Breach of cookie rules leads to €100 million and €35 million fines

CNIL, the French data protection authority, is very actively handing out fines in impressive amounts. It has imposed two fines on Google for violating the cookie rules, €100 million in total, and it has fined Amazon €35 million.

Both cases have the same background:

  • Google.fr and Amazon.fr placed advertising cookies on users' computers without prior consent, and
  • neither of them informed the users, so the transparency rules of Art. 13 GDPR were violated.

The press release on Google (in English) is here.

The press release on Amazon (in English) is here.

Practical tips:

  • Do not wait until the authority knocks on your door; get it right beforehand.
  • As data privacy, and especially the area of cookies, consent to cookies and transparency, is a quickly developing landscape, check the lawfulness of your solution at least once every month or two.
  • In the light of the Schrems II decision by the European Court of Justice, it is getting tricky if you use cookies from an origin outside the European Union or the European Economic Area.
    • If the information collected by the cookie is sent to a location in the EU or EEA and is not forwarded to a country outside the EU and EEA, you should be fine without a safeguard for international data transfer.
    • If the information collected by the cookie is sent to a location in the EU or EEA and then forwarded to a country outside the EU and EEA, you will need a safeguard in the light of the Schrems II judgement.
    • If the information collected by the cookie is sent directly to a location outside the EU or EEA, you will need to decide whether a safeguard for international data transfer is needed, or whether the provider of that cookie is directly subject to the GDPR under Art. 3 section 2 GDPR, in which case a safeguard for international data transfer might not be needed, especially if the website is hosted outside the EU or EEA.
  • If you provide a website from outside the EU or EEA and use cookies, and one of the criteria of Art. 3 section 2 GDPR applies to you, then the GDPR applies to you in total for the actions covered by Art. 3 section 2 GDPR.
    • You will need to implement the GDPR for these actions.
    • Depending on the legal, technical and organizational solution, you may or may not need to provide a safeguard for international data transfer.

Contact me if you need help with this; see the imprint at the bottom of this page for contact details.

Machine Translation for all 24 official European Union languages

https://presidencymt.eu/#/

At this URL you can find a machine translation service open to the public. It translates text, text files and websites, and is available for the official languages of the European Union (24 languages, including English despite Brexit).

This is relevant for Switzerland, as German, French and Italian are included, but – unfortunately – no other official Swiss languages. It would be excellent if the EU could include those languages, too.

The underlying AI technology is a combination of different European providers of such technology. Expect high-quality results.

35 Million Euro fine for H&M fashion company in Germany

A group of employees was questioned, e.g. after coming back from holiday or sick leave, for details: personal details, religious beliefs, family problems, etc. These details were stored on a file server; over the years, 60 GB of data was collected on centralized servers and other information storages. The data was accessible to about 50 people in management and, for some hours, to all employees in the company; profiles were built, together with observations on the efficiency of the workers. All together, it had an impact on the employees' advancement and on the employee-employer relationship.

After it came to light, the company froze the data and cooperated with the authority. The company – without being pushed by authorities or employees – offered EUR 2,500 per affected employee as compensation. Some employees saw this critically, as some of the managers who had collected the data were also offered this compensation, and they terminated their employment with the company.

Take-aways:
(a) Data privacy violations can lead to hefty fines,
(b) employees leave,
(c) freely giving compensation and cooperating with authorities lower the fine.

The press release of the data protection authority (in German) is here.

There is an initiative which has asked the authority in Hamburg to disclose the full text, with all details, of the fine notice; see here.

It seems that DLA Piper is representing H&M; see here.

Standard Contractual Clauses (SCC) are no longer a valid transfer mechanism according to the Irish data privacy authority

The Wall Street Journal reported on September 9th, 2020 on a preliminary order by the Irish data privacy authority (Data Protection Commission, DPC) towards Facebook (FB), quoting Nick Clegg, Facebook's top policy and communications executive, as saying that the regulator has informed Facebook that it cannot use Standard Contractual Clauses (SCC) for transferring personal data from the EU to the USA.

This bold statement is something we all should take seriously. It means that SCC without supplementary measures can't be used for transfers between the EU and the US.

