The GDPR Two Years On

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR)¹ came into effect, replacing the EU’s 1995 Data Protection Directive.² With the aim of modernizing and harmonizing the patchwork of laws across the European Union, the GDPR strengthened the protection afforded to data that identify individuals under the Data Protection Directive and clarified a number of key principles. Most notably, the GDPR extended the territorial reach of European data privacy law to organizations outside of the EU. For the first time, numerous U.S. companies would be directly subject to European data privacy law and therefore obliged to comply. In addition, the GDPR introduced tough new penalties, threatening organizations with fines of up to €20 million or 4 percent of global revenues for the most serious breaches. This led companies across Europe and the world to focus on bringing themselves into compliance and to build new processes and functions to respond to greater regulatory responsibilities, coupled with an increased awareness among data subjects of their rights under the GDPR.

In its first progress report, published two years after the GDPR took effect,³ the European Commission in June 2020 highlighted a number of improvements brought about by the GDPR, including a level playing field for businesses across Europe, a greater awareness of citizens’ rights, and the GDPR’s flexibility to adapt to new technology. The Report concluded that “the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU.”⁴

This article addresses some of the most significant compliance issues under the GDPR and how these have evolved since the GDPR came into effect, some of the most notable cases applying the GDPR, and practical points that U.S. companies should consider.

The Importance of Consent

The GDPR states that personal data may not be “processed,” such as collecting, storing, and transmitting personal data, unless at least one of six legal bases is met.⁵ One of those legal bases is whether the “data subject,” or individual, “has given consent.”⁶ Consent has drawn a lot of attention over the last couple of years as it was previously a commonly used mechanism to enable the processing of personal data. Obtaining consent under the GDPR is now more challenging in practice due to stricter conditions than those set out in the Data Protection Directive.⁷ The “controller,” which is the entity or organization that decides the purpose and means of processing personal data,⁸ is responsible for compliance with the requirement to ensure personal data are legally processed, along with the other principles relating to the processing of personal data described in Article 5 of the GDPR (and other requirements of the GDPR).

“[C]onsent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment,” according to the European Data Protection Board (EDPB), an independent body, consisting of representatives from each EU country, whose purpose is to ensure the GDPR’s consistent application across Europe.⁹ This is important not least because of the increasing prominence of consent for particular processing activities in the digital age, such as in the areas of new technologies and cookies.

Since the GDPR came into effect, the objective of increased transparency has been strongly emphasized in various guidelines published by European data protection authorities and the EDPB. A prerequisite to obtaining valid consent is that the data subject must be informed about the processing for which consent is being obtained.¹⁰ According to Article 4(11) of the GDPR, the controller must be able to demonstrate that consent of the data subject was freely given, specific, and informed and an unambiguous indication of the wishes of the data subject, in which the data subject, either by a statement or by a clear affirmative action, signifies agreement to his or her personal data being processed. If there is insufficient transparency, the data subject’s consent will not be deemed valid.

The link between transparency and consent has been a pivotal issue in the much noted and discussed ruling by the French data protection authority—Commission Nationale de l’Informatique et des Libertés (CNIL)—against Google LLC.¹¹ In June 2020, France’s highest administrative court, the Conseil d’État, confirmed the ruling.¹² The ruling sanctioned Google with a €50 million fine for failure to comply with the GDPR requirements on transparency, adequate information, and valid consent for ad personalization. As of this article’s publication, this is the largest European fine confirmed as final and not subject to appeal.

In this important ruling, the CNIL referred to Articles 12 and 13 of the GDPR.¹³ These articles require the controller to take appropriate measures to provide specific information to data subjects about the controller’s processing activities “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”¹⁴ The specific information required to be provided is listed in Article 13 of the GDPR and includes the identity of the controller, the purposes of the processing, the legal basis for the processing, the recipients of the personal data, and other information necessary to ensure fair and transparent processing. The CNIL made it clear that the information provided by the controller to data subjects must put individuals in a position to determine in advance the scope and consequences of the processing so that their data are not used in ways that they are not expecting.¹⁵ The CNIL determined that, when providing information to data subjects using a layered approach—such as giving a short initial notice containing key information and then including links to additional layers of information covering more detail—the most relevant information (including the scope and extent of purposes of the data processing) must be provided in the very first layer.¹⁶

