In Perspective: Important and recent enforcement cases across Europe
UK data protection regulator fines company for sending spam texts during the pandemic
- H&L Business Consulting Limited have recently been fined £80,000 for sending thousands of text messages to people who had not consented to receive them.
- The contents of the text messages related to the offer to have debt written off during the lockdown (which was imposed on people during the Covid-19 pandemic).
- The messages also stated that the debt management scheme was government-backed – this was untrue.
- Despite numerous attempts to evade regulatory action, the ICO fined the business for noncompliance of data protection law.
Why it matters
- Direct marketing rules fall within a set of obligations placed on businesses that are contained within the Privacy and Electronic Communications Regulations 2003 (PECR).
- PECR states that for most forms of direct digital marketing involving customers (e.g. the sending of texts that advertise goods or services) – prior informed consent is required from the recipient.
- H&L Business Consulting Limited did not do this and additionally used the pandemic as a way to convince individuals to sign up to their debt management scheme.
Airport fined in Belgium for unlawfully carrying out temperature checks on passengers
- The Belgium data protection regulator has recently fined an airport €100,000 for unlawfully conducting temperature checks using thermal imaging cameras on passengers.
- Thermal imaging cameras were in force between June 2020 and March 2021. Passengers suspected to be infected by Covid-19 were asked to leave the airport and not allowed to board a plane.
- The Belgium data protection regulator confirmed that there was no specific legal obligation for the airport to be doing these temperature checks and that individuals were not being properly informed that thermal imaging cameras were being used upon entering the airport.
Why it matters
- The completion of a Data Protection Impact Assessment is recommended whenever the business plans to process special categories of personal data on a large scale (such as in cases like these).
- Data Protection by Design and by Default should also be considered so that principles such as transparency and fairness are accounted for from the outset and do not result in the unlawful processing of personal data.
- Given the high-risk nature of remotely recording someone’s body temperature, the airport should have consulted with the Belgian data protection regulator beforehand in order to review the processing activities and any associated remediation.
Icelandic university is reprimanded for not being transparent with students
- The Icelandic data protection regulator has recently reprimanded a university for not providing students with sufficient information regarding the processing of their personal data when remotely monitoring exams taken via the Zoom platform during the Covid-19 pandemic.
- The information that should have been provided to students would include details on the lawful basis for processing, security measures and data subject rights (such as the right to access and rectify one’s personal data).
- The university was reprimanded instead of receiving a fine.
Why it matters
- Transparency is an important principle of data protection law and is inherently linked to fairness.
- Organisations should be clear, open and honest with people about how and why their personal data is being processed.
- This is especially the case when there is an inherent imbalance of power (such as between a student and their teacher).
- If individuals know from the start how their data will be used, they can make a more informed decision on how their personal data should be used.
- In most cases, the principle of transparency is met by publishing a Privacy Notice. However, other approaches are also recommended such as posters on public noticeboards.