Does your CRM comply with EU law?

On August 14th 2020, The Privacy Collective filed a class action lawsuit against Salesforce and Oracle in the UK and the Netherlands for the use of third party tracking technologies such as cookies, in breach of EU rules under the General Data Protection Regulation (2016/679) and the ePrivacy Directive (2002/58/EC). The cases (if successful) would be the largest class action cases ever in the UK and the Netherlands (expected to hit 10 Billion Euros in damages), to date and the first such class action cases under these laws.

The main basis for the claims stems from a judgment by the Court of Justice of the European Union (CJEU) in October 2019 often referred to as the Planet49 case (Case C-673/17) in which the Court clarified that the use of tracking technologies online is only lawful if opt-in consent has been obtained prior to the use of such technologies; which according to The Privacy Collective, is not the case in relation to Salesforce’s use of such technologies.

In another CJEU case from 2017 (Case C-40/17), the Court also ruled that an organisation which embeds third party technologies into their web sites or mobile applications has a joint liability for any unlawful processing of data by those third parties. It is important to note that under the General Data Protection Regulation, a data subject has the right to pursue legal action against any or all parties considered as Joint Controllers.

Further complications arise when considering yet another judgment from the CJEU this summer (known as the Schrems II judgment) in relation to sending personal data to the United States, a country which is deemed not to have an essentially equivalent level of data protection as the EU making it unlawful to transfer personal data relating to EU data subjects to the US or US companies.

Each of these cases illustrate why it is critically important for organisations to conduct thorough due diligence when choosing third party vendors for cloud based services such as a CRM. Failure to meet your legal obligation of due diligence creates very real risks of damage to your brand (in the case of choosing a vendor which is later determined to be processing data unlawfully) and legal liability as a Joint Controller for the actions of these vendors.

In addition to the above risks, the cost of having to move to a new vendor can be incredibly high in a time when budgets are already tight as a result of economic contraction due to the COVID-19 pandemic.

Furthermore, it doesn’t look as though legal actions in this space are likely to slow down in the near future – just last week, the French privacy regulator CNIL issued enforcement notices to Google and Amazon for 100M Euros and 35M Euros respectively for breaches of the same rules Salesforce and Oracle are alleged to have breached in the class action referenced above; this is the same regulator who just two weeks prior fined EU supermarket and bank Carrefour over 3M Euros for similar infringements.

In the experience of this author after working with hundreds of organisations over the last 12 years on privacy and data protection compliance – the most problematic vendors when it comes to compliance are CRM Services and Direct Marketing services which to date seem totally and wilfully ignorant as to their obligations under EU law.

Looking forward to 2021

Looking forward to 2021 it is likely that we will see increased focus on compliance issues both from a regulatory enforcement perspective and private litigation so the time for organisations ensure they review their compliance obligations is now, particularly in relation to the use of third party vendors with regard as to whether or not those vendors have any legal actions either ongoing or pending and whether or not the use of those vendors meet the requirements of EU Case Law – paying attention to the use of US cloud based services which as of the writing of this article, is not currently lawful.


About Alexander Hanff

Alexander is one of the most recognised faces globally when it comes to digital privacy and data ethics and is ranked by Politico as one of the most influential people in the world on the development of privacy and data protection law.

As a global faculty member at the prestigious Singularity University at the NASA Research Park in Silicon Valley and sitting as a regional faculty member at Singularity Nordic in Copenhagen – Alexander delivers dozens of seminars per year to the leaders of industry about the importance of data ethics.

As a lobbyist, Alexander has been instrumental in changes to EU law surrounding Data Protection and Privacy and is an expert advisor to the European Commission and European Parliament. Alexander’s work led to sweeping changes to the ePrivacy Directive in 2009, he was involved at every stage of the development of the General Data Protection Regulation and worked closely with the drafting team at the European Parliament on the upcoming ePrivacy Regulation.

He has a strong relationship with many institutions and regulators including the Federal Trade Commission, European Commission, European Data Protection Supervisor, European Parliament and other regulators across the globe and has given speeches from Beijing to Brazil.

Alexander also sits on a number of advisory boards for private companies and works as a senior consultant at Think Privacy. Clients love Alexander’s frank but clear approach to privacy and data protection issues and with a background in computer science, psychology, sociology and law – there are few with such a broad view or experience.

Twitter: https://twitter.com/alexanderhanff
LinkedIn: https://www.linkedin.com/in/alexanderhanff

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *