded videos, look at photos – in other words do everything that it is possible for a real website visitor to do on your website.
While this user simulation is taking place, the scanner collects information about all the cookies and various tracking technology that is being used – i.e. the exact same cookies and trackers that a real website user would encounter – and gathers all this information in the scan report along with a lot of other useful information.
The consent banner
The list of cookies and tracking in operation on the website folds out directly from the consent banner, providing true transparency.
The user can easily opt in and out of the four categories: Necessary, Preferences, Statistics and Marketing.
All received consents are securely stored as documentation and renewed upon the user’s first returning visit once 12 months have elapsed.
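The “prior consent” mechanism described in this section (tags held back until the visitor opts in to their category, no option pre-ticked, and a stored consent record that expires after 12 months) can be illustrated in a few dozen lines of JavaScript. The block below is an added example written for this article; it is not Cookiebot’s code and makes no claim about how Cookiebot implements these features. The tag list, the `data-consent-category` naming, the storage interface and the timestamps are all constructed for the example, and the in-memory storage stands in for a browser’s `localStorage` so it runs outside a browser.

```javascript
"use strict";
// Added illustration of consent-gated tag loading (not Cookiebot's code).
// Model: every third-party tag on the page is registered with a consent category and
// is NOT executed until the visitor has opted in to that category. Consents are stored
// as a dated record and expire after 12 months, after which the banner is shown again.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // 12 months (365-day year assumed)

// Default before any user action: only strictly necessary processing is allowed.
// Nothing optional is pre-ticked, so consent can only come from an affirmative action.
function defaultChoices() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Turn the banner's result into a stored record. Unknown categories are rejected so a
// malformed dialog cannot silently enable tracking; only an explicit `true` counts as opt-in.
function recordConsent(choices, nowMs, storage) {
  const clean = defaultChoices();
  for (const key of Object.keys(choices)) {
    if (!CATEGORIES.includes(key)) throw new Error("unknown consent category: " + key);
    clean[key] = key === "necessary" ? true : choices[key] === true;
  }
  const record = { version: 1, givenAt: nowMs, expiresAt: nowMs + CONSENT_TTL_MS, choices: clean };
  storage.set("consent", JSON.stringify(record)); // the documentation that consent was given
  return record;
}

// Load a stored record; null if absent, unparsable, or 12 months or more old.
function loadConsent(storage, nowMs) {
  const raw = storage.get("consent");
  if (!raw) return null;
  let record;
  try { record = JSON.parse(raw); } catch (_) { return null; }
  if (!record || typeof record.expiresAt !== "number" || nowMs >= record.expiresAt) return null;
  return record;
}

// Decide which held-back tags may now run. A tag that declares no category is treated as
// marketing (the most restrictive choice), never as necessary.
function releasableTags(tags, record) {
  const choices = record ? record.choices : defaultChoices();
  return tags.filter((tag) => choices[tag.category || "marketing"] === true);
}

// Constructed sample of held-back tags, as they would be collected from
// <script type="text/plain" data-consent-category="..."> elements before activation.
const SAMPLE_TAGS = [
  { src: "https://cdn.example.com/session.js", category: "necessary" },
  { src: "https://analytics.example.net/collect.js", category: "statistics" },
  { src: "https://ads.example.org/pixel.js", category: "marketing" },
  { src: "https://cdn.example.com/legacy.js" }, // no category declared
];

// Minimal in-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => m.set(k, String(v)) };
}

// Walk through one visitor's lifecycle: first visit, opt-in to statistics only, and the
// renewal point 12 months later.
function demo() {
  const store = memoryStorage();
  const t0 = Date.UTC(2018, 10, 25); // constructed first-visit timestamp
  const before = releasableTags(SAMPLE_TAGS, loadConsent(store, t0)).map((t) => t.src);
  recordConsent({ statistics: true, marketing: false }, t0, store);
  const after = releasableTags(SAMPLE_TAGS, loadConsent(store, t0 + 1000)).map((t) => t.src);
  const renewed = loadConsent(store, t0 + CONSENT_TTL_MS); // exactly 12 months later
  return { before, after, renewedIsNull: renewed === null };
}

console.log(JSON.stringify(demo(), null, 2));
```

The important properties are in `defaultChoices` and `recordConsent`: before any choice only the necessary tag is released, a truthy-but-not-`true` value such as the string `"on"` does not count as an opt-in, and an untagged script is held back rather than waved through. A real deployment would replace `memoryStorage` with `localStorage` or a first-party cookie and would activate a released tag by creating a real `<script>` element with its `src`.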