It does not mean that SCC with supplementary measures can't be used. The Court of Justice of the European Union (CJEU), in its ruling on Privacy Shield (the so-called Schrems II judgement), has clearly stated that SCC are still a valid transfer mechanism and has indicated that supplementary measures might have to be taken.

To do:

  • Immediately start investigating where you have SCC in place and check the countries of the data importer and all sub-processors
  • Contact the data importer and task it with investigating its local law, as indicated by the CJEU in the Schrems II judgement
  • Look for supplementary measures – see the article below for some ideas – and get them in place if needed due to local law in the jurisdiction of your data importer or its sub-processors.

Accountability Framework by ICO

The UK ICO has published a “beta” accountability framework, which is an excellent and broad starting point for checking your GDPR implementation!

You might use it to:

  • check your GDPR implementation, either in total or with regard to certain aspects
  • demonstrate compliance towards business partners or authorities
  • use it as a kind of checklist

ICO has some more ideas on what the framework can be used for.

The framework has 10 chapters:

  • Leadership and oversight
  • Policies and procedures
  • Training and awareness
  • Individual rights
  • Transparency
  • Records of processing and lawful basis
  • Contracts and data sharing
  • Risks and Data Protection Impact Assessment (DPIA)
  • Records management and security
  • Breach response and monitoring

Each chapter has several sub-chapters, which are short, precise and mostly in the form of bullet lists, with three questions at the end to check yourself.

For example, in the transparency sub-chapter “Tools supporting transparency and control” the questions are:

  • “Would the public say that your policies are clear, easy to find and access?
  • Do they feel appropriately supported in accessing, determining and managing how their data is used?
  • Would children say the same?”

Now let's think about the last three transparency documents you have written or read, the privacy policies or cookie banners of some websites. Do they hold up to these questions? I'd say no, and they don't offer tools to manage the user's personal data at all, especially after the user has clicked away the big cookie banner overlay window.

ICO says it is “beta” and open to comment. Yes, it is indeed, but it is already very far-reaching and good. It does not mean that you do not need to think for yourself about your actual situation, but it is already a very powerful collection of topics to watch for.

Websites collecting laws, directives and regulations

There are two websites I use regularly to search for laws in Germany and in the EU, which I can highly recommend:

German law: https://www.buzer.de
This is in German only, but it is the best source I know of: a very quick search engine, the historical development per paragraph, and so on. Very helpful.

If you need English wording: http://www.gesetze-im-internet.de
Where there is a translation into English (by far not for all laws), there is a UK flag in one of the top rows to switch to the English wording of the respective law. The menus and everything else stay in German.

EU law: https://lexparency.org
Functionality similar to buzer, but dedicated to EU law. Very helpful, too.

If you need other languages, there is always a link to EUR-Lex, the official EU website, directly to the directive or regulation, where you can choose whichever EU language you might need.

Supplementary measures to Standard Contractual Clauses proposed by supervisory authority

The supervisory authority of Baden-Wuerttemberg, Germany has published a guideline with examples of supplementary measures to add to Standard Contractual Clauses (SCC). This applies to all data transfers from a country in the European Union (EU) or European Economic Area (EEA) to a country outside the EU / EEA – a so-called third country – and is not limited to transfers to the USA. For example, it also applies to the transfer of personal data from the EU to the UK.

Requirements for using SCC for the transfer of personal data to the USA and countries with similar laws:

  • Encryption
    • only the data exporter in the EU shall have the key, and
    • encryption in a way which can't be broken by US authorities, or
  • Anonymization or pseudonymization, where only the data exporter in the EU can link the data to an individual.
  • Additionally, you might add clauses to your contract that
    • data shall only be hosted where the GDPR applies (see Art. 3 section 2 GDPR; this can be more than the EU and EEA, but essentially they are saying: keep it in the EU / EEA), and
    • that there is no data transfer to the USA.

USA and SCC: the authority is of the opinion that SCC can only be used for transfers to the US in rare cases, due to the criteria set by the Court of Justice of the European Union (CJEU).

The same will apply to the export of personal data to all other countries in the world where individuals do not have rights similar to those in the EU with regard to data privacy or – probably easier to test – which have laws for authorities in place similar to those of the US.

