It has been a year since Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data came into force, attracting attention everywhere, mainly because of the potential sanctions it implies. One year on, it is time to assess whether the worries of many have come true or have proven to be an unsubstantiated bogeyman. Besides the sanction amounts imposed, we will focus on the violations that led to the individual sanctions, as well as on the attitudes of the European supervisory authorities when imposing them.
Let us begin with some official statistics[1]. 11 EEA member states have imposed sanctions, totalling EUR 55 955 871. As many as 31 EEA member states registered 94 622 complaints from individuals, 64 684 notifications of personal data breaches to the supervisory authorities[2] and 47 020 other findings, totalling 206 326 cases of violation of the Regulation.
Here are some interesting decisions[3]:
- Violation of principles of integrity and confidentiality[4] (sanction of EUR 400 000)
At the request of the local association of physicians, the Portuguese personal data protection authority investigated personal data processing by one of the local hospitals. The inspection identified an inadequate and insufficient system for managing the processes related to patients' data. A total of 985 physician user accounts were active, even though only 296 physicians were employed at the time of the inspection. At the same time, the physicians had access to the personal data of the patients irrespective of their specialization. The decision has not yet become final.
- Failure to comply with the information duty[5] (sanction of PLN 943 000, i.e. EUR 220 000)
The Polish personal data protection authority imposed a fine on a controller that processed personal data from publicly available sources for commercial and marketing purposes, as well as for checking the credibility of data subjects. The reason for the fine was its failure to comply with its information duty towards the data subjects, which deprived them of the possibility to exercise their rights. It is interesting to note that the controller had sent e-mails to those data subjects whose e-mail addresses it held and had published the information on its website, arguing that sending written information to all the data subjects would require unreasonable effort; the authority, however, did not accept this as compliance with the information duty under Article 14 GDPR. In combination with the sanction amount, this has caused quite a stir among the public, as this is common practice in the field. The sanction amount was calculated based on the annual turnover of the controller, as well as on the fact that the controller had made no effort to prevent the violation of the provisions of the GDPR.
- Google[6] (sanction of EUR 50 000 000)
One of the biggest news items of the previous year was the decision of the French personal data protection authority in the case of the company Google LLC. The record sanction of 50 million euros was imposed for violation of the transparency principle, because the information provided about personal data processing was incomprehensible and some aspects of it were missing. At the same time, the authority found that the consents obtained by Google had been invalid, as they had not been informed consents and had not been obtained for a clear, specific purpose. The company has appealed against the decision, which has not yet become final.
- Leak of usernames and passwords[7] (sanction of NOK 1.6 million, i.e. EUR 170 000)
There was a leak of 35 000 usernames and passwords of employees and students of two schools from the municipal computer system in Bergen, Norway. Due to the insufficient technical and security measures in use, anyone had been able to log in to several information systems of the schools and gain access to various categories of personal data relating to students and school employees. This happened despite warnings about the insufficient security of the school system on several occasions. The Norwegian personal data protection authority imposed a sanction on the municipality, calculated based on the number of data subjects as well as on the insufficient security measures. The authority also took into account, as an aggravating factor, that most of the data subjects were children.
- Excessively long retention period[8] (sanction of DKK 1.2 million, i.e. EUR 160 754)
The Danish personal data protection authority recommended that the police impose a fine on a local taxi service (in Denmark, the authority does not impose sanctions directly but recommends that the police do so), as the taxi service, as the personal data controller, had processed the personal data of its customers for an excessively long time (5 years), whereas the data should have been deleted as soon as they were no longer necessary for the purpose for which they were collected. The authority based the sanction on the number of data subjects, who had made a total of 9 million orders/rides.
- Failure to report a security incident[9] (sanction of EUR 61 500)
The Lithuanian personal data protection authority imposed a sanction on a company operating in international payment services for violating Articles 5, 32 and 33 GDPR. There had been unauthorized access to the personal data the company processed, and the company, as the controller, failed to comply with its duty to report the breach. The inspection established that on 9-10 July 2018 all payment transactions of the bank's clients had been exposed: information on more than 9,000 payment transactions of clients of 12 global banks had been publicly accessible. As part of the inspection, the authority also established a violation of the data minimisation principle, as the company had been processing far more personal data than it had declared as part of its information duty. At the same time, the company violated the retention period it had set and declared, retaining the personal data for 216 days instead of 10 minutes. The supervisory authority based the sanction on the aforementioned violations, as well as on the insufficient technical security measures and the annual turnover of the company. The decision has not yet become final.
- Blacklist[10] (sanction of EUR 50 000)
The personal data protection authority in Berlin imposed a sanction on one of the banks for violation of Article 6 GDPR. Based on the available information, the bank had been processing the personal data of its former clients in order to create a blacklist of persons not allowed to open a new account with the bank. During the inspection, the bank claimed that it had merely introduced new measures to fight money laundering. However, the inspection found that the bank had blacklisted not only persons suspected of money laundering, but all of its former clients. The supervisory authority judged this practice inadmissible, pointing out that the personal data of former clients should have been deleted as soon as their intended purpose had been fulfilled. The bank promised to rectify the situation. The proceedings have not yet been finally concluded.
- Insufficient security measures[11] (sanction of EUR 50 000)
Several websites linked to the Italian political party Movimento 5 Stelle had been operated on a platform that the Italian personal data protection authority criticized for insufficient technical security, pointing to several cyber threats. The proceedings with the controller commenced in 2017, i.e. before the GDPR came into force, but the authority based its sanction on the GDPR, in particular because the provider had failed to implement the necessary changes and security measures properly and in time. User accounts and passwords, above all, were at risk. For these reasons, the authority imposed the sanction on the platform operator.
- Monitoring of public areas[12] (sanction of EUR 2 200)
The Austrian personal data protection authority imposed a sanction on a businessman from Styria who had a CCTV system installed in front of his company to monitor the public area outside (the pavement). The reason for the sanction (the amount of which was based on the businessman's annual turnover) was his failure to label the monitored area and to comply with his information duty.
Based on this overview, it is safe to say that the GDPR is no bogeyman. We should try to learn from the mistakes of others, focus on our weak spots in personal data processing and make our best effort to adopt technical and security measures.
Zuzana Krajčovičová
[1] http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf
[2] Procedure under Article 33 GDPR
[6] https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
[7] https://www.datatilsynet.no/en/about-privacy/reports-on-specific-subjects/administrative-fine-of-170.000--imposed-on-bergen-municipality/
[8] https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/mar/datatilsynet-indstiller-taxaselskab-til-boede-paa-1-2-mio-kr/
[9] https://www.ada.lt/go.php/eng/First-significant-fine-was-imposed-for-the-breaches-of-the-general-data-protection-regulation-in-lithuania/1