25 May 2020 marks the second anniversary of the EU's General Data Protection Regulation (GDPR) coming into effect. What has changed in the area of privacy and compliance over the past couple of years? In this article, we provide a summary of the most relevant milestones.
1. The first record fines for violations of the GDPR
In June 2019, the UK Data Protection Authority (ICO) announced its intention to impose two large fines for breaches of Article 32 of the GDPR (insufficient technical and organizational measures).
- Marriott International, Inc.: a proposed fine of EUR 110,390,200 for a personal data breach affecting approximately 339 million guests (approximately 30 million of them residents of the European Economic Area) as a result of a cyberattack. According to the ICO investigation, the controller had failed to undertake sufficient due diligence when it acquired another hotel chain (Starwood) and should have ensured better security of its IT systems.
- British Airways: a proposed fine of EUR 204,600,000 for the leakage of personal data of approximately half a million customers. The incident took place after users of British Airways' website were diverted to a fraudulent site where their personal data were harvested by attackers.
The amounts of the fines are not final yet. During the Covid-19 pandemic, the ICO adopted a Regulatory Manual (15 April 2020), according to which the economic impact of the pandemic will also be taken into account when imposing fines.
2. Guidelines for the correct setting of cookies
The correct setting of cookies has been discussed for some time. In the last year, several guidelines have been developed in the EU (Great Britain, France, Germany, Spain, etc.), from which we have selected the following two:
- ICO Guidance. In 2019, the UK ICO issued guidance distinguishing between cookies that are essential for the functioning of the website, for which no consent to processing is required, and non-essential cookies (e.g. analytics cookies), for which the data subject's consent is always required. The guidance also deals with the scope of the privacy policy, cookie walls, cookie banners, and other practical issues. In practice, you can also check and test the correct setting of cookies on the official ICO website.
- CNIL Guideline. In 2019, the French Personal Data Protection Authority (CNIL) issued its own guideline. In contrast to the ICO guidance, the CNIL guideline bans cookie walls completely. On the other hand, CNIL sees room for an exception to the obligation to obtain consent for analytics cookies if other conditions are fulfilled (Google Analytics cookies, for example, do not fall under the exception). The guideline is currently being revised. The public consultation on its content ended on 25 February 2020. The final text was expected during April 2020, but due to the Covid-19 pandemic, this date has been postponed.
Both DPAs excluded so-called "presumed consent" expressed by scrolling through the website. To compare other similar and differing features, we recommend visiting the official IAPP website, where you can find comprehensive comparisons of the guidelines (including the German and Spanish guidelines).
3. The CJEU's view on consent to the use of cookies
In 2019 we witnessed another breakthrough in the use of cookies, based on the judgment of the Court of Justice of the European Union in case C-673/17. The judgment reached the following practical conclusions:
- Consent to cookies is not valid if expressed through an opt-out box;
- Consent must be informed (e.g. including the period of storage of the cookies and whether third parties have access to them).
4. New EDPB guidelines on consent under the GDPR
On 4 May 2020, the EDPB approved new guidelines specifying the conditions for validly and freely given consent. These guidelines exclude cookie walls and take a similar position on scrolling, since scrolling is practically impossible to distinguish from ordinary use of a website.
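The conclusions of sections 2 to 4 (essential cookies need no consent, non-essential ones need an explicit, informed opt-in, and scrolling, pre-ticked boxes and cookie walls do not count) translate directly into a consent gate on the client side. The following JavaScript is an added example written for this summary; it is not code from the article, from any of the authorities cited, or from any real consent management tool. The cookie inventory, category names and the shape of the consent signal are constructed assumptions for illustration.

```javascript
// Added example (not from the article): a consent gate encoding the ICO,
// CNIL, CJEU (C-673/17) and EDPB conclusions summarised above.
// The cookie inventory below is constructed for illustration.
const COOKIE_REGISTRY = {
  session_id: { category: "essential",   purpose: "keeps the visitor logged in",            retention: "end of session", thirdParty: null },
  csrf_token: { category: "essential",   purpose: "protects forms against request forgery", retention: "end of session", thirdParty: null },
  _ga:        { category: "analytics",   purpose: "audience measurement",                   retention: "2 years",        thirdParty: "Google Analytics" },
  ad_id:      { category: "advertising", purpose: "cross-site ad targeting",                retention: "13 months",      thirdParty: "ad network" },
};

// A consent signal as the banner reports it (assumed shape):
//   source     - how the visitor acted: "click" (an explicit affirmative action),
//                "scroll", "prechecked" (a pre-ticked opt-out box) or "dismiss"
//   informed   - whether the notice built by consentNotice() was shown first
//   categories - the non-essential categories the visitor opted in to
function isValidConsent(signal) {
  if (!signal || typeof signal !== "object") return false;
  // Only an explicit affirmative action counts: scrolling, continued browsing
  // and pre-ticked boxes are not consent (CJEU C-673/17, EDPB guidelines).
  if (signal.source !== "click") return false;
  // Consent must be informed: purposes, storage periods and third parties shown.
  if (signal.informed !== true) return false;
  return Array.isArray(signal.categories);
}

// Names of cookies that may be set for this visitor. Essential cookies never
// need consent; every other category needs a valid opt-in for that category.
// The page itself is served either way: gating content behind consent
// (a cookie wall) is exactly what CNIL and the EDPB reject.
function allowedCookies(registry, signal) {
  const granted = new Set(isValidConsent(signal) ? signal.categories : []);
  return Object.keys(registry).filter((name) => {
    const meta = registry[name];
    return meta.category === "essential" || granted.has(meta.category);
  });
}

// What the banner must disclose for consent to be informed: purpose, storage
// period and third-party access of every non-essential cookie.
function consentNotice(registry) {
  return Object.entries(registry)
    .filter(([, meta]) => meta.category !== "essential")
    .map(([name, meta]) => ({
      name,
      category: meta.category,
      purpose: meta.purpose,
      storagePeriod: meta.retention,
      thirdPartyAccess: meta.thirdParty || "none",
    }));
}

// Accountability record of a valid consent (what was agreed, against which
// version of the notice, and when). Returns null for anything that is not
// valid consent, so no record is ever kept for scrolling or pre-ticked boxes.
function recordConsent(signal, noticeVersion, now = new Date()) {
  if (!isValidConsent(signal)) return null;
  return {
    categories: [...signal.categories].sort(),
    noticeVersion,
    givenAt: now.toISOString(),
  };
}
```

In a real deployment the banner would call `consentNotice()` to render its text, pass the visitor's action to `recordConsent()`, and only then let the tag manager load the scripts behind the names returned by `allowedCookies()`; the important design point is that the default (no signal, scrolling, dismissal or a pre-ticked box) always resolves to the essential set.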
The second year of GDPR was very active and brought several practical and useful conclusions. If you are interested in the development of the GDPR in Slovakia, feel free to read our second article.