DPA regulatory and consumer collective action are complementary incentives to encourage privacy law compliance

PL&B International and UK Reports have covered collective action cases for several years, but now the pace is speeding up.

Looking ahead to 2022, I expect that an issue of growing importance for companies’ risk assessments will be the need to pay attention to Data Protection Authorities (DPAs) taking regulatory action against companies to fix privacy problems, and also the growing trend of consumer groups taking collective action to assert their rights against companies via the courts.

Since national Data Protection Authorities were first established, in Sweden in 1973, individuals have looked to the regulators to defend individuals’ rights. National DPAs have often acted cautiously, wanting to be seen to be balanced, proportionate, dissuasive and realistic in their sanctions. Some companies are willing to amend their policies and practices in response to DPA scrutiny, because it is the right thing to do and as a damage limitation practice to protect their reputation. Others have resisted if they considered their profitability at risk. DPA guidance is not law and there are often grey areas on which to build a case.

An example of effective regulatory action is in the Netherlands where the DPA conducted an investigation and imposed a fine of €750,000 on TikTok for violating the privacy of young children. The DPA stated that Tik Tok should have provided its privacy statement in Dutch and that the company failed to provide an adequate explanation of how the app collects, processes and uses personal data. As a result, the company made several changes to make its app safer for children. Although the DPA’s file has now been transferred to Ireland, as the new location of the country’s European headquarters, TikTok’s management should also expect consumers to exercise their private rights of action in the Netherlands. Current privacy related collective action court cases in the Netherlands include those against Oracle and Salesforce.

The EU Collective Redress Directive, scheduled for implementation at the end of 2022, aims to create a pan-European system of class actions for any breach of European law.

In the UK, the negative result of the Supreme Court Lloyd v. Google case from the perspective of the litigation funders, means that this type of investor is now looking for strategic opportunities for working with consumer organisations in other countries. The legal environment to pursue class actions in the Netherlands is particularly favourable.

Consumer organisations have no doubt gained confidence from the 2 December non-binding Opinion of the Court of Justice of the European Union’s (CJEU) Advocate General. He declared that consumer protection associations may bring collective claims without a mandate for violations of the GDPR. In addition, they may rely on national consumer law provisions even if the claim is made under the GDPR. As this case arises from a claim by a German consumer association against Facebook, this decision, if confirmed by the CJEU, will have an impact across the European Economic Area. Consumer collective actions are not an established feature of the privacy law ecosystem, so there remains plenty of scope for DPA regulatory action.

DPA regulatory action

In France, the CNIL imposed a fine of €400,000 on Monsanto. The legal arguments centred on who was the controller and the processor in a case about a file collected to identify influential lobbyists. The legal arguments deployed would be relevant to any company.

There have been cases this week in which DPAs have exercised their powers to change company policies and practices.

In Canada, Michael McEvoy, Information and Privacy Commissioner, British Columbia, on 14 December, imposed a legally binding order (subject to judicial review) on Clearview, the New-York based facial recognition technology company, to stop its scraping of facial images from the Internet without permission. They must now comply with recommendations resulting from an investigation report by the federal Privacy Commissioner of Canada, and the provincial DPAs in Québec, British Columbia, and Alberta.

The report found Clearview violated federal and provincial privacy laws in the way it utilized the collection, use and disclosure of images and biometric facial arrays collected from individuals in British Columbia without their consent. Not all DPAs in Canada have the same powers but the Alberta and Quebec DPAs do have similar order-making powers.

On 16 December, the CNIL, France’s DPA, took similar action to Canada’s DPAs and ordered Clearview to take several steps including to stop processing personal data because of two breaches of the GDPR: collection and use of biometric data without a legal basis, and failure to give individuals access to their data.

In Norway, on 13 December, the Datatilsynet (DPA), imposed its highest ever fine against US-based Grindr LLC of 65 million Norwegian Kroner (approximately €6.5 million) for not complying with the GDPR rules on consent. Grindr is a location-based social networking app marketed towards LGBTQ+ people. It unlawfully shared personal data with third parties for marketing purposes, including GPS location, IP address, advertising ID, age, gender and the fact that the user in question was on Grindr. Users could be identified through the data shared, and the recipients could potentially further share the data.

The Datatilsynet concluded that consent was the applicable legal basis in this case, but that the purported consents Grindr collected for sharing personal data with advertising partners were not valid. However, the fine was reduced by around a third due to the changes Grindr has made aiming to remedy the deficiencies in the company’s previous consent management platform. The Datatilsynet produced a detailed rationale for its fine in a 68-page document.

Norway exerts a powerful influence in the consumer privacy world, (PL&B International Report October 2018 p.1) partly due to the research of the Norwegian Consumer Council which did much to shine a light on dark design patterns in its research published in 2018 (PL&B International Report December 2018 p.16). The leader of this research, Finn Myrstad, gave evidence to a US Federal Trade Commission hearing earlier this year.

Dark design patterns will also be the subject of Privacy Laws & Business’s first webinar in 2022, on 3rd February, sponsored by Meta (formerly known as Facebook) - an indication that the company is now doing more to engage with its critics.

All of us at Privacy Laws & Business wish you a joyful holiday season and we look forward to meeting you in person next year, including at Winds of Change, our 35th Anniversary International Conference 4-6 July 2022 at St. John’s College, Cambridge.

Best regards,

Stewart Dresner, Publisher


International Report 174

Lead stories:

Germany’s coalition agreement in the digitalisation era

Katharina A. Weimer of Fieldfisher reports on the coalition government’s proposed legislative changes in Germany, including possible changes to the protection of employees’ personal data.

Australia’s Online Privacy Bill targets social media giants

Australia plans higher standards for online organisations under the Privacy Act. Graham Greenleaf and Katharine Kemp argue that comprehensive reform remains elusive.

Click for full contents list