
Reflections Prompted by Google's €50 Million GDPR Fine

2019-3-01


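Because Google violated multiple provisions of the EU General Data Protection Regulation, on 21 January 2019 the French National Commission on Informatics and Liberty (CNIL) issued it a fine of fifty million euros. This is the largest fine issued under the General Data Protection Regulation to date.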


On 21 January 2019, the French data protection authority, CNIL, imposed a fine of €50 million on Google for various breaches of the GDPR. It was the first fine imposed by CNIL, and by far the biggest fine imposed to date by any DPA pursuant to the GDPR.


The CNIL found that Google had committed several GDPR infringements. Among other things:  


● Google did not make certain vital information sufficiently accessible to its search engine users, including the legal basis for the processing of their personal data and how long it was being stored;

● Google did not make it sufficiently clear to users that their consent was the purported legal basis for processing their personal data for targeted advertising purposes;

● This consent (even if it constituted a valid legal basis for processing) was not validly obtained because users were not clearly informed of what they were consenting to.


The principal takeaway from the Google decision concerns fines under the GDPR. The Google fine was imposed some 8 months after the GDPR went into force. The level of fines going into 2020 is likely to be much higher. Chinese firms at risk really shouldn’t wait much longer to become compliant, not when complex compliance projects may last up to a year or even longer.


A second takeaway from the Google case is that using high-powered lawyers and IT people to confuse and mislead data subjects in order to limit their client’s responsibilities under the GDPR is not a clever strategy and will not be tolerated. When external lawyers are engaged in GDPR compliance activities, they must take into account the interests of the data subjects, as they are the class of people protected by the GDPR, not the companies collecting the personal data.


There are several other developments worth reporting.


The Austrian entrepreneur


In October 2018, the Austrian DPA imposed a fine of €4,800 on a retailer for excessive surveillance of his establishment: his security camera apparently captured images of people on his sidewalk, which were unnecessary for security purposes. While this decision may appear small-minded, one must consider that the GDPR addresses the monitoring of individuals’ behavior, whether in the form of surveillance cameras, Internet browsing habits, cell phone usage etc.


Many Chinese companies have been hesitant to implement the GDPR because they think that the GDPR only applies to Internet companies. The Austrian case pretty much destroys that line of thinking. Imagine a major Chinese manufacturer, bank or insurer with a large presence in Europe which routinely monitors its facilities and offices, both inside and out, not only for security reasons, but also to check on what its employees are doing (e.g. to maximize productivity or to ensure that they are not breaking the law). It has surveillance cameras on the grounds, in the parking lots, in the hallways etc.


The Austrian decision makes clear that all such monitoring and surveillance must meet the standards of the GDPR. And, in the case of a much broader surveillance activity that involves hundreds if not thousands of employees, clients and other individuals, it is clear that the potential fine would be much larger than €4,800.


German social media app


Another development is the November 2018 decision by the DPA for the German State of Baden-Württemberg (LfDI) in the case of Knuddels.de. In this case, Knuddels.de, a small German chat app, was hacked, resulting in the theft of almost 2 million user names and passwords and more than 800,000 email addresses. The LfDI concluded that Knuddels.de had breached Article 32 of the GDPR (security of processing) principally by storing passwords in plain text (i.e. they were not encrypted). Because Knuddels.de quickly reported the hack to its home DPA, it was spared a much higher fine for having failed to report the data breach within 72 hours of its discovery.


Knuddels.de was only fined €20,000 because it is a small app with limited sales income. If the company investigated were, for example, a large Chinese app, bank or Internet platform, the fine may well have been in the millions of Euros.


Warning signs


All three of the above cases demonstrate how pervasively the GDPR can apply to a typical Chinese company that has activities in the EU, as well as the extent to which national DPAs will go to address infringements. If they are willing to investigate small businesses, then they will not hesitate to go after large Chinese companies, even if they are under the radar in Europe. And it should be kept in mind that there is no requirement under the GDPR that the Chinese company have an EU presence. After all, they are able to collect the data of EU residents from anywhere…





Dr. Frank Fine

     

 

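Brussels Office

Head of International Antitrust Practice

Serves as Executive Director of the China International Antitrust and Investment Research Center and as Visiting Professor at the Institute of International Antitrust and Investment, School of Law, China University of Political Science and Law. (Admitted to practice in England, Wales, California and the District of Columbia.)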

E-mail:frank.fine@cqhaolun.com


Disclaimer:

This article was written by the lawyer of DeHeng Law Offices. It represents only the opinions of the authors and should not in any way be considered as formal legal opinions or advice given by  DeHeng Law Offices or its lawyers. If any part of these articles is reproduced or quoted, please indicate the source.
