The Polish data protection authority’s first post-General Data Protection Regulation-era decision, and its first fine, raise questions about the GDPR's retroactive applicability, transparency, procedural justice and legal competence.
Business transparency versus privacy
The first two widely discussed GDPR decisions by the Polish DPA, the Prezes Urzędu Ochrony Danych Osobowych, concerns the data processed in or derived from Poland’s public registers, the National Court Registry (Krajowy Rejestr Sądowy) and Central Registration and Information on Business (Centralna Ewidencja i Informacja o Działalności Gospodarczej).
While both government-run registers contain data on businesses, there are many differences between the two. Most importantly, KRS contains mainly (though not exclusively) data concerning legal persons, like the company name, address and information on board and supervisory board members, while CEIDG shows data of so-called sole traders, people who conduct business under their own name, like plumbers, lawyers or doctors. CEIDG contains, among other information, the individual’s name and business address (which usually is their home address), and it may also include additional contact details, like email address and telephone number; owners, however, have the option to conceal that part of the register. What is more, sole traders are not legal entities under Polish civil law. There is a legal duality when it comes to sole traders, as they should be treated as businesses while conducting business activities, but they never lose their status as individuals.
What also makes this matter especially complex is that the transparency principle is at the heart of KRS and CEIDG data and is paramount to the system’s safety and stability, so, for example, when making a deal or signing a contract, you can quickly verify your partner, their power of attorney, etcetera (see another case concerning this issue).
Crunching the numbers
The first of the two decisions concerns the e-State Foundation, the entity processing KRS data. This ended up being a win for the data controller as PUODO stated there was no need to provide individual privacy notices to concerned individuals serving in any role for the legal entities.
This decision still left some privacy professionals baffled as to why PUODO did not verify GDPR’s applicability and consequently its own jurisdiction over the matter — Recital 14 of the GDPR states that these records are not to be granted the regulation’s protection at all.
The other case (of a business information agency) concerns a company providing business verification services. It relies heavily on the data from publicly accessible records. As the PUODO’s decision states, the controller holds more than 7.5 million records, which had been gathered for the last 25 years. The amount of the inflicted fine was $220,000 euros, approximately 1 million PLN.
The main reason for the punitive action was the failure to provide privacy notices described in Article 14 of the GDPR for most of the business owners. The controller decided only to send privacy notices to those who disclosed their email address (approximately 500,000 individuals). The controller also included information on its operations on the official website.
For those who disclosed only their phone number and all other sole traders (with only address available), the controller decided not to fulfill the obligation stemming from Article 14 of the GDPR via traditional post or phone, on the basis of that constituting a disproportionate effort, as described in Article 14(5b) of the GDPR.
During the proceedings, the company provided a fee estimate for the postal services — approximately 33 million PLN — which is close to its entire annual revenue. PUODO argued the estimate was flawed because the controller only verified the cost of a “premium” service that includes notice of receipt, deeming it unnecessary. Even so, a rough calculation would show that the standard letter would still cost at least 70 to 80% of the original price (my own calculation, as this was not even considered by PUODO).
There was also very little explanation as to why the effort to provide 6.5 million people with an individual privacy notice would not have been disproportionate and how to mitigate the alleged damage. Many regard this as a technical error sufficient enough to have the decision overruled. This is, however, not the desired result for academics, as not diving into the core issues will bring us back to square one; the court overruling the decision based solely on procedural arguments would simply order a re-examination of the case by PUODO.
Days of future past
Many of my Polish peers may remember that the level of protection granted to CEIDG data during the last 20 years was unstable, to say the least. The data protection case law was ever changing, and at one point, the Parliament added a provision to the Commercial Activity Act specifically stating the Polish Data Protection Act of 1997 was not applicable for the protection of CEIDG individual’s data.
In a 2013 landmark ruling, the Polish Supreme Administrative Court declared there was no obligation to provide the KRS individuals with privacy notices. As mentioned earlier, KRS does not contain contact details, which would have to be additionally gathered elsewhere. The court argued that a further invasion of privacy for the sake of delivering privacy notices is ill-advised given the goal of the data protection regulation. Many companies followed that ruling for most data derived from public registers. As these cases are not entirely similar, PUODO ignored any comparison.
It is, however, most interesting, in my view, that PUODO decided once more not to comment on the central issue — the GDPR's applicability, both materially and in time. Interestingly enough, both Recital 171 of the GDPR and the transparency guidelines endorsed by the EDPB dance around the subject with no straight answerer. And while PUODO hosted many seminars and issued few of its own guidelines, it refused to comment officially on how to treat the pre-GDPR processing operations. This resulted in constitutional concerns and the data subjects being flooded with the privacy notices in May. Many controllers decided not to take any chances with this ambiguity in the business information agency's case.
Procedural justice: A tale of two cities
What is also interesting is some EU DPAs' emerging practice of providing very little reasoning or calculation for the fine amounts in its decisions. When Google raised an issue with France's DPA, the CNIL, of there being no deliberations on the calculation, the CNIL replied that while it has to take Article 83 of the GDPR and its criteria into consideration, there is simply no need to rule on each one and write it all down. Both PUODO and the CNIL did not explain why exactly a fine in the amount of 1/30 or 1/1800 of the revenue or turnover is appropriate.
In Poland, writing things down is an issue of basic procedural justice, particularly as not doing so may hurt the ability to appeal. There is no place for a guessing game with a public authority.
Final arguments
When discussing the issue of disproportionate effort, some lawyers assert that the unbearable cost itself is no excuse for not fulfilling one of the top-priority obligations; meaning, that if you don’t have the necessary capital to adhere to the legal system in its entirety, there is no place for your business in it.
Others argue that the notion of disproportionate effort should not be based solely upon the cost, but upon the cost to potential adverse effect analysis. Therefore, one would treat the same economic parameters differently if, for example, sensitive data were involved, as the potential infringement would have been greater.
I believe there is some argument to be made regarding the need to revise privacy notices and even bring data subject’s attention to the new rights GDPR creates (Transparency guidelines, p. 5). This does not automatically translate to the DPA’s competence in terms of punitive action. It is worth remembering that while administrative sanctions differ greatly from the criminal ones, the basic theoretical standards are actually similar, with the nulla poena sine lege principle applicable for both (elegantly described by the Council of Europe here).
So, the issue of disproportionate punishment, alongside the question of PUODO’s competence to act, may be among the most prominent in this case.
Photo by Kamil Gliwiński on Unsplash