A related and important issue arising in the context of online advertising was noted by the Conseil d’État. It found that in order to obtain a valid consent for personalized ads, Articles 4(11), 6, and 7 of the GDPR—articles covering the definition of consent, the lawful bases of processing, and the conditions for consent, respectively—prohibit collection of the data subject’s consent by way of a pre-checked checkbox.¹⁷ It also noted that for the consent to be deemed valid the data subject must be provided with all adequate and sufficient information, and that the main information must be made available to the data subject up front, in the first layer of information.¹⁸ Furthermore, the Conseil d’État found it improper to seek consent as part of the overall acceptance of general terms and conditions for using a service because the request for consent is not clearly distinguished from the overall acceptance of the general terms and conditions, as required by Article 7(2) of the GDPR.¹⁹

When the GDPR came into effect, one of the initial challenges to assessing whether consent was valid arose because certain processing activities fell under both the GDPR and the Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications (ePrivacy Directive)—a 2002 EU directive on data protection and privacy in the digital age. However, in October 2019, the Court of Justice for the European Union (CJEU)—the European Union’s highest court—handed down an important decision concerning how consent to process personal data and use cookies may be obtained on the internet.²⁰ The CJEU ruled that consent is invalid under the ePrivacy Directive if it is given by means of opt-out boxes that users must uncheck in order to refuse consent.²¹ The CJEU also pointed out that user consent, as required by the ePrivacy Directive, should be interpreted and read in conjunction with the definition of consent in the GDPR,²² which also means that active consent from the user is required.²³ In addition, the CJEU ruled that the aforementioned interpretation of consent should be applied regardless of whether or not the data being stored or accessed from a user’s equipment are personal data.²⁴

This ruling had a significant impact on the use of cookies by companies, and their marketing strategies had to be revised. The CNIL in France has worked with several marketing and advertising firms to find solutions to standardize the vocabulary in cookie banners. Also, the UK data protection authority, the Information Commissioner’s Office, has made clear that it will take a risk-based approach to the requirement of GDPR-level consent for cookies under its enforcement policy.²⁵ Businesses should therefore take particular care in obtaining consent for privacy-intrusive cookies such as those used for behavioral advertising or sensitive personal data collection.

From a practical perspective, the implications of both the aforementioned judgments as well as guidance published by European data protection authorities for controllers are as follows:

• It is critical that controllers assess their level of transparency from the standpoint of complying with data subjects’ needs, rather than from the perspective of how well it serves the controller’s business;
• Data privacy statements should be reviewed regularly to ensure that they provide the level of transparency now expected by data protection authorities and data subjects;
• Controllers should carefully assess all of the legal bases described in Article 6 of the GDPR that could be available to ensure that consent is the most appropriate basis for processing and check that the basis on which a controller has been processing personal data in previous years is still accurate, as sometimes this may have changed. Moving from one basis to another presents challenges that are beyond the scope of this article;
• If consent is considered the most appropriate basis for processing, then the entire mechanism for obtaining consent, including the information provided to data subjects through layered notices and policies, must be properly reviewed; and
• For accountability purposes, controllers should ensure that they adequately record what consents have been provided and to what processing activities and purposes they relate.

The Evolving Concept of Accountability

While largely building on existing principles, the GDPR introduced a new concept of “accountability”—the principle that the controller “shall be responsible for, and able to show compliance with,” the GDPR’s subject matter and objectives.²⁶ This principle requires that, if requested, organizations can demonstrate the steps they took to comply with the GDPR and the effectiveness of those steps. The GDPR therefore requires organizations to not only take responsibility for everything they do with personal data but also actually document how they comply with all obligations enshrined in the GDPR.

In its Report, the EC commended the GDPR, saying that “The GDPR … ensures that all those that handle personal data under its scope of application are more accountable and responsible.”²⁷ Unfortunately, the GDPR does not further specify which measures are necessary to fulfill the accountability requirement. In the course of assessing and then implementing the relevant measures to ensure that GDPR requirements are met, organizations have often interpreted accountability to mean technical and organizational measures, which are already required under the GDPR, including specific measures such as keeping a register of processing activities, making data protection impact assessments, and providing data protection notices. However, as a result of published guidance by European data protection authorities, it has become clear that more documentation is needed than originally thought when companies were initially preparing for the GDPR.

