I sent two IT webshop companies an erasure request. I also informed them of a security vulnerability in the way they processed my invoices and I objected to them processing my invoice data in this way. The companies repeatedly refused to act on my GDPR requests and they failed to acknowledge the vulnerability. So I took them both to court.
This post is about two cases I brought regarding GDPR data subject requests against two fairly large Dutch IT webshop companies.
I had sent both companies an erasure request by email. While going through my old emails, I had also found that both companies used an inherently unsafe way of processing my – and likely other customers’ – invoices: these were made accessible through the companies’ websites using a link with two unique ID URL parameters and no proper access control. Despite having an account with both companies, I was not required to log in to access the invoice pages and my associated personal data. This effectively allowed unlimited, unauthorised access to my personal data: all a potential attacker needed was to enter the correct URL parameters, which could easily be found e.g. through a brute-force attack, snooping on public wireless networks or simply accessing the browser history. While I will likely never find out if an attacker actually exploited this vulnerability, it is clear that the security measures taken by the company to protect my invoices and personal data were insufficient. In my view, this constitutes a contravention of Article 5(1)(f) of the GDPR, which I informed both companies of in my emails.
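As an added illustration (not the companies' code, whose internals are not public), the following Python model contrasts an invoice endpoint of the kind described above, which serves any invoice to whoever supplies the two matching URL IDs, with a hardened version that requires a logged-in session and additionally checks that the session user owns the invoice; the handler names, ID formats and session representation are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    customer_id: str
    body: str


# Constructed sample data standing in for the webshop's invoice store.
INVOICES = {
    ("INV-1001", "CUST-42"): Invoice("INV-1001", "CUST-42", "invoice for customer 42"),
    ("INV-1002", "CUST-77"): Invoice("INV-1002", "CUST-77", "invoice for customer 77"),
}


def vulnerable_invoice_view(invoice_id: str, customer_id: str,
                            session_user: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """Models the flawed pattern: the two URL parameters are the only 'secret'.

    No login is required and session_user is ignored, so anyone who obtains the
    URL (browser history, an unencrypted network, guessing) gets the invoice.
    """
    inv = INVOICES.get((invoice_id, customer_id))
    if inv is None:
        return 404, None
    return 200, inv.body


def hardened_invoice_view(invoice_id: str, customer_id: str,
                          session_user: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """Requires authentication AND authorisation.

    A login requirement alone is not enough: a logged-in customer must also be
    refused other customers' invoices, so ownership is checked against the
    session. Missing and foreign invoices both yield 404 so the endpoint does
    not reveal which ID pairs exist.
    """
    if session_user is None:
        return 401, None  # not logged in
    inv = INVOICES.get((invoice_id, customer_id))
    if inv is None or inv.customer_id != session_user:
        return 404, None  # unknown or not owned by this user
    return 200, inv.body
```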
For this reason, I also sent both companies a restriction request for my invoices, which they are legally obliged to store for tax purposes, and I objected to these invoices being processed in any way other than to securely store them for this purpose. This objection, of course, also covered any transmission of these invoices through the companies’ websites.
Both companies refused to act on my GDPR requests, saying they were under a legal obligation to store invoices and referring me to their privacy policy (which only materially adds that they do not act on any erasure requests and supposedly store all personal data ‘securely’). I replied, warning them that the requirement to store invoices did not allow them to publish the invoices on their website and that this requirement did not have any relevance to the other personal data associated with my website accounts. Both companies then referred me to their initial reply and told me that I would not be receiving any further response from them. They also failed to even acknowledge the vulnerability I had informed them of.
Despite me then sending repeated emails warning them of my intention to complain to the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority (DPA), and to initiate court proceedings against them for a compliance order and compensation pursuant to Articles 79 and 82 of the GDPR, neither company sent me a further reply. So I submitted two complaints to the AP and separately proceeded to take both cases to court.
The Dutch court procedures for GDPR subject requests
In the Dutch implementation legislation for the GDPR, legislators have also provided a fairly simple route through which data subjects can specifically challenge non-compliance with their GDPR requests (Articles 15 – 22). Data subjects can challenge rejections of such requests within 6 weeks by submitting a petition to their district court, setting out the basic facts of the case and enclosing a copy of their GDPR request and the data controller’s response. There may be a formal hearing and, if appropriate, the court is then able to order the data controller to comply with the request pursuant to Article 79 of the GDPR. However, as part of this procedure, it seems that the court is not able to order the data controller to pay compensation; ordinary court proceedings would have to be started separately to obtain compensation.
Thus, I duly submitted two petitions (one for each data controller) to the court and paid the court fee of €309 for each. The hearing date was set for approximately 3 months after I submitted the petitions. My plan was to await the outcome of these two simple GDPR procedures with the aim of launching further court proceedings for compensation if I won.
Following my submissions to the court, I did not hear anything for two-and-a-half months. It was two-and-a-half weeks before the hearing when I received an email on behalf of both companies, which turned out to be affiliated. They acknowledged that they were, in fact, legally obliged to act on my requests and stated that they had now done so. They stated that they disagreed with my view that the invoices were inadequately protected and accessible to anybody with the relevant URL, but that they had nevertheless made it a requirement to be logged in to view invoices to add an extra layer of security. To me, this seems rather contradictory. Finally, they stated that they were happy to pay some of my court costs to settle the case. However, despite some negotiation attempts, they did not agree to pay my full court costs nor did they agree to pay me compensation for the distress they had caused me. So I let the cases proceed to the hearing.
The hearings for the two procedures ended up being amalgamated. Two of the companies’ senior executives turned up to represent the companies. The hearing became relatively informal with the judge predominantly taking a mediation role once the companies admitted that they should have complied with my requests. They tried however to put forward arguments to convince the court that it was unreasonable that I had pursued the case in this way. In particular, arguments they put forward included the following.
- The companies argued that I should have sent them a signed-for letter to their registered office address after my email requests were refused. However, Article 12 of the GDPR states that subject requests should be able to be made electronically, and the companies both included email addresses for such purposes on their websites. Furthermore, the companies had replied saying they did not intend to comply with my requests, meaning they were fully aware of them – they had simply failed to take appropriate organisational measures to properly comply with the GDPR.
- The companies argued that it was unfair that I had started two separate court procedures against the individual companies because both companies had the same owner. However, it was clear that the two companies were distinct legal entities with different names and addresses. Furthermore, both companies had their own separate webshop, with each company being the data controller for only their own webshop. The judge immediately interjected to point this out. I did not initially realise that they were affiliated companies, nor would it have made any difference in the legally sound way I had initiated the two procedures if I had.
- The companies argued that they had swiftly investigated and rectified the issues raised in these court procedures, implying that I had acted unreasonably by letting them proceed to a hearing. I argued that this was, of course, not entirely correct. Once they realised they were highly unlikely to win the cases, they tried to settle with me a whole two and a half months after the procedures were started, two and a half weeks before the hearing. They had also refused to cover my full court costs for the two procedures during our negotiations and they had refused to pay me a suitable amount of compensation (which I was of the opinion should be included in any full and final settlement for these cases). Furthermore, both their websites’ privacy policies still stated that they would not act on erasure requests at the time of the hearing (and indeed at the time of writing this post).
At the end of the hearing, it was pretty clear to me that the judge did not believe the companies’ arguments to have much, if any, merit or relevance to the outcome of the cases. The judge asked us if we were willing to reach a settlement agreement on the basis that the companies had complied with my GDPR requests and were to pay my full court costs. The companies stated that they had now complied with my requests and were happy to pay me the full court costs in full and final settlement of both cases. However, if I had agreed to this, it would have meant that I would not have been able to pursue further proceedings for compensation for the non-material damage I had suffered. I said I did not agree to the settlement being a full and final settlement unless further compensation was paid. Alternatively, I said I was willing to withdraw the two court procedures for the compliance orders on the basis that the companies had now complied with my requests and would pay my full court costs so far, in which case I was still able to start further court proceedings for compensation.
The companies opted to also pay compensation so the cases could be fully and finally settled there and then. We agreed on a suitable amount, the court clerk typed up our settlement agreement/consent order and we both signed it, after which the hearing ended. Despite there thus being no formal court ruling and judgment, I believe this outcome was the most favourable. After all, the court was not able to award compensation in these court procedures. By settling the case at this stage, I thus obtained all the remedies I had asked the court for in these procedures and also avoided having to start separate, more time-consuming proceedings for compensation arising out of the same matters.
My complaints to the AP
About two months after submitting the complaints, the AP informed me that they would not investigate one of them as it did not meet their prioritisation policy given I had started a court procedure, despite many of the issues I raised potentially affecting other customers of the company and being outside of the scope of the current court procedure. I immediately appealed against their decision and the outcome of this is pending. I was thus rather surprised when they later told me that the other complaint (against the other company) was being investigated, despite this being almost identical in substance. This investigation is still ongoing. Of course, the settlement for my civil cases does not in any way affect my right to complain to the AP or any of their potential investigations, sanctions or other procedures.
As the companies openly remarked during the court hearing, however, they are at most expecting a warning rather than any proper sanction from the AP. Perhaps this remark illustrates why it is important to take such cases to court yourself where appropriate, as all data subjects have a legal right to do. In my experience, some data controllers do not tend to worry much about a DPA investigating and imposing sanctions: they treat GDPR compliance as an inconvenient afterthought as a result. Taking them to court forces them to take notice.