Big companies are winning appeals to overturn regulatory decisions that allege they violated European privacy rules, potentially carving out a path for more businesses to challenge similar sanctions.
Courts in the U.K., Spain, Italy and Germany sided with companies including
com Inc. and Italian energy giant
SpA in recent rulings, in some cases striking down multimillion-dollar fines and reaffirming companies’ arguments that their data practices comply with the General Data Protection Regulation.
Companies have appealed GDPR decisions since the expansive privacy law took effect in 2018 in an effort to fight reputational harm and large fines, which can reach up to 4% of a company’s global revenue, or 20 million euros, whichever is higher. Now companies see entire business models at stake. Meta Platforms Inc., for example, said it is appealing fines of €390 million, or $414 million, imposed in Ireland in January over the social-media company’s practices in targeting Instagram and Facebook users with ads.
“We’re starting to see the through line of companies starting to pick their battles and spend the time and effort on the appeals they think they can win and would have an effect on their business models,” said Edward Machin, a lawyer in the London office of law firm Ropes & Gray LLP.
Appeals of major GDPR decisions show a significant amount of “gray area” where privacy lawyers, regulators and courts disagree over what the law allows, said Flora Egea Torrón, a partner at Spanish law firm Legal Army S.L. and former data-protection officer at Banco Bilbao Vizcaya Argentaria SA.
is a multinational financial-services company.
“There’s so much room still to interpret GDPR, so that’s why [companies] have to fight against the decisions” from regulators, she said.
A Spanish court overturned a 2020 fine of €5 million against BBVA related to multiple complaints of the bank processing personal data without consent. The court decision, issued in late December and made public this year, said Spain’s regulator made a broad argument about the bank’s data-protection policy without enough evidence.
Ms. Torrón said she was aware of the appeal while she worked at BBVA but wasn’t involved as an outside counsel after joining Legal Army in February. The regulator said it is considering an appeal. BBVA declined to comment.
An Italian court last month overturned a €26.5 million fine from 2021 against utility Enel Energia over unsolicited marketing calls—a ruling the company said “confirms the correctness” of its behavior. The Italian regulator declined to comment.
Last month, a U.K. court largely sided with Ireland-based credit-rating company Experian in its appeal of a 2020 decision made by Britain’s privacy regulator that would have restricted how it processes data from public sources.
The court said Experian’s data collection can rely on legitimate interest, a legal term in the GDPR allowing companies to gather personal data without asking for explicit consent, for direct marketing. The court rejected the regulator’s argument that collecting personal data to create profiles for marketing purposes intrudes on privacy rights. The court said the regulator had “fundamentally misunderstood” the implications of how Experian used data, and that there were no negative effects for individuals. Britain’s privacy watchdog will apply for permission to appeal the ruling, a spokeswoman for the regulator said.
The court didn’t completely exonerate Experian, agreeing with the regulator that the company didn’t properly notify around five million people about how it acquired their data from public records. Experian must issue those notifications within a year.
Experian said in a statement that it was “very pleased with the outcome.”
Amazon got a win when a court sided with it last month against the data protection regulator in the German state of Lower Saxony, which ruled in 2020 that the company’s use of hand scanners to monitor employee performance in a warehouse was illegal. There was no fine. The regulator said in a statement after the court overturned its decision that lawmakers need to create new protections.
An Amazon spokesman said the company was “pleased” with the ruling. “Warehouse management systems are industry standard, and research shows that these systems have a positive effect on employees’ work experience,” he said.
These recent wins will likely embolden other companies to appeal GDPR violations, said Mr. Machin of Ropes & Gray.
“There’s a strategic element here as companies are learning, just as regulators are learning, what can work, what can’t work and what they think can be challenged,” he said.
Write to Catherine Stupp at email@example.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8