On 25 March 2019, the president of the Personal Data Protection Office announced the imposition of the first-ever fine in Poland for failure to comply with the EU’s General Data Protection Regulation. The fine is quite high (about PLN 1 million) and involves noncompliance with the information obligation by a company that harvested personal data—addresses and telephone numbers of individuals operating businesses—from publicly available sources and then processed the data.
We recently wrote about the relation between data protection regulations and freedom of expression in the context of the right to be forgotten. On 14 February 2019, in Buivids (C-345/17), the Court of Justice of the European Union issued another judgment on the impact of the journalism exception to the obligation to apply the former Data Protection Directive (95/46/EC). Even though the judgment was issued under the law prior to entry into force of the General Data Protection Regulation, it may be helpful in understanding the impact of freedom of expression on data protection under the GDPR.
On 10 January 2019 Advocate General Maciej Szpunar at the Court of Justice of the European Union issued an opinion on the right to be forgotten in the Google search engine, in CNIL (C-136/17). The specific issue is whether, if a data subject requests to be forgotten with respect to sensitive data, Google has an absolute duty to remove the person’s data. The case arose in France before the General Data Protection Regulation entered into force on 25 May 2018, but the conclusions stated in the opinion are also relevant to how the right to be forgotten will be interpreted under the GDPR going forward.
Until now, despite countless warnings before entry into force of the EU’s General Data Protection Regulation in May 2018, administrative authorities have not imposed high fines for violation of regulations on processing of personal data. But this situation seems to be changing, at least in France. On 21 January 2019 the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a fine of EUR 50 million on Google LLC. The CNIL found that Google had not processed personal data transparently, providing data subjects inadequate information on processing and personalising ads without the consent of the persons who were shown the ads.
At the end of 2017, we wrote about the possibility of using artificial intelligence in the financial services sector. We pointed out that AI algorithms can be used by the financial industry to automate customer contacts and issue initial credit decisions. The use of algorithms by government bodies seemed to be less important at the time. However, this issue ignited much controversy at the end of 2018 due to a ruling by the Province Administrative Court in Warsaw on the freezing of a bank account under a recently introduced section of the Tax Ordinance, which also introduced the digital clearinghouse STIR into the Polish legal system.
Apart from potentially very high administrative penalties that national data protection authorities may impose on violators of the EU’s General Data Protection Regulation (as has already occurred, for example, in France), under the GDPR any person who has suffered material or non-material damage has the right to obtain compensation from the controller or processor of his personal data for the damage suffered. This is an instrument that has attracted much less attention than administrative sanctions, but it may have very serious financial consequences.