German ruling on anonymizing regulatory decisions may influence privacy watchdogs

German companies see increased chances of not being publicly named in decisions by data regulators after a recent case where a court told the Federal Network Agency shouldn't have named a company that it fined to prevent reputational damage.

The case started after the agency, known as BNetzA, issued a press release about a fine against a call-center operator for violating telecommunications laws. It named the company, which then filed a complaint saying that this would have a negative effect on its business.

In May, the Higher Administrative Court for North Rhine-Westphalia ruled that BNetzA should not have named the company, adding that this was a violation of fundamental rights.

The move raises the question of whether similar requests for anonymity, in particular in data protection cases, will also be successful.

Several German data protection authorities told MLex that they've noted the North Rhine-Westphalia court decision with interest.

DSK, Germany’s Conference of Independent Data Protection Supervisors of the Federal and State Governments — which comprises the country's 16 regional watchdogs as well as the federal authority — hasn't yet announced a position on this specific case. But MLex understands that the influential body, which issues nationwide guidelines to the country’s authorities, is discussing public warnings related to privacy issues.

Non-publication requests

A stocktaking exercise around Europe shows that regulators often receive anonymization or non-publication requests, although these are generally unsuccessful.

Even with the EU’s General Data Protection Regulation in place, it's up to national laws to say whether companies will be named in data protection authorities' fining decisions.

In the Netherlands, for example, companies occasionally ask the privacy regulator to redact decisions in such a way that the violation can't be traced back to the company, a spokesperson for the Dutch data regulator said.

In principle, the Dutch watchdog publishes all enforcement decisions. But there are exceptions.

Since May 2018, when the GDPR took effect, the Dutch authority has published two sanctions without naming the fined party, out of a total of 12 data protection fines.

In one of the cases — where a company illegally processed the fingerprints of its employees — it was because a judge ordered it to do so. In the other case, it was because the company bears the name of a person; that case involved an orthodontic practice with an insecure website.

“Disclosure is made to account for and publicize the way in which the [data protection authority] carries out its supervisory task. Great importance must therefore be attached to the public interest in disclosure,” a spokesperson for the Dutch watchdog said.

The view of the national regulator in Portugal, where the law says that in some situations a sanction can be made public, differs a little from the Dutch stance.

Disclosing the name is considered an additional penalty for the company when the fine is more than 100,000 euros ($120,000), a spokesperson for the Portuguese data watchdog said. Thus the majority of decisions made public by the authority need to be anonymized since they're below that amount.

“When a specific investigation or infringement is already public knowledge, the situation might be different because the reasons for not disclosing the information are overcome,” the person added.

The Belgian approach is similar to that of Portugal.

“Our policy is that we publish all decisions of the Litigation Chamber, but normally without the names of the parties, unless there are reasons to publish the names; mainly because taking out names would hinder our objective of transparency,” a spokesperson said.

The Belgian watchdog, which “regularly” receives requests for non-publication or anonymization, said that publication of a decision as a means for sanctioning is considered on a case-by-case basis.

“In practice, publication is rarely used as a sanction. The vast majority of our decisions are made public without identification of the parties,” the spokesperson said.

In two cases last year, however, the authority did mistakenly publish decisions that contained information about the company, which made it possible to track them down.

One of those involved a fine for telecom operator Proximus. The other, was a fine for Twoo, a dating website, where the decision obtained by MLex revealed the name of the company's data protection officer.

It remains to be seen whether more companies targeted by privacy watchdogs will take inspiration from the German ruling. But given Germany's pioneering role in data protection issues in Europe, companies elsewhere have nothing to lose if they call for similar anonymization moves.