Article 5.1.(e), which states personal data should only be retained long enough for the purpose for which it was collected. The GDPR’s Recital 39 further requires that data storage be “limited to a strict minimum” and notes that “time limits should be established by the controller for erasure or for a periodic review.”Domestically, this is mirrored somewhat in the text of the CCPA (as amended and expanded by the California Privacy Rights Act (CPRA)), which provides, under § 1798.100, that subject organizations must disclose how long the organization “intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period.” The current CPRA/CCPA regulations also consider record retention limitations, beginning with § 7001(o), where “Information Practices” includes the retention of personal information, and § 7002(a) and
§ 7002(d) both address how that retention “shall be reasonably necessary and proportionate.”
Why does it matter that the CPRA/CCPA seems to adopt GDPR sensibilities? There is a growing expectation that the CPPA, the enforcement body for the CPRA/CCPA, will evaluate these requirements according to how the GDPR’s similar requirements were enforced. Recent 2022 European fines and enforcement actions tell a compelling tale and should warn U.S. organizations accordingly. Among those actions, the following related to information governance and retention:
- The Hungarian Supervisory Authority imposed a fine of approximately €248,000 on internet and broadcasting service providers for the creation and lack of immediate deletion of a database test.
- The French CNIL imposed a €600,000 fine against an electric utility in France for, among other issues, retention compliance problems.
- The French CNIL imposed an €800,000 fine against a French VOIP company for retention compliance problems.
- The Italian Supervisory Authority imposed a €2 million fine on a social media network in part for retention compliance issues.
- The UK Supervisory Authority (ICO) imposed a fine of more than £7.5 million on a facial recognition company for, among other issues, lack of clear data retention policy documentation.
- The French CNIL fined the Trade and Companies Register €250,000 for issues relating in part to retention of data longer than applicable retention periods.
- The French CNIL fined a short-term vehicle rental company €175,000 in part for a lack of implemented proportionate data retention periods.