They propose to use additional wording in the SCC as follows:

  • Clause 4.(f): change this clause so that it applies to all data transfers, not only to special categories of personal data
  • Clause 5.(d).(i): change this clause in a way which obligates the data importer to inform not only the data exporter but also the individual about any actions by authorities to disclose personal data; if this is prohibited by law, the data exporter shall get in contact with its supervisory authority.
    • Comment: this must be interpreted as meaning that the data importer needs to contact the supervisory authority of the data exporter in such a case, as the data importer is normally legally prohibited from informing the data exporter. It would need to be investigated whether the data importer (in a country outside the EU) is allowed to inform a supervisory authority in the EU, and therefore in another country – which is doubtful.
  • Clause 5.(d): add wording to that clause that the data importer will challenge any request by authorities to access personal data, not granting access to such data until a last-instance court decision.
  • Clause 7.(1): delete subsection (a) and keep only subsection (b).
  • Always include the liability clause given in Appendix 2 of the SCC.

Art. 49 GDPR
One of the possible solutions is to use the safeguards in Art. 49 GDPR. The authority says that these can only be used in limited cases. It is an exception clause and can only be used for occasional transfers (see recital 111 GDPR). Art. 49 section 1 sentence 2 GDPR is even narrower than Art. 49 section 1 sentence 1 a) to g) GDPR.
Essentially, they are saying: do not base your regular data transfers to a third country on Art. 49 GDPR; only use it for occasional data transfers.

Comment: That's a very interesting statement by the authority. One could also read recital 111 sentence 1 GDPR, where it says “where the transfer is occasional and necessary in relation to a contract or a legal claim …”, as separate from the beginning of that same sentence, which deals with consent. Therefore Art. 49.(1).(a) GDPR, dealing with consent, is not affected by “occasional” and can be used. The words “occasional and necessary” in recital 111 GDPR only apply to Art. 49.(1).(b), (c) and (e) GDPR.

That Art. 49.(1) sentence 2 GDPR is limited follows from its wording, e.g. “Where a transfer could not be based on …” and “… not repetitive, concerns only a limited number of data subjects …”.

BCR
The supervisory authority only mentions BCR in a sub-clause, but indicates that they can be used instead of other transfer safeguards. They do not (!) say that BCR have the same issues as SCC. Most data privacy experts in Germany think that the wording of the CJEU's Schrems II ruling is quite clear where it says that contracts can't override national law. This is also valid for internal codes of conduct like BCR, and therefore it seems that BCR need to be adapted in the same way as SCC.

What to do in case an authority asks for personal data?

The data protection authority of Baden-Wuerttemberg has published a guideline on actions after the Schrems II CJEU ruling (in German here). It gives practical tips on which supplementary measures are to be taken.

Law enforcement, secret services and other authorities
First topic in the guideline: the exceptions for administrative authorities (e.g. law enforcement, intelligence services) in Art. 2 section 2 GDPR only apply to authorities of member states of the European Union.

Further insight
Recital 115 GDPR and Art. 48 GDPR cover this topic. In essence, they say that any extraterritorial action by a judgment of a court or tribunal, or by an authority of a third country (a country outside the European Union), is not directly applicable and is therefore primarily blocked. Transferring personal data to such an authority is only possible under the rules of the GDPR; therefore Art. 44 to Art. 50 GDPR apply. Recital 115 sentence 5 states that a transfer may take place “… where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.”

Therefore: if the controller is located in the European Union and the processor is in the USA, and US authorities try to access, based on US law, personal data processed on behalf of the controller in the EU, recital 115 sentence 5 gives us an additional test of whether a transfer of that personal data to the US authorities might be lawful.
This also applies to authorities of all other countries outside the European Union.

But it nevertheless needs a manual test and decision. There is no automatism in the case of extraterritorial reach of a law of a third country for transferring personal data from the EU to that third country.

Additionally, Art. 48 GDPR applies and says nothing different. Under this article, a transfer of personal data required by a court judgment, a tribunal decision or an authority decision may only take place if it is recognized or enforceable under an international treaty, like an international mutual assistance treaty between the respective state and the European Union or the respective member state of the EU. Nevertheless, the transfer might also be based on other legal grounds to be found in Art. 44 to Art. 50 GDPR.

Exceptions
As the data protection authority lays out, exceptions only apply to authorities of member states of the EU, and only if covered by Art. 2 section 2.(a) / (b) / (d) GDPR.

