A start to the summer marked by record sanctions and new support measures.
Legal Watch – July-August 2019.
The start of summer brings rising temperatures, and also rising fines for breaches of privacy rules.
In particular, the ICO, the British supervisory authority, announced its intention to impose two sanctions ('notice of intention to fine') totalling over 280 million pounds: one against the Marriott International hotel group, for the equivalent of 111 million euros, and one against British Airways, for an amount of over 200 million euros.
In both cases, the GDPR violations involved hacks made possible by data security failures that exposed the data of hundreds of thousands of customers.
The ICO also fined a London estate agent £80 million on July 19 for failing to secure more than 18,000 customer records for two years.
It should be noted that most recent sanctions concern security breaches and unauthorised access to data, whether from inside or outside the company.
Across the Atlantic, the United States Federal Trade Commission has negotiated a settlement order of five billion dollars with Facebook for violating the privacy of Internet users.
This fine is unprecedented in the history of the FTC, and remains one of the highest ever imposed by the American state.
However, it remains modest relative to Facebook's annual revenue of $55.8 billion. In its July 24 press release, the FTC sets out the reasons for its action, which relate to the company's failure to comply with the data protection injunctions the FTC issued in 2012.
In addition to this fine, the company is required to restructure its data protection model, including an oversight committee that is more independent of its CEO, and stricter rules for managing third-party applications and user data, particularly with regard to facial recognition, password management and data encryption.
While supervisory authorities are making increasing use of their control powers, they are also ensuring that companies' practices are guided by the legal framework.
The CNIL thus published guidance on July 18 on the rules applicable to cookies, the tracers installed on users' terminals that enable, among other things, advertising targeting.
The CNIL is updating the requirements necessary for obtaining consent from Internet users: this consent can no longer be implicit, and must result from a clear action by the individual.
Cookie walls, which prevent access to a site if you do not accept cookies, are prohibited.
This interpretation of the validity of consent had already been clarified by the European Data Protection Board in a statement from May 2018.
It is confirmed by the wording of the GDPR, and should be further clarified in the future "privacy and electronic communications" regulation, which will replace Directive 2002/58/EC ("ePrivacy").
A new recommendation from the CNIL will clarify the practical arrangements for obtaining consent, and a six-month adaptation period will be given to companies to allow them to comply with the law.
And also:
In Europe:
On July 24, the European Commission published a report taking stock, one year later, of the implementation of the GDPR.
It identifies the actions implemented by the supervisory authorities, the strengthening of their cooperation, as well as the compliance efforts of the private sector.
The Commission announces its intention to support these efforts with various tools such as standard contractual clauses, codes of conduct and certification mechanisms, with particular attention to SMEs.
From an international perspective, South Korea could be the next country to benefit from an adequate level of protection facilitating data transfers. The Commission is considering other types of multilateral agreements to facilitate international data exchange.
In the world:
United States:
There are calls in the US Senate for the adoption of a federal data protection law.
Legislation to this effect was introduced by Senator Ron Wyden in November 2018.
At the state level, California is a pioneer: the CCPA, California Consumer Privacy Act, will come into effect on January 1, 2020, but is currently subject to amendments by the U.S. Senate. Often compared to the GDPR, especially with regard to data subjects' rights to information and objection, it differs in particular in its scope, which focuses on consumer protection.
Asia:
A series of events related to the protection of personal data took place in Singapore during the first half of July, bringing together professionals from the sector in different venues.
The discussions at the Asia Pacific Forum were summarized by the IAPP.
They emphasize corporate accountability and oversight by regulatory authorities.