For larger organizations, a new best practice has emerged: adoption of an overall data protection management framework, embedding processes that ensure systematic and demonstrable compliance across the entire organization. Typical measures include:

• Robust program controls relating to the material obligations under the GDPR;
• Mapping of the organization’s processing operations— and maintenance of an inventory of them—that is regularly reviewed;
• Bespoke allocation of data protection responsibilities and implementation of reporting structures;
• Appointment of a Data Protection Officer²⁸ when processing is carried out by a public authority or body, the core activities of a controller or processor involve regular and systematic monitoring of data subjects on a large scale, or there is processing on a large scale of special categories of personal data²⁹ or personal data relating to criminal convictions;
• Written documentation of internal checks and assessments, including appropriate data protection policies; and
• Audit and evaluation processes.

The latter two points are important in practice. European data protection authorities expect that companies can prove that they completed relevant assessments and that these assessments are performed regularly. For example, companies should carry out and thoroughly document an assessment of the circumstances in which they consider that they can lawfully process personal data on the basis that it is in their legitimate interests to do so,³⁰ especially since many European data protection authorities have requested these assessments in administrative proceedings. There have been cases where data protection authorities have sanctioned companies for breaching the accountability obligation, which demonstrates the importance of these process requirements. For example, in its decision dated July 30, 2019, the Greek data protection authority based its €150,000 fine against PwC on a breach of the accountability principle, because the controller allegedly was not able to demonstrate that they had collected valid consents for a certain processing activity.³¹

Against this background, organizations should reassess whether they have appropriate documentation in place and whether they have implemented a system of regular checks and audits of their data handling practices in order to keep up with stricter accountability interpretation and enforcement by data protection authorities.

Joint Controller Responsibilities

The most significant development in terms of which parties are subject to the GDPR is that of “joint controllers.”³² Guidance from European data protection authorities demonstrates that there are many more circumstances in which the relationship between two parties is likely to be deemed that of joint controllers—rather than a controller and a “processor” or two independent controllers—than many practitioners and commentators anticipated. The importance of this distinction lies in the way that the GDPR places primary responsibility for compliance on the controller—the entity that determines the purposes and means of processing of personal data. The GDPR also allows for a scenario in which two or more controllers jointly determine the purpose and means of processing. Where this is the case, they are classified as joint controllers.

A number of legal obligations flow from the concept of joint controllers, including the requirement for the joint controllers to determine their respective responsibilities for compliance and the obligation to ensure that this arrangement is transparent and that key aspects are made available to the data subjects whose data are being processed.

In addition to guidance, there are also several CJEU cases signalling that more relationships will fall under the joint controller category than once anticipated.

The first was the Fan Page case,³³ in which the court found in June 2018 that the operator of a fan page and a social network, Facebook, were both joint controllers with respect to the processing of the personal data of visitors to a fan page hosted on Facebook. The court noted that visitors to the fan page were not warned that Facebook was collecting their personal data with cookies. One takeaway from this case was that a joint controller relationship was possible even if one of the parties—the administrator of the fan page—did not have access to the data that the other party—Facebook—was collecting. The court found the fact that both parties were determining the parameters for data analysis was sufficient for them to be deemed joint controllers.

In the Jehovah’s Witnesses case,³⁴ the court found in July 2018 that a religious community, such as the Jehovah’s Witnesses, is a controller jointly with its members who engage in preaching for the processing of personal data carried out by its members in their door-to-door preaching. The court noted that an entity that exerts influence over the processing of personal data for its own purposes and that participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller. As with the Fan Page case, joint responsibility did not require access to the data on the part of both controllers.

Finally, in the Fashion ID case,³⁵ the court found in July 2019 that website operators that incorporate a third-party plug-in—a piece of software that acts as an add-on—on their sites can become joint controllers in the collection and sharing of personal data with that third party. One takeaway from this case was that joint control does not need to span the entire processing cycle for the parties to be joint controllers; it could be limited to certain processing steps.

These cases demonstrate that the CJEU applies a very low threshold for the required level of influence on data processing to categorize companies as joint controllers. Unfortunately, there is still a lack of clear and unambiguous criteria for assessing when a joint controller relationship may exist. In practice, companies should check that key intra-group and vendor relationships are properly assessed to ensure that any joint controller relationships have been identified and responsibilities documented that accurately reflect the processing activities being carried out. They should also review privacy notices to ensure they provide adequate disclosures of any joint controller arrangements.