Consequences
In case an authority is asking for personal data, perform the following test:
(1) Am I processor or controller?
If I am processor:
– Am I obligated to inform the controller by contract?
In many cases the answer will be yes.
– Am I allowed to inform the controller by applicable law?
In many cases the answer to this will be “no”.

Act accordingly and, if obligated, support the controller in its actions against the transfer of personal data.

– Which risks do I face by violating the law and not complying with the request?
This shall not lead to any violation of any applicable law, but it does give arguments within your organization and towards a controller. Risks can include penalties, loss of reputation and imprisonment of acting persons or managers, but are not limited to these.

There are many conflicting laws where a state likes to impose extraterritorial jurisdiction which is blocked by the laws of the other country. At the moment there is no easy solution to this. It is a case-by-case decision.


(2) Is this from an authority of a member state of the EU?
If yes: test the request against Art. 2 section 2 GDPR. If it is allowed under these rules, act accordingly.
If no: push back and check according to recital 115 sentence 5 and (!) Art. 48 GDPR. Do not transfer personal data before all other steps are fulfilled.

(3) Check the legal situation in the receiving country in accordance with the Schrems II ruling by the CJEU.

Keep the result as an argument in the discussion. The decision is not determined by this result; it is one additional tessera in the mosaic.

Open discussion at the moment: what to do if transfer to the authority in the requesting country is not possible in the light of the Schrems II ruling.

Checks:
– If covered by a mutual assistance treaty, Art. 48 GDPR allows such a transfer.
– If there is no such mutual assistance treaty, check for other international treaties which cover the situation.
– If there are no such treaties: can you establish legal grounds under Art. 44 to Art. 50 GDPR?
– Is recital 115 sentence 5 in your specific case an argument?

Practical tip here: get in contact with your supervisory authority and discuss.

Privacy Shield invalid (Schrems II)

The CJEU has decided today that the adequacy decision by the EU on Privacy Shield is invalid. Consequently, all transfers of personal data from a country of the European Union to the USA based on Privacy Shield need to be stopped immediately until the legal basis is replaced by a valid mechanism.

The CJEU also said that EU Standard Contractual Clauses (SCC) are fine to use, on the condition (!) that the parties to such clauses investigate, prior to any transfer of personal data, whether the country of the data importer respects the level of data protection given in the SCC; the recipient needs to inform the data exporter of any inability to comply with that level of data protection, and the data exporter needs to terminate any transfer of personal data in such a case.

Practical consequences:
(a) Each company which transfers personal data from a country in the European Union or European Economic Area to the USA has to investigate whether one or more transfers are based on Privacy Shield and needs to replace this mechanism immediately by another – valid – mechanism. As long as this is not done, any transfer based on Privacy Shield needs to be stopped.
(b) Replacing Privacy Shield with EU Standard Contractual Clauses is not straightforward. It needs careful consideration of the actual legal situation of those countries to which the personal data shall be transferred based on EU Standard Contractual Clauses.
(c) As the legal situation evolves, especially in the area of data privacy, regular checks of the situation are necessary. More obligations to regularly check the legal situation of data importers are to be imposed and followed up. This will drive costs up.
(d) The data exporter and the controller need to stop any transfer of personal data immediately if one of the countries to which the personal data shall be transferred might force the data importer (or recipient) to comply with applicable law in a way contrary to the EU Standard Contractual Clauses. Otherwise, fines by competent authorities will follow. And it is foreseeable that they will be hefty.
(e) As the CJEU has ruled that Privacy Shield is not sufficient as a legal basis for transfers to the USA, it is highly questionable whether EU Standard Contractual Clauses will be able to provide a legal basis for the transfer of personal data to the USA.
And that's the real issue behind this decision. It might be that we find out that all mechanisms we have at hand in the GDPR can't ensure a similar level of data protection in the USA, given the legal situation there. We are spectators of a clash of data protection philosophies (or regimes), started by a single person and decided on by the CJEU, while EU lawmakers have seen this coming and have not built respective rules into the GDPR. It is therefore also their task to find solutions.

CJEU press release: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf

CJEU full text: http://curia.europa.eu/juris/document/document.jsf;jsessionid=D8417FCDEE79D6B677A3348C84CAABB6?text=&docid=228677&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=9795676