United States: Non-Profit Activists' Strategic Pursuit Of Alleged GDPR Violations Spurs Compliance Developments

Key Points

  • Non-profit organizations are testing companies' GDPR compliance through targeted requests for information and other means and are filing complaints against allegedly non-compliant companies.
  • Main areas for non-profit activism to date include allegations of companies' deficient responses to data subjects' requests for information, opaque methods of sharing information on processing activities, and invalid forms of obtaining data subject consent for processing data.
  • Companies subject to the GDPR should evaluate their internal systems for tracking and responding to data subject requests, the way in which they provide information to data subjects, and the manner in which they obtain and track data subject consent.

This alert discusses two recent developments in relation to compliance with the European Union's General Data Protection Regulation (GDPR) that came about as a result of complaints filed by NOYB – European Center for Digital Rights (NOYB), an Austria-based, non-profit organization founded by Max Schrems, a well-known privacy activist. Schrems is best known for filing the case that led to the demise of the U.S.-EU Safe Harbor data-sharing agreement in 2015.

First, on January 18, 2019, NOYB filed a series of strategic complaints with the Austrian Data Protection Authority against eight companies (on behalf of 10 users), including Apple Music, Amazon Prime, YouTube, Netflix, Spotify and others (collectively, the "Companies"), for violations of the GDPR. Second, on January 21, 2019, the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés, or CNIL) fined Google €50 million (about $57 million) for GDPR violations. The CNIL's fine arose out of an investigation initiated in response to complaints filed in May 2018 by NOYB and a French digital rights group. (NOYB May 2018 Complaints.) Below, we provide a brief overview of the claims alleged in the recent NOYB complaints and in the CNIL/Google case.

These recent developments suggest that NOYB and other activist non-profit organizations may play an influential role in driving GDPR enforcement moving forward. NOYB's recent complaints indicate that it is strategically testing companies' compliance with different parts of the GDPR, and other activist non-profit organizations are likely to do the same.

NOYB's Complaints to the Austrian Data Protection Authority

NOYB's most recent complaints generally allege that the Companies failed to properly respond to consumers' requests for the data that the Companies had collected about them. The complaints demonstrate that activists are proactively testing companies' response systems and are prepared to file complaints against companies whose responses fall short.

Article 15 of the GDPR grants data subjects a "right of access" to the personal data that has been collected about them, and Recital 63 of the GDPR notes that data subjects must be able to exercise that right easily and at reasonable intervals. Under this framework, a data subject is entitled to a copy of the raw data that a company holds about him or her, together with information about the purposes for which the data is processed, the sources and recipients of the data, how long the data will be stored and, where the data is transferred to a third country, the safeguards that apply to the transfer.

The recent NOYB complaints allege that, when individual users sought to exercise this right by requesting information from the Companies, each Company provided either a deficient response or no response at all. Accordingly, NOYB filed complaints on behalf of the individuals against each Company for several violations of the GDPR. Under Article 83, the violations could carry a maximum fine of €20 million or 4 percent of worldwide annual turnover (whichever is higher), which NOYB estimates translates into a potential combined maximum penalty of €18.8 billion across the 10 complaints. (NOYB January 2019 Complaints.) To date, no fine imposed by a data protection authority has approached the statutory maximum.

NOYB argues that the Companies have engaged in a pattern of structural violations by building automated systems that provide deficient responses to data access requests. Specifically, NOYB alleges that each Company's automated responses violate the GDPR by failing to do one or more of the following in response to a data subject's request:

  • Provide information about the exact purpose for which the data subject's personal data is undergoing processing, as required by Article 15(1)(a).
  • Provide information about the recipients of the data subject's personal data, as required by Article 15(1)(c).
  • Provide information about the envisaged personal data retention period, as required by Article 15(1)(d).
  • Provide information about the data subject's right to request rectification or erasure, the right to restrict the processing of personal data, or the right to object to such processing, as required under Article 15(1)(e).
  • Provide information about the data subject's right to lodge a complaint with a supervisory authority, as required under Article 15(1)(f).
  • Provide information about the sources of the data subject's personal data, as required under Article 15(1)(g).
  • Provide information about appropriate safeguards for transfers of data to third countries, as required under Article 15(2).
  • Provide the data subject with a copy of the raw data, as required under Article 15(3), in the concise, transparent, intelligible and easily accessible form required under Article 12(1).

