There's rarely a quiet week in data protection — and this one was no exception. Below are three developments from the past seven days that caught my eye.
Story #1: UK ICO clamps down on cookies
In November 2023, the Information Commissioner’s Office wrote to 53 of the UK’s busiest websites to warn them of enforcement action if they didn’t bring their cookie practices into compliance. The ICO gave the companies running these websites 30 days to address its concerns around (1) placing non-essential cookies before users were given the opportunity to consent, (2) making it harder to reject non-essential cookies than to accept them, and (3) not seeking consent at all for the placement of these cookies.
In a blog released on its website, the ICO has now provided an update on its cookies crackdown: 38 of the 53 organisations had “changed their cookie banners to be compliant” and a further four had committed to complying within the next month. The ICO says that it will soon be writing to the next largest 100 websites — and the 100 after that, and so on. (Its announcement is here.)
Why is this newsworthy?
- The “pay or consent” model for behavioural advertising is currently a hot button issue in the EU, with the EDPB being asked last week to give its opinion on the topic. Cookies will necessarily be an important feature of that opinion.
- The ICO hasn’t historically enforced cookie-related breaches of PECR and the GDPR. Contrast this with the picture across the English Channel, where the CNIL in particular has issued multi-million euro fines for cookie non-compliance. Does the ICO’s recent cookie sweep indicate a more aggressive enforcement approach? Likely yes — but in line with the agency’s enforcement of the UK GDPR, I think we’ll be looking at more carrot than stick (at least initially).
- A post in 2024 wouldn’t be complete without a reference to artificial intelligence — and this one is no different. The ICO says that it intends to use AI to identify non-compliant cookie banners, but it’s not clear how this will work in practice. (A “hackathon” is planned in the coming weeks to explore what this might look like.) For example, scanning for “Accept All” and “Reject All” buttons won’t tell the whole story. You can have a perfectly worded cookie banner, but it’s mere window dressing if the website places non-essential cookies as soon as the user lands on its page (still a common practice among websites in the UK, EU and globally).
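As an added illustration of the last point (not part of the original post, and not an ICO tool): a small audit that looks at the Set-Cookie headers returned by the landing page, before any interaction with the banner, and flags cookies that are not on the site's own strictly-necessary allowlist. The allowlist and the captured headers below are constructed sample data.

```python
# Constructed allowlist: cookies the site documents as strictly necessary.
ESSENTIAL_COOKIES = {"session_id", "csrf_token", "cookie_consent"}

# Constructed sample: Set-Cookie headers from the landing response, i.e. set
# before the visitor has clicked anything on the banner.
PRE_CONSENT_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "cookie_consent=pending; Path=/; Max-Age=31536000",
    "_ga=GA1.2.111.222; Path=/; Max-Age=63072000; Domain=.example.test",
    "_fbp=fb.1.333; Path=/; Max-Age=7776000",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_pre_consent(headers, essential):
    """Return the non-essential cookies placed before consent, with lifetime and scope.

    Only Max-Age is used for the lifetime; an Expires date is not parsed here
    (a simplification of this example), so such cookies show lifetime_days=None.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in essential:
            continue
        max_age = cookie["attrs"].get("max-age")
        findings.append({
            "name": cookie["name"],
            "lifetime_days": int(max_age) // 86400 if max_age else None,
            "domain": cookie["attrs"].get("domain", "host-only"),
        })
    return findings


def placed_before_consent(headers, essential):
    """True when the landing response already sets any non-essential cookie."""
    return bool(audit_pre_consent(headers, essential))
```

A banner that reads well still fails this check if the landing response sets analytics or advertising cookies, which is exactly the gap the text describes.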
- A couple of years ago, a large number of companies in the UK received letters accusing them of non-compliant cookie practices. As a result, the authors of these letters suffered what they claimed was distress and other related harms — harms that could be addressed by way of a settlement. The letters disappeared as quickly as they emerged — likely due in part to unfavourable judgments in relation to proving non-material harm. But given the ICO’s focus on cookie enforcement, and the threat of flagging non-cooperative companies to a more interested regulator, it wouldn’t surprise me to see some of these individuals try their luck again.
Story #2: the dos and don'ts of tracking employee attendance
Organisations of all shapes and sizes are increasingly using technology to track their employees’ office attendance. Approaches to hybrid working differ — from encouraging staff to attend the office a couple of days each week, to rolling out formal policies that include a disciplinary component if not followed.
What many of these approaches have in common is that they monitor attendance through badge and entry swipe card data. This may be supplemented with additional data points (e.g., registered sick and WFH days, business travel, holidays, and so on), but turnstile data now forms the backbone of most office attendance monitoring programmes. Inevitably that raises the spectre of data protection. So, however you are monitoring — or are planning to monitor — employee attendance, there are a number of important things to bear in mind. (I’ve listed four due to space restraints, but don’t overlook considerations around purpose limitation, accuracy and retention, too.)
- Transparency. Communicate your office attendance requirements, both informally (i.e., through firm- and office-wide, and team-specific, communications) and by updating your privacy notice(s). Inevitably there will be employees who don’t like the policy, but clearly explaining your requirements in advance will mean that the processing of their personal data should not be unexpected.
- DPIAs. It is essential to conduct a data protection impact assessment, which sets out (amongst other things) why and how you will collect and use data, as well as the risks to and protections in place for individuals. This is particularly the case where you may, or will, use information collected from swipe card data to inform your decision to discipline or terminate employees.
- Access. Limit the number of individuals who have access to the raw (i.e., identifiable) data. This group will usually include office and firm management, as well as relevant members of legal and HR teams.
- Sharing. Other than to the individuals described above, or for specific — limited — use cases, data should be shared on an aggregated basis. In particular, ensure that reporting metrics are sufficiently considered so that individuals are not identified from the data (e.g., reporting team-based statistics on an office-by-office basis, where only one member of that team works in London).
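To make the “Sharing” point concrete, here is an added example (not from the original post) of the kind of aggregation step that keeps individuals out of attendance reports: badge records are reduced to distinct days per person, rolled up by office and team, and any cell with fewer than a threshold of people (an assumed minimum of three) is folded into an office-level “other” bucket or suppressed entirely. The swipe records are constructed sample data.

```python
from collections import defaultdict

# Assumed threshold: the smallest group that may be reported as its own line.
MIN_GROUP = 3

# Constructed sample of badge/turnstile records: (employee_id, office, team, date).
SWIPES = [
    ("E1", "London", "Tax", "2024-03-04"), ("E1", "London", "Tax", "2024-03-05"),
    ("E2", "London", "Litigation", "2024-03-04"), ("E2", "London", "Litigation", "2024-03-05"),
    ("E2", "London", "Litigation", "2024-03-06"),
    ("E3", "London", "Litigation", "2024-03-04"), ("E3", "London", "Litigation", "2024-03-06"),
    ("E4", "London", "Litigation", "2024-03-05"), ("E4", "London", "Litigation", "2024-03-05"),
    ("E5", "London", "Corporate", "2024-03-04"),
    ("E6", "London", "Corporate", "2024-03-04"), ("E6", "London", "Corporate", "2024-03-05"),
    ("E6", "London", "Corporate", "2024-03-06"), ("E6", "London", "Corporate", "2024-03-07"),
    ("E7", "Manchester", "Litigation", "2024-03-04"),
    ("E8", "Manchester", "Litigation", "2024-03-05"), ("E8", "Manchester", "Litigation", "2024-03-06"),
]


def attendance_days(swipes):
    """Distinct days each employee badged in (repeat swipes on one day count once)."""
    days, meta = defaultdict(set), {}
    for emp, office, team, day in swipes:
        days[emp].add(day)
        meta[emp] = (office, team)
    return {emp: len(d) for emp, d in days.items()}, meta


def _summary(counts):
    return {"headcount": len(counts), "avg_days": round(sum(counts) / len(counts), 2)}


def aggregate_report(swipes, min_group=MIN_GROUP):
    """Report per (office, team); small teams roll into (office, 'other'),
    and that bucket is suppressed (None) if it is still below the threshold.
    Identifiable per-person figures never leave this function."""
    days, meta = attendance_days(swipes)
    cells = defaultdict(list)
    for emp, (office, team) in meta.items():
        cells[(office, team)].append(days[emp])
    report, rollup = {}, defaultdict(list)
    for (office, team), counts in cells.items():
        if len(counts) >= min_group:
            report[(office, team)] = _summary(counts)
        else:
            rollup[office].extend(counts)  # e.g. the lone Tax employee in London
    for office, counts in rollup.items():
        report[(office, "other")] = _summary(counts) if len(counts) >= min_group else None
    return report
```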
Story #3: CJEU issues sensible judgment on accidental data breaches
Question: if an organisation suffers a breach of security, does it automatically mean that its technical and organisational measures don’t meet the requirements of Articles 24 and 32 of the GDPR? In a sensible judgment handed down at the end of last week, the European Court of Justice confirms that it does not. (The link to the judgment is here.)
The Court wrote that “[t]he fact that employees of the controller mistakenly delivered to an unauthorised third party a document containing personal data is not sufficient, in itself, to conclude that the technical and organisational measures implemented by the controller in question were not ‘appropriate’ within the meaning of Articles 24 and 32.”
This makes good sense. An organisation can have the best TOMs in the world, but it’s not always possible to account for humans — and humans make mistakes.
As the Court has recently ruled in other cases, the GDPR is not a strict liability law. Instead, as is often the case with the GDPR, the analysis is context-dependent. For example:
- In Scenario 1, a company has limited policies and procedures in place for GDPR compliance and does not train employees on security. An employee accidentally sends a personal data file to an unauthorised third party.
- In Scenario 2, the same company has robust policies and procedures in place and trains employees on security (both when they join the business and thereafter on an annual basis). The same employee mistakenly sends the same file to a third party.
Organisations in the second bucket should feel comfortable in taking the position that their TOMs are sufficient — in this context, at least. Obviously if you have dozens of unforced errors it will make your position harder to sustain. And the Court is not saying that a fat-fingered email can *never* indicate that an organisation’s TOMs don’t meet the mark, but rather that this shouldn’t automatically be the conclusion. To compound matters, sending personal data accidentally to a third party can be a personal data breach — and a reportable breach, at that — for the purposes of Articles 33 and 34 of the GDPR, so it’s not a case of no foul, no harm.
The Court considered this issue in the context of an individual’s claim for non-material damages under Article 82 of the GDPR — an issue which has become increasingly common in the past year, including before the Court. But its analysis should arguably apply more broadly. So now is as good a time as any to accept what you cannot change (every possible instance of adverse processing), affect the things that you can (systems, policies, procedures and training), and know the difference between the two.