Ongoing Focus on Security

Security of data processing may not be a new concern in itself, but it has become a major focus area for data protection authorities and therefore a key area of risk for controllers and processors. The introduction of more specific data breach notification duties and other onerous obligations on controllers and processors to implement organizational and technical security measures under the GDPR means that data protection authorities may investigate thoroughly and question organizations’ operations and internal processes. Experience shows that European data protection authorities have started making effective use of their new powers under the GDPR. In fact, there has been a significant number of investigations opened, and fines issued, as a result of an organization notifying a data breach to the data protection authority. In the months following the GDPR’s implementation, data protection authorities reported a sharp increase in data breach notifications received. For example, the Dutch data protection authority, Autoriteit Persoonsgegevens, declared more than 20,000 notifications in 2018 alone. As society increasingly digitizes, security issues are a trend that seems here to stay.

Certain high-profile cases have also hit the press, with the Information Commissioner’s Officer in October 2020 fining Marriott International more than €20 million,³⁶ and in October 2020 fining British Airways more than €22 million,³⁷ in both cases as a result of major data breaches and failure to fulfil data security requirements. There are many other ongoing cases all showing the willingness of data protection authorities to take a more critical view of organizations’ approach to security and to require the application of a genuine information management and classification policy.

The GDPR adopts a technology-neutral approach to data security but stresses the importance of addressing the actual risks in an appropriate manner, by implementing a set of measures ranging from organizational and contractual preparedness, to technical protection and safeguards, logging and documenting incidents, training staff, and raising awareness. For instance, in a recent German case, a health insurance organization that collected data from raffle participants implemented internal guidelines and training to ensure that only those who consented would be contacted for marketing.³⁸ In spite of these measures, data of individuals who had not consented was used for marketing purposes, and the organization’s security measures were found to be insufficient. The German data protection authority wanted to highlight the need to implement better security measures in order to achieve the sought-after result and to turn good intentions into reality. This example shows how far reaching the implications of the security obligations under the GDPR can be, well beyond the straightforward situations of passwords or individuals’ credentials that leak online. Generally speaking, on the enforcement front, the EC’s Report describes the approach as “balanced.” Data protection authorities are making use of a range of their powers and taking into account mitigating factors—such as an organization’s willingness to acknowledge its failures and to work with authorities to fix and remedy breaches—when weighing appropriate enforcement action.

In addressing the ongoing and increased threat to all businesses from sophisticated physical and cyber security attacks, companies should ensure that they implement best-practice security measures and continually review them, together with keeping internal records of policies and procedures. Having well-rehearsed and documented incident management protocols is also essential to identifying and mitigating the impact of any security events. Companies should also carefully scrutinize existing and potential vendors and ensure that they have robust contractual protections in place dealing with ongoing security measures, incident response, and liability.

Enhanced Data Subject Rights

One of the main objectives of the GDPR is to give data subjects control over their own personal data. Since the GDPR came into effect, data subjects have become well aware of their rights through data protection authority awareness campaigns, high-profile data breaches, and numerous email updates to marketing consents and privacy policies. This has ultimately led to an increased number of data subject requests to controllers and complaints to national data protection authorities. According to a recent survey by the EU Fundamental Rights Agency, 69 percent of the population over the age of 16 in the European Union have heard about the GDPR and 71 percent have heard about their national data protection authority.³⁹ Public recognition of data privacy means that companies have suddenly faced an urgent need to implement a more efficient process to address and respond to the exercise of rights by data subjects within the GDPR’s mandated timeframes, which require controllers to respond to requests without undue delay and within one month of receipt of the request.⁴⁰ Having a streamlined response process not only supports compliance but can also improve customer service, which could give a competitive advantage.

In Spain, the Spanish Data Protection Act⁴¹ goes one step further than the GDPR by enshrining additional digital rights under national law to supplement the GDPR. The act includes the express recognition of the right to be forgotten in search engines, social networks, and other similar services (based on the CJEU’s ruling in the Google Spain case⁴²). Following this theme, the EDPB also published recent guidance on the exercise of the right to be forgotten in search engines.⁴³

Companies can take steps to preemptively minimize requests from data subjects, and thus mitigate any costs of resolving those requests, by being fully transparent and providing comprehensive details about their personal data processing activities. It should be noted that companies are usually more exposed to requests and complaints from data subjects (especially in relation to the exercise of the data subject access right) if they include scarce, or the bare minimum of, information about the relevant data processing.

