We recently wrote about the first fine for noncompliance with the General Data Protection Regulation imposed by the president of Poland’s Personal Data Protection Office. Data protection authorities in other EU member states are also displaying notable initiative in conducting inspections and imposing fines. A few days ago the Information Commissioner’s Office in the UK imposed a fine of GBP 120,000 on a television production company for failing to provide adequate information to subjects who were filmed and recorded by devices at a healthcare facility, and failing to obtain their consent to film and record them. The case involved occurrences between July and November 2017—before the GDPR entered into force—but may nonetheless prove relevant for interpreting the obligations imposed on data controllers under the GDPR.
On 3 April 2019 the President of Poland signed into law the GDPR Implementation Act (full name: Act Amending Certain Acts to Ensure Application of the General Data Protection Regulation). Among several issues addressed controversially in the GDPR Implementation Act are the requirement to express consent to profiling and the catalogue of types of personal data that may be processed by suppliers of online services. This catalogue is set forth in Art. 18(1) of the Electronic Services Act. The original draft of the GDPR Implementation Act provided for repeal of that section, but during the course of legislative work on the act it was decided to leave the catalogue in place. This solution may conflict with the GDPR.
On 25 March 2019, the president of the Personal Data Protection Office announced the imposition of the first-ever fine in Poland for failure to comply with the EU’s General Data Protection Regulation. The fine is quite high (about PLN 1 million) and involves noncompliance with the information obligation by a company that harvested personal data—addresses and telephone numbers of individuals operating businesses—from publicly available sources and then processed the data.
We recently wrote about the relation between data protection regulations and freedom of expression in the context of the right to be forgotten. On 14 February 2019, in Buivids (C-345/17), the Court of Justice of the European Union issued another judgment on the impact of the journalism exception to the obligation to apply the former Data Protection Directive (95/46/EC). Even though the judgment was issued under the law prior to entry into force of the General Data Protection Regulation, it may be helpful in understanding the impact of freedom of expression on data protection under the GDPR.
On 10 January 2019 Advocate General Maciej Szpunar at the Court of Justice of the European Union issued an opinion on the right to be forgotten in the Google search engine, in CNIL (C-136/17). The specific issue is whether, if a data subject requests to be forgotten with respect to sensitive data, Google has an absolute duty to remove the person’s data. The case arose in France before the General Data Protection Regulation entered into force on 25 May 2018, but the conclusions stated in the opinion are also relevant to how the right to be forgotten will be interpreted under the GDPR going forward.
Until now, despite countless warnings before entry into force of the EU’s General Data Protection Regulation in May 2018, administrative authorities have not imposed high fines for violation of regulations on processing of personal data. But this situation seems to be changing, at least in France. On 21 January 2019 the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a fine of EUR 50 million on Google LLC. The CNIL found that Google had not processed personal data transparently, providing data subjects inadequate information on processing and personalising ads without the consent of the persons who were shown the ads.