Case 1 (Finland): First decision from the Finnish DPA regarding the use of Google Analytics
During 2022 the data protection authorities in several EU countries have published decisions banning the use of Google Analytics (GA). The Austrian data protection authority was the first one to rule against the use of GA in early 2022. The Austrian decision was then followed by similar decisions of the French, Italian and Danish data protection authorities. According to the data protection authorities of the said countries, the use of GA is unlawful since the GA tool transfers personal data to the United States. After the Schrems II decision in July 2020 the transfer of personal data to the United States is in practice not lawful since the laws of the United States do not offer an adequate level of data protection (i.e. a level equivalent to that in the EU). Also, there are limited safeguards that can be put in place in order to ensure that personal data is adequately protected in the United States. For example, as regards Google, the US Foreign Intelligence Surveillance Act (FISA) applies which in practice means that personal data processed by Google can be accessed by US authorities in a manner that is not allowed under the GDPR.
In January 2023 the Finnish Deputy Data Protection Ombudsman (DDPO) gave its first decision in a case involving three libraries in the capital region of Helsinki and their use of GA. Under the DDPO’s decision, the city of Helsinki, Espoo and Kauniainen were given reprimands since, amongst other things, the libraries’ webpage user data had through GA been transferred to the United States without the libraries having implemented appropriate safeguards to protect the transferred data. According to the DDPO’s decision the GA service stores and reads data collected through cookies placed on the user’s browser and the collected data is then transferred to Google servers located in the United States.
It should be noted, however, that the above view has not been shared by all EU data protection authorities. In December 2022 the Spanish data protection authority took a different approach when ruling that the use of GA did not constitute a breach of the GDPR. The respondent (Royal Academy of Spanish Language (Real Academia Española (RAE)) claimed that no such data was obtained through the use of GA that could be regarded to constitute personal data since the only information that could identify website users was a randomised ID that GA assigns to each user and which cannot be used to identify users. Also, RAE did not use any advanced features of the GA but only the free version of it and RAE had stopped using GA immediately after the Schrems II decision in July 2020 (prohibiting transfer of data to the United States without appropriate safeguards).
By the above referred decision the Finnish DDPO clearly takes the same approach to the use of GA as many other EU data protection authorities. While the facts of the case brought before the Spanish data protection authority somewhat differ from the facts of the cases brought before the other EU DPAs it is still worthwhile noting that the use of GA or other comparable tools does not always constitute a breach of the GDPR and that the risks connected to the use of such tools may vary.
The decision of the Deputy Data Protection Ombudsman (in Finnish) can be found here.
Case 2 (Finland): The Finnish DPA fines debt collector agency; biggest administrative fines imposed in Finland since the entry into force of the GDPR
The sanctions board of the Finnish Data Protection Ombudsman has imposed an administrative fine amounting to EUR 750,000 on a debt collection agency for, amongst other things, not having responded to customers’ requests to access their own data in a timely manner. The debt collection agency said, to its defense, that it did no longer process data of one of the complainants who had requested access to his own data. The Finnish Deputy Data Protection Ombudsman however, ruled that the debt collector agency should have responded to the request and informed the complainant that it was no longer processing his data. According to the decision the debt collection agency had also not been willing to co-operate with the Office of the Data Protection Ombudsman nor to familiarize itself with the requirements for data processing set forth in data protection legislation.
The debt collector agency was imposed an administrative fine for the breach of articles 12 and 15 of the GDPR (for which the maximum fines are EUR 20 million or in the case of an undertaking, up to 4 % of the total worldwide annual turnover, whichever is higher). The administrative fine imposed on the debt collector agency amounts to some 0,5% of its global annual turnover.
Aggravating circumstances increasing the amount of the fine include, amongst others, the following:
- The GDPR has been regularly breached (the case at hand did not concern a onetime breach)
- In addition to having breached the data subjects’ right under the GDPR, the said breach also violates the data subjects’ right of access to information under the EU Charter of Fundamental Rights
- Collection of monetary payment claims, including collection costs, can ultimately be enforced through coercive means by relevant authorities. Therefore, and since the processing is highly automated, the regulation relating to the protection of personal data enables the data subjects (debtors) to prepare themselves for any legal claims and threats of such and it is also, therefore, crucial that the data protection regulation and data subjects’ rights are respected.
- The debt collector agency has not undertaken any measures to prevent said beaches from re-occurring and has also not been willing to co-operate
The right of access to one’s personal data is one of the data subjects’ main rights under the GDPR and the EU Charter of Fundamental Rights. Without respecting data subjects’ right to access his/her information a data subject cannot amend inaccurate data or in other ways monitor that his/her data is lawfully processed. This is especially important if data subjects’ data is processed for any such purpose that may impose obligations upon him/her (such as debt collection). The administrative fines imposed by the sanctions board serve as a reminder that controller obligations as well as the co-operation with the data protection authority are to be taken seriously.
As regards the amount of the fine, the decision is well argued with respect to GDPR Article 83 but the calculation method of fines is still left unrevealed. Sanctions imposed for same infringements in other EU countries may obviously be used as a guideline when assessing possible sanctions for GDPR infringements. Under the GDPR the DPAs shall contribute to a consistent application of the GDPR throughout the EU/EEA.
The ruling is still not final and may be appealed.
The decision of the Deputy Data Protection Ombudsman (in Finnish) can be found here.
Case 3 (Finland): ECJ ruling on the right of data subject to know to whom his/her data has been disclosed (Case C-154/21)
This ruling concerns the Austrian post who had not been able to in detail identify to whom it, as a controller, had shared personal data. In response to the data subject’s request to be disclosed the recipients of his personal data, the Austrian post merely stated that it uses personal data in the course of its activities as a publisher of telephone directories and that it offers those personal data to trading partners for marketing purposes. The Austrian Supreme Court was unsure if the GDPR allows a controller to only inform a data subject of categories of recipients of personal data or if the data subject has the right to know the exact identity of the data recipients under GDPR Article 15 and, therefore, submitted this question to the ECJ.
The ECJ states that data subjects need to know the details of the recipients. This because data subjects have, under GDPR Article 15 the right to access their own data. If the name of the recipients of personal data is not disclosed, then data subjects cannot exercise their right to access data or other rights provided under the GDPR (Articles 16-19 and 21 for example). Also, the ECJ states that GDPR Article 19 expressly confers on the data subject the right to be informed of the specific recipients of the data concerning him or her by the controller, in the context of the controller’s obligation to inform all the recipients of the exercise of the data subject’s right to rectify, erase or restrict the processing of his/her personal data.
The right to know the identity of data recipients is, however, limited. According to the ECJ a controller does not have an obligation to give detailed information on the data recipient where it is not (yet) possible to identify those recipients or if the controller can demonstrate that the request is manifestly unfounded or excessive. In these cases, the controller may only indicate the categories of recipients of the personal data. The ECJ did not clarify what is to be regarded as a “manifestly unfounded or excessive request” but since this is clearly an exception to the main rule this will probably be interpreted narrowly.
A practical implication of this ECJ ruling is that organizations should keep records of specific recipients for each data transfer – per data subject or group of data subjects sharing the same recipient list. It remains to be seen what kind of exceptions to the main rule of disclosing the details of the data recipients will be accepted by the EU DPAs.
The ECJ ruling can be found here.