Because the exercise of data subject rights is essentially free of charge under the GDPR (a change for some jurisdictions), there are numerous examples of cases where individuals took advantage of those rights in bad faith to put pressure on a controller in connection with a separate and unrelated dispute. This is a developing trend. In any event, if a particular request is manifestly unfounded or excessive, the controller may (1) charge a reasonable fee (based on the administrative costs of providing the information, communicating, and responding to the request) or (2) refuse to act on the request, albeit guidance from data protection authorities suggests this concept is likely to be narrowly construed. The GDPR clarifies that fees may be charged, in particular, where requests are repetitive. One example is that the GDPR expressly confers on controllers the ability to charge a reasonable fee for any further copies requested by data subjects in the exercise of their data subject access rights.

With respect to the manner in which data subjects may exercise their data protection rights, the GDPR recommends that controllers implement an electronic means of facilitating the exercise of those rights (especially in cases where personal data are also processed by electronic means). In this sense, making standard forms available for data subjects could make the handling and resolution of these requests easier for controllers. However, since data subjects cannot be forced to use any specific form in order to exercise their rights, companies may still need to invest in dedicated teams to handle data subject requests (whatever their form may be) and to ensure GDPR compliance. The creation of dedicated teams has also proven to be favored when dealing with data breaches.

The Current Status of International Data Transfers

As for international data transfers—namely, transfers to a jurisdiction outside the European Union—the GDPR provides for some continuity with the previous regime in terms of legal tools and legal bases for a transfer. The GDPR provides that in the absence of an adequacy decision of the European Commission (and such decisions so far have been given to few jurisdictions, the most relevant of which are Argentina, Canada, Israel, Japan, and Switzerland), companies should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject, unless a specific (but limited) derogation applies. Such safeguards may consist of making use of binding corporate rules, standard contractual clauses adopted by the EC, standard data protection clauses adopted by a data protection authority, or contractual clauses authorized by a data protection authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the European Union. These include the availability of enforceable data subject rights and effective legal remedies, including the right to obtain effective administrative or judicial redress and to claim compensation in the European Union or a third country.

Standard contractual clauses (or model clauses) approved by the European Commission are the most commonly adopted legal instrument to carry out international data transfers. Basically, there are two different contractual types that address the transfer from a European controller (known as the data exporter) to a non-European controller or processor (in both cases, known as data importers).⁴⁴

European businesses exporting personal data to the United Stated once relied on the EU-U.S. Privacy Shield Framework.⁴⁵ This was a legal framework designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

Then, the CJEU invalidated the Privacy Shield in the July 2020 case of Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II case).⁴⁶ The CJEU examined the adequacy of the protection provided by the Privacy Shield, holding that (1) the requirements of U.S. law, and in particular certain programs enabling U.S. authorities to access personal data transferred from the European Union to the United States for national security purposes, result in limitations on personal data protections that are not circumscribed in a way that satisfies EU law requirements; and (2) such U.S. law does not grant data subjects actionable rights before the courts against the U.S. authorities.

Additionally, the CJEU examined the validity of the EC’s Decision 2010/87/EC, which had approved the use of a set of standard contractual clauses for the transfer of personal data to processors in third countries.⁴⁷ Although the CJEU found that these clauses remain valid, it noted that validity depends on whether such clauses are able, in practice, to ensure compliance with the level of protection essentially equivalent to that guaranteed within the European Union by the GDPR or, if not, transfers of personal data pursuant to such clauses are suspended or prohibited. The CJEU pointed out that the above-mentioned decision imposes an obligation on European companies acting as data exporters and on the data importers in third countries to verify, prior to any transfer—and taking into account the circumstances of the transfer—whether that level of protection is respected in the country concerned. Furthermore, the decision requires the data importer to inform the data exporter of any inability to comply with the standard contractual clauses, and where necessary, with additional safeguards that the parties included to supplement those measures already included in those clauses. As a consequence of such notification, the European data exporter is then obliged to suspend the transfer of data or terminate the clause with the data importer.

The Schrems II case is having a major impact on international data transfers because, in one fell swoop, the Privacy Shield that many businesses relied on for their data transfers was declared invalid while standard contractual clauses now need additional assessments and possible supplementary measures (not specifically identified by the court or any other body, so far).

