Recent action by the Hamburg authority may present implications for companies regulated by a lead data protection supervisory authority in Europe.

By Fiona Maclean, Tim Wybitul, Joachim Grittmann, Wolf Böhm, Isabelle Brams, and Amy Smyth

A German supervisory authority has initiated an investigation into Google’s speech recognition practices and language assistant technologies, which are integrated into its Google Assistant product. More specifically, the Hamburg supervisory authority opened proceedings with the intention to “prohibit Google from carrying out corresponding evaluations by employees or third parties for a period of three months. This is intended to protect the personal rights of those concerned for the time being.

This blog post analyzes the procedure against Google in Germany, in the context of recent trends elsewhere in Europe to transfer cases to lead authorities, and the impact for other companies regulated by a lead supervisory authority. The proceedings against Google might be resolved amicably, but still raise substantial questions over the powers of supervisory authorities under the cooperation and consistency mechanism of the GDPR.

The closure of four cases involving targeted advertising provides lessons for navigating compliance standards under the GDPR.

By Myria Saarinen and Elise Auvray

Four French advertising technology companies that received a warning in 2018 from the French Data Protection Authority (CNIL) have all implemented the regulator’s required changes. The recent closure of the cases highlights opportunities for businesses at all layers of the adtech value chain to address emerging compliance challenges.

The companies — Fidzup, Teemo, Singlespot, and Vectaury — collect geolocation data for targeted advertising purposes via third-party apps. Initially, the French regulator found that they had failed to obtain an informed, freely given, and specific consent from app users, since:

  • The information provided was insufficient, as it was unclear, used complex terms, and was difficult to access.
  • The consent was not based on an affirmative declaration, as the options were pre-ticked.
  • Users were not asked to consent to the processing of their geolocation data specifically.

European regulators are expected to align their processes and guidance to accommodate the EDPB’s recommended approach to processing special categories of personal data.

By Gail E. Crawford, Frances Stocks Allen, and Mihail Krepchev

In January, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the General Data Protection Regulation (GDPR) and the Clinical Trials Regulation (CTR), which: (1) confirms that consent under the GDPR and CTR are different concepts; and (2) sets out the EDPB’s recommendations on the appropriate legal basis required for processing personal data in connection with clinical trials conducted in the EEA (which is unlikely to be consent).

Practical Takeaways

While the Opinion brings some much-needed certainty to the area of consent and other legal grounds for clinical trials, challenges remain. Outlined below are the key challenges and the steps that sponsors of clinical trials in the EEA (Sponsors) should take when designing their research activities:

Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices.

By Fiona M. Maclean and Jane Bentham

Since our blog on “What a “No Deal” Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event of a “no deal” Brexit:

  • A general note on the various data transfer mechanisms (and exceptions) under the GDPR
  • A specific note on the Information Commissioner’s Office (ICO), the UK regulator, as a Lead Supervisory Authority for Binding Corporate Rules

The UK government has also issued a paper titled “Implications for Business and Trade of a no Deal Exit on 29 March 2019,” including a small section on data transfers. The paper states that the government’s primary aim is to ensure that the UK leaves the EU on 29 March 2019 (the Exit Date) with an agreed and approved Withdrawal Agreement and Political Declaration (the Proposed Deal). Of course it is possible that Brexit may be delayed by extending Article 50 to give the UK more negotiating time with the EU.

EU data protection authorities are imposing increased penalties under the GDPR, with more proceedings forecast for 2019.

By Tim Wybitul, Prof. Dr. Thomas Grützner, Dr. Wolf-Tassilo Böhm, and Dr. Isabelle Brams

The General Data Protection Regulation (GDPR) has been in effect since May 2018. Although the French data protection authority (CNIL) has imposed the highest fine to date — €50 million on 21 January 2019 — German federal data protection authorities have already imposed fines for GDPR infringements in 41 cases nationwide and say that they have “very many” additional fine proceedings in progress. This first wave of fines has come from five German authorities, with 11 authorities having not yet imposed any fines under the GDPR.

Under the former German data protection law, companies faced a maximum penalty of €300,000 for violations. However, the GDPR provides authorities with different disciplinary options and they can now impose fines of up to €20 million or more. The maximum fine may amount to up to 4% of the worldwide annual turnover. Hence, corporates with an annual revenue of more than €500 million may face fines exceeding the €20 million threshold.

Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal.

By Gail E. Crawford and Jane Bentham

“No Deal” Brexit

Unless the UK can agree on a deal with the EU that meets the approval of the majority of the UK Parliament, withdraws its Article 50 notice, or can negotiate with the EU an extension to the 29 March 2019 departure (Exit Date), the UK will leave the EU without a ratified Withdrawal Agreement or an agreed Political Declaration (together, the Deal). The political uncertainties around the different scenarios warrant that businesses prepare for a “No Deal” Brexit in all areas, including in relation to the processing of personal data.

Under a “No Deal” Brexit scenario, the General Data Protection Regulation (GDPR) will form part of UK domestic law as “retained EU law” as a result of the EU (Withdrawal) Act 2018 (EUWA), with certain amendments made to it and also to the Data Protection Act 2018 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 under the (draft) Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Privacy Exit Regulations), which is intended to come into force on the Exit Date. This is collectively being referred to as the “UK GDPR”.

Sponsors outside the European Union conducting clinical trials in the EU should consider current guidelines and the Breyer case to understand whether GDPR requirements will apply to them.

By Gail Crawford and Frances Stocks Allen

Many sponsors of clinical trials believe that companies based outside the EU who sponsor clinical trials conducted in the EU through clinical research organisations (CROs) and/or clinical sites do not themselves need to comply with the General Data Protection Regulation (GDPR). Sponsors believe the GDPR does not apply to them as they do not conduct the research directly but only receive results in key-coded form, and only their CROs and/or clinical sites will have access to the raw data and/or the key that connects the key-coded data to individual patients. However, sponsors need to reconsider this presumption in light of current guidelines and the Breyer case. Similar issues arise in other fields, for example, data and market research, in which only key-coded data is received by the organisation commissioning the research. But following the GDPR and the Breyer decision these organisations may still be subject to the requirements of the GDPR.

Is Key-Coded Data Personal Data?

The GDPR defines “personal data” broadly to include any information relating to an identified or identifiable natural person. For this purpose, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 4(1) GDPR).