A decision from the British Information Commissioner’s Office (the ICO) against the parent company of the former Cambridge Analytica, SCL Elections, determines that the GDPR also protects citizens outside the EU if their data is processed within the EU.
American Professor David Carroll had requested access to his data, and when SCL Elections only provided him with selected data, Professor Carroll complained to the ISO, which issued an enforcement notice ordering the company to submit the remaining information no later than by 4 May 2018. When Professor Carroll subsequently still did not receive all his data, SCL Elections was fined GBP 15,000 by the Hendon Magistrate’s Court and in addition hereto GBP 6,000 in legal costs and a victim surcharge to Professor Carroll of GBP 170.
Please see the ICO news letter about the decision here: data protection news report about the decision here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/01/scl-elections-prosecuted-for-failing-to-comply-with-enforcement-notice/
The French DPA (the CNIL) imposed a financial penalty on Google for lacking information, transparency and grounds for processing, thereby raising a historical milestone in penalty level for breaching the GDPR. So far the greatest fine was GBP 500,000, corresponding to EUR 573,000; hence, the amount was raised by entire 8.626%.
The decision is particularly interesting as the CNIL i.a. justifies the fine and the publication of the decision with the fact that processing of personal data is of crucial importance for Google’s economic model. It is thereby implied, that the more important the personal data is in relation to the company’s economic model, the higher responsibility the company will have for complying with the rules.
Please see our detailed news letter on the decision here: https://www.holst-law.com/forretningsomr%C3%A5der/persondata/nyhedsarkiv/google-f%C3%A5r-b%C3%B8de-p%C3%A5-50-millioner-euro.aspx
In 2014, the European Court of Justice ruled that the right to be forgotten not only comprises the right to have data deleted on various websites, but also to have search engine results deleted on e.g. Google, if such data is imprecise, inadequate, irrelevant or excessive in relation to the purpose of processing the data. Since then, more than three million have exercised this right. One of them - a Dutch surgeon - won an important case on the subject.
Initially, the surgeon had her registration to operate suspended, however, later this was changed to a conditional suspension allowing her to continue to practise. Nevertheless, her name appeared on an unofficial blacklist on the internet, appearing as a first result when searching the doctor’s name. She requested this search result removed.
Google and the Dutch DPA were of the opinion that the public’s interest in this search result was of higher importance than the doctor’s and therefore rejected her request about removing the search results.
However, the District Court of Amsterdam ruled the opposite arguing that the derogatory in appearing on the blacklist indicated that she contrary to the truth was unfit to operate, and that her first and unconditional - later conditional - suspension appeared from the public register www.bigregister.nl. Therefore, the surgeon’s interest in not appearing on the blacklist in the first search results was of higher importance than the public’s interest.
The decision was made in July but only recently made public. If website owners and a particular search engine are regarded as mutual data controllers in line with e.g. facebook page owners and facebook, the owner of such website must ensure that data upon justified request not only is deleted from one’s own website, however, also that the data no longer appears in any search results referring or linking to their website.