Any possible approval of additional sets of standard contractual clauses by the European Commission or by the individual national data protection authorities is unlikely in the short term and will require time. Furthermore, it is unlikely that individual data protection authorities will decide to act alone and outside a common framework agreed at the European level.

Companies might look into seeking the approval of European data protection authorities for use of binding corporate rules, which are data protection policies written and adhered to by companies established in the European Union for transfers of personal data outside the European Union within a group of undertakings or enterprises. But this is a procedure that takes time and is costly, and therefore it is not an immediate solution for companies that may be seeking to implement a solution in the next few months in response the Schrems II case. Furthermore, even the use of binding corporate rules must be assessed on a case-by-case basis by companies using them. Companies must make an assessment taking into account the circumstances of the transfers and supplementary measures (as referred to above in connection with standard contractual clauses) put in place to ensure that U.S. law does not impact the adequate level of protection that the binding corporate rules guarantee.

The invalidation of the Privacy Shield and broader impact of the Schrems II case on other data transfer mechanisms as described above is serious, not least because the alternative limited derogations for international transfers under the GDPR only apply in specific situations and because no grace period has been given for organizations to implement alternative data transfer mechanisms. Furthermore, the data protection authorities have begun to receive complaints about international data transfers allegedly in breach of the Schrems II case. Companies are therefore strongly advised to promptly review their international data flows and start taking appropriate action, especially if the data importer is located in the United States.

Finally, many aspects of the Schrems II Case and the issues examined by the CJEU are particularly relevant for the future of data transfers from the European Union to the United Kingdom after the end of the Brexit transition period on December 31, 2020. After this date, the current status quo for data transfers will no longer apply and the United Kingdom will be a third country according to the GDPR. Companies are therefore tracking closely the outcome of the UK’s pending application to the European Commission for adequacy status.

Conclusion

Going forward, we expect to see more enforcement action, the further overlaying of national legislation supplementing the GDPR on specific data privacy topics, and additional guidance from European data protection authorities. While the stated aim of the European Commission in its Report is to support the harmonized and consistent implementation and enforcement of the GDPR across the European Union, there are likely to be challenges to this objective.

Key issues on the horizon include:

• Much-anticipated guidance around international data transfers in light of the recent invalidation of the EU-U.S. Privacy Shield and additional measures required in connection with the use of standard contractual clauses;
• The scope of the final draft ePrivacy Regulation, which will replace the existing ePrivacy Directive, governing the use of personal data and other information in marketing as well as the use of cookies and how this practice intersects with the GDPR, particularly as to when GDPR-level consent will be required;
• The outcome of the adequacy assessment currently being carried out by the European Commission with respect to the United Kingdom in accordance with the Political Declaration on the Future Relationship; and
• The application of the GDPR to new technologies, such as artificial intelligence and machine learning.

Companies will need to consider these external issues and also closely monitor their internal data collection and use in order to ensure that their data privacy compliance approach remains in step with the GDPR as it evolves in the coming years.

Antitrust, Vol. 35, No. 1, Fall 2020. © 2020 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.

¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 [hereinafter GDPR].

² Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31 [hereinafter Data Protection Directive].

³ Eur. Comm’n, Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition—Two Years of Application of the General Data Protection Regulation, COM (2020) 264 final (Jun. 24, 2020) [hereinafter Report].

⁴ Id. at 4.

⁵ GDPR, art. 6(1). Additional conditions apply when special categories of personal data are being processed. See id. art. 9.

⁶ Id. art. 6(1)(a). The GDPR defines “data subject” as “an identified or identifiable natural person.” Id. art. 4(1). It defines “consent” as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Id. art. 4(11).

⁷ See id. art. 7.

⁸ Id. art. 4(7) defines “controller” as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In the context of the internet, the term often refers to companies that operate websites.

⁹ Eur. Data Prot. Bd., Guidelines 05/2020 on Consent Under Regulation 2016/679 ver. 1.1 ¶ 3, at 5 (May 4, 2020), https://edpb .europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en.

¹⁰ GDPR, art. 4(11).

¹¹ CNIL, Deliberation of the Restricted Committee SAN-2019-001 of 21 January 2019 Pronouncing a Financial Sanction Against Google LLC (2019), https://www.cnil.fr/sites/default/files/atoms/files/san-2019-001.pdf.