NOYB asked that the Austrian Data Protection Authority (1) investigate each Company; (2) find that the complainants' rights were violated; (3) compel each Company to fully and correctly respond to the complainants' access requests; and (4) impose an "effective, proportionate and dissuasive fine" on each Company of up to 4 percent of their worldwide revenue. It remains to be seen what actions the Austrian Data Protection Authority will take in response.

The cases could be a bellwether for similar noncompliance claims in other EU states, as well as in other jurisdictions that have adopted statutes with similar data subject request obligations. The 2018 California Consumer Privacy Act, for example, also requires companies to provide consumers with certain information in response to verifiable consumer requests.

NOYB's May 2018 Complaints and CNIL's Action Against Google

In May 2018, shortly after the GDPR took effect, NOYB filed a series of complaints against several large tech firms in a number of European jurisdictions. Shortly thereafter, La Quadrature du Net (LQDN), a French advocacy group that promotes digital rights, filed similar complaints against some of the same companies. (LQDN.) The complaints generally alleged that the large tech companies violated the GDPR by failing to disclose to users how their personal information is collected and processed, by forcing customers either to agree to their privacy terms or to forgo their services, and by not having a valid legal basis to process the personal data of the users of their services (particularly for ads personalization purposes). (NOYB May 2018 Complaints and LQDN Complaints.)

Notably, in response to the complaints NOYB and LQDN filed against Google with the CNIL, the CNIL initiated an investigation. The CNIL's investigation analyzed the browsing pattern of users and the documents that users can access when creating a Google account during the configuration of mobile equipment using the Android operating system. (CNIL Decision.)

On January 21, the CNIL announced that it had fined Google €50 million for failing to disclose to users how their personal information is collected and processed. (CNIL Decision.) The CNIL also found that Google did not properly obtain users' consent for data collection or processing. The CNIL found two violations of the GDPR:

  • Lack of Transparency – Various portions of the GDPR require companies to process personal data in a transparent manner (see Art. 5), provide information to data subjects in a transparent and easily accessible format (see Art. 12), and provide specific information to data subjects when data is collected (see Art. 13). The CNIL found that the information provided by Google to users about its processing activities was not easily accessible for users, nor was it clear and comprehensive because:
    • "Essential information" that should have been provided to users when their data was collected (e.g., the data processing purposes, data retention periods or the categories of personal data used for ad personalization) was disseminated across several documents and accessible only after several steps. (CNIL Decision.)
    • The listed purposes of the processing operations carried out by Google and the categories of data processed for those purposes were "described in a too generic and vague manner." (CNIL Decision.)
    • The information communicated to users "was not clear enough so that the user could understand that the legal basis of processing operations for ads personalization is the consent, and not the legitimate interest of the company." (CNIL Decision.)
  • Invalidly Obtaining User Consent for Ads Personalization – The GDPR requires companies to have a lawful basis for processing personal data (see Art. 6(1)). One such way to meet this obligation is for a company to obtain a data subject's consent to process his or her data (see Art. 6(1)(a)). The CNIL found that the consent that Google obtained from users was not validly obtained because:
    • Users were not "sufficiently informed" about Google's processing activities because the information that Google provided was diluted in several documents and did not effectively enable a user to be aware of the extent of the processing activities and the "plurality of services, websites and applications involved in [Google's] processing operations." (CNIL Decision.)
    • User consent to Google's processing was not "unambiguous" because users have to click on a "more options" button to reach the ads personalization settings, and the ads personalization option is presented there as a pre-ticked box. (CNIL Decision.)
    • User consent was not "specific" because it was not given distinctly for each of the processing purposes pursued by Google (e.g., ads personalization, speech recognition); instead, users were asked to tick boxes agreeing to Google's Terms of Service and Privacy Policy when they set up an account, thereby giving consent in full, for all processing operations at once. (CNIL Decision.)

Other data protection authorities in EU jurisdictions outside of France are still carrying out investigations related to the complaints filed by NOYB and LQDN.

Google has indicated that it will appeal the CNIL fine. The company has informed media outlets that it "worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing." (Bloomberg Law.)

Conclusion

The recent CNIL fine is indicative of the powerful result that can flow from activists' pursuit of alleged GDPR violations. NOYB's most recent string of complaints indicates that it is monitoring companies' compliance with the GDPR and is actively testing consumer-facing compliance frameworks to find weaknesses. These developments highlight the need for companies to respond quickly and completely to consumer requests for information and, in particular, to evaluate how they disseminate information about processing activities and how they obtain user consent.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
