Greetings from Brussels!
If you thought it was going to be a quiet summer in the world of privacy, think again. There were some significant enforcement fines handed down recently which may have surprised many in the field. Clearly the regulatory community remains hard at work despite the seasonal summer distractions.
Unless you’ve been on intergalactic travel, you will have heard that the Luxembourg data protection authority, the CNPD, imposed a record-breaking fine of 746 million euros on Amazon Europe for alleged violations of the GDPR. Specifically, the fine relates to Amazon’s use of customer data for targeted advertising purposes. To be fair, this case has some cross-border history. The sanction finds its origins in a 2018 complaint by French privacy rights group La Quadrature du Net, initially filed with France's DPA, the CNIL. Owing to the cooperation mechanisms provided by EU data protection law, the CNPD served as the lead authority on the investigation. The CNIL in turn worked closely with the CNPD throughout the procedure, assisting with checks and analysis of the evidence obtained, and during examination of the draft decision under the one-stop shop procedure.
Interestingly, the CNPD’s decision is not publicly available, nor has there been a press release. The CNIL did release a statement reminding us they also imposed a first sanction against Amazon Europe for noncompliance with cookie legislation in December of 2020 to the more modest tune of 35 million euros.
Amazon strongly disputed the Luxembourg decision and intends to vigorously contest and appeal the sanction, citing “subjective and untested interpretations of EU privacy law” as the basis of the regulatory decision. We don’t know much more at this stage as the decision is closed to public scrutiny: Neither party has disclosed details of the enforcement action. Why? In short, Luxembourg’s professional secrecy laws prevent public disclosure until an appeal process has been exhausted. One is reminded of other GDPR fines across the EU that were slashed on appeal. The lesson learned here is that regulators need watertight cases as well as a sound legal basis and interpretation to see fines through to actualization.
In other recent news, the Netherlands' DPA issued a fine of 750,000 euros against TikTok for failing to abide by the GDPR’s transparency obligations towards data subjects: more specifically, for violating the privacy of young children. In this instance, the company is accused of failing to provide a privacy statement in Dutch for its younger users in the Netherlands. The Dutch DPA said in a July statement that by not offering their privacy statement, in full and in Dutch, “TikTok failed to provide an adequate explanation of how apps collect, process, and use personal data” for younger children to readily and easily understand. For the record, the social media service has 3.5 million users in the Netherlands, presumably the majority of whom are of tender age. TikTok lodged an objection to the fine.
The Dutch DPA further added that a detailed investigation commenced prior to TikTok establishing a European HQ in Ireland. The concluding investigation was limited to the company’s privacy notice only as it impacted the Dutch territory and the violation had ended. The DPA has now transferred several elements of its investigatory findings to its regulatory counterparts at the Data Protection Commission in Ireland to finish the investigation and issue a final ruling on other possible privacy violations. It seems there may well be more regulatory work to be done here.
It’s a busy time for regulators and tech firms in particular — lots of complex legal wrangling ahead.