¹² Conseil d’État, Sanction infligée à Google par la CNIL, Décision 19 Juin 2020, https://www.conseil-etat.fr/ressources/decisions-contentieuses/dernieres-decisions-importantes/conseil-d-etat-19-juin-2020-sanction-infligee-a-google-par-la-cnil.

¹³ See, e.g., CNIL, supra note 12, ¶¶ 86–89, at 11–12. Article 12, in particular, is cited throughout the opinion.

¹⁴ Id. ¶ 86 (quoting GDPR, art. 12(1)).

¹⁵ Id. ¶ 96, at 13.

¹⁶ Id. ¶ 116, at 17.

¹⁷ Conseil d’État, supra note 12, ¶ 21.

¹⁸ Id. ¶ 23.

¹⁹ Id.

²⁰ Case C-673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände––Verbraucherzentrale Bundesverband eV v. Planet49 GmbH, ECLI:EU:C:2019:801 (Oct. 1, 2019).

²¹ Id. ¶¶ 52–55.

²² Id. ¶¶ 50.

²³ Id. ¶¶ 62.

²⁴ Id. ¶¶ 71.

²⁵ Info. Comm’r’s Office, Guidance: Privacy and Electronic Communications: Guidance on the Use of Cookies and Similar Technologies 47 (July 3, 2019); https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf.

²⁶ GDPR, art. 5(2).

²⁷ See Report, supra note 3, at 1.

²⁸ See GDPR, art. 37.

²⁹ Id. art. 9(1) (defining special categories of data as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”).

³⁰ The controller’s legitimate interest is one of the six legal bases for processing personal data. Id. art. 6(1)(f).

³¹ Decision 26/2019 of the Hellenic Data Protection Authority, https://www .dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/DECISIONS/SUMMARY%20OF%20DECISION%2026_2019%20(EN).PDF.

³² See id. art. 26.

³³ Case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, ECLI:EU:C:2018:388 (June 5, 2018).

³⁴ Case C-25/17, Tietosuojavaltuutettu v. Jehovan todistajat––uskonnollinen yhdyskunta, ECLI:EU:C:2018:551 (July 10, 2018).

³⁵ Case C-40/17, Fashion ID GmbH & Co. KG v. Verbraucherzentrale NRW eV, ECLI:EU:C:2019:629 (July 29, 2019).

³⁶ Press Release, Info. Comm’r’s Office, ICO Fines Marriott International Inc £8.4 Million for Failing to Keep Customers’ Personal Data Secure (Oct. 30, 2020), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/.

³⁷ Press Release, Info. Comm’r’s Office, ICO Fines British Airways £20m for Data Breach Affecting More than 400,000 Customers (Oct. 16, 2020), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400-000-customers/.

³⁸ Commissioner for Data Protection and Freedom of Information Baden-Wurttemberg, decision of 26 June 2020 re. AOK Baden Wuerttemberg.

³⁹ Eur. Union Agency for Fundamental Rights, Your Rights Matter: Data Protect ion and Privacy (2020).

⁴⁰ GDPR, art. 12(3). The period of one month may be extended by two further months where necessary, taking into account the complexity and number of requests. Id.

⁴¹ Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales, 2018 B.O.E. 119788.

⁴² Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos (AEPD), ECLI:EU:C:2014:317 (May 13, 2014).

⁴³ Eur. Data Prot. Bd., Guidelines 5/2019 on the Criteria of the Right To Be Forgotten in the Search Engines Cases Under the GDPR (Part 1) (Dec. 2, 2019), https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201905_rtbfsearchengines_forpublicconsultation.pdf.

⁴⁴ There are currently two different types of standard contractual clauses for use, depending on whether the EU-based data exporter is transferring personal data to a controller, in which case one of the two sets of the European Commission approved controller-to-controller clauses should be used, or the data exporter is transferring personal data to a processor, when the European Commission approved controller-to-processor clauses are used.

⁴⁵ Comm’n Implementing Decision 2016/1250, 2016 O.J. (L 207) 1 (EU).

⁴⁶ Case C-311/18, Data Protection Comm’r v. Facebook Ir. Ltd., ECLI:EU :C:2020:559 (July 16, 2020).

⁴⁷ Comm’n Decision 2010/87, 2010 O.J. (L 39) 5 (EU).