Data Protection Authorities as enforcers and educators

Data Protection Authorities’ many roles include education and enforcement, as we saw in Session 3 at PL&B’s 34th Annual International Conference last month.

Luxembourg DPA as Enforcer

The most dramatic example of the enforcement end of the spectrum came when Amazon revealed last week that it had been fined €746 million by Luxembourg’s DPA (p.23). The first time the 16 July decision became widely known was when Amazon itself made the fine public in its quarterly filing to the US Securities and Exchange Commission. (See p.13 in the filing)

As of 3 August, there was no mention of the fine on the website of Luxembourg’s DPA, the CNPD. The reason is that decisions of the National Commission for Data Protection are published anonymously, unless it decides otherwise. Article 52 of the Luxembourg data protection law states that “the CNPD may order, at the expense of the person sanctioned, the full publication or extracts of its decisions ….. provided that: the means of appeal against the decision are exhausted; and the publication is not likely to cause disproportionate prejudice to the parties involved.” As Amazon has declared it will appeal, I expect we will learn little from the CNPD in the short term.

What is known is that the decision is in response to a complaint from Paris-based La Quadrature du Net which took the initiative in 2018 to organise collective action of 10,065 people against Facebook, Google Search, Gmail, Youtube, iOS, Amazon and LinkedIn under Art. 80 of the GDPR. The claim (see p.9) alleges that Amazon processes personal data without a proper legal basis: “the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller.”

An Amazon spokesperson responded with two statements reported on the same day, 30 July:

  1. “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law” (Politico) and
  2. “There has been no data breach, and no customer data has been exposed to any third party,” (Bloomberg) – a surprising statement considering that this was not the point at the heart of the collective action.

Bastien Le Querrec, a member of La Quadrature’s litigation team gave his view: “It’s a first step to see a fine that’s dissuasive, but we need to remain vigilant and see if the decision also includes an injunction to correct the infringing behaviour.”

Italy’s DPA as both Enforcer and Educator

A sharp contrast to the Luxembourg case is a fine on the Italian company, Foodinho, announced by the Garante, Italy’s Data Protection Authority, resulting from a joint investigation with Spain’s DPA, the AEPD, with a full explanation of the rationale for its action and an official English summary.

The order explains several infringements of GPDR provisions. As a result, the Garante ordered several corrective measures and imposed an administrative fine. Foodinho uses Artificial Intelligence to monitor the performance of riders who deliver food. The explanation covers:

  1. information provided by Foodinho to riders
  2. information regarding storage periods
  3. configuration of the systems relied upon by the company
  4. security measures in place
  5. the need for a Data Protection Impact Assessment
  6. automated processing, including profiling
  7. timing of the communication of the DPO’s contact details to the Garante
  8. records of processing activities
  9. lawfulness of the processing
  10. how the riders’ personal data were processed by the company as part of the relevant employer-employee relations in breach of the applicable employment laws regulating remote surveillance of employees, as well as of the provisions protecting labour on digital platforms, and partly in the light of the relevant Italian case law.

The Garante then listed several corrective actions, with their legal basis in the GDPR, which the company must perform under each of the above headings. Some were to be expected, such as requiring data minimisation and the need to state storage periods.

But one area stands out, as it deals with the Artificial Intelligence aspects. It states that the company must adopt suitable measures to regularly check fairness and accuracy of the results of algorithmic systems. This is to ensure that the risk of errors is minimised and also to comply with the prohibition against discrimination in access to and exclusion from the platform.

In short, the Garante provides a very helpful rationale for the fine, and a guide to other organisations on what to do and what to avoid.

British Columbia’s DPA as Educator and Innovator

British Columbia’s Information and Privacy Commissioner (IPC) has shown its role as both educator and innovator in its pioneering work in Canada in applying its private sector privacy law to the legal sale of recreational cannabis across the province (p.19). The IPC prepared by publishing its guidance, in non-technical language, to retailers and consumers on the day before the new law entered into force. It has followed up by researching how retailers are working with the guidance, and it will soon publish a revised version. The guidance refers to related law and rules published by the licensing authority, so retailers can understand how they should collect and process personal information with the prospect of enforcement by other agencies.

The British Columbia Information and Privacy Commissioner has taken the lead in Canada. It also provides inspiration to other countries that are in the process of relaxing their laws on the sale of recreational cannabis and working out how to best apply national privacy laws to the sale of a controversial product, now symbolic of an ongoing cultural shift.


Stewart Dresner, Publisher


International Report 172

Lead stories:

The meaning of ‘adequacy’: Implications of the draft Korea decision

Graham Greenleaf analyses what the EU is effectively looking for – it appears that the absence of some of the GDPR elements does not stand in the way of a positive finding.

EU Commission works to promote free and safe flows

The EU will use all of the GDPR tools. The expectation is that existing adequacy decisions are reviewed by the end of the year, while new ones are being negotiated. By Laura Linkomies.

Click for full contents list