First GDPR fines – what we know so far
January 29, 2019
Eight months have just passed since the GDPR entered into force. Corporate governance teams across Europe and overseas invested substantial time and resources preparing for the new regulation.
The financial repercussions for mishandling data are now much higher than ever before. For instance, in the UK, the previous maximum penalty available to the Information Commissioner’s Office (ICO) was £500,000. Now, businesses can be fined up to €20 million or 4% of their revenue, whichever is higher.
As the first GDPR fines come through, here is an overview of the penalties that regulators have imposed, or are considering imposing, on organizations that have allegedly breached the regulation:
- Germany – Knuddels.de (€20,000)
The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) was the first German data protection authority to impose a fine under the GDPR. Personal data of approximately 330,000 users of a chat platform were compromised and then made publicly available by hackers in September 2018. As part of the data breach notification, the provider disclosed that the users’ passwords had been stored unencrypted, in plain text. The authority considered this a violation of the obligation to implement adequate security measures (Article 32 GDPR) and imposed a rather modest fine of EUR 20,000. According to the LfDI, the company’s very strong cooperation and its willingness to implement the LfDI’s guidelines and recommendations were viewed favorably when calculating the relatively low fine.
- Austria – retail entrepreneur (€4,800)
The entrepreneur installed a CCTV camera in front of his outlet that recorded a large part of the sidewalk outside. The Austrian Data Protection Authority (DSB) held that large-scale surveillance of public spaces contravenes GDPR rules, as no legitimate interest of companies (or entrepreneurs) in putting public spaces under CCTV surveillance was recognized. Moreover, the video surveillance was not sufficiently marked, violating the transparency obligation under the GDPR. Taking into account the annual income of the entrepreneur, the Austrian DPA imposed a fine of EUR 4,800 for illegal video surveillance activities.
- Portugal – Central Hospital of Barreiro Montijo (€400,000)
After carrying out an inspection at a Portuguese hospital, the Portuguese Data Protection Authority (CNPD) fined the hospital for allowing too many employees to access patient records. The health facility has fewer than 300 doctors, yet 985 active accounts had the same level of access to sensitive data as medical practitioners. Doctors also allegedly had unrestricted privileges to view all patient files regardless of their specialty. Media reports suggested the hospital was appealing the fine, arguing that it was not responsible for these deficiencies because it used the IT system provided to public hospitals by the Portuguese Health Ministry. However, the Portuguese DPA still decided that it was the hospital’s responsibility to ensure that adequate security measures were implemented, and imposed a fine of EUR 400,000 on the hospital.
- UK – Marriott International (TBC)
Earlier this month, Marriott International revealed hackers gained access to approximately 500 million guest accounts. Nearly two-thirds of those affected may have had passport numbers, emails, dates of birth and mailing addresses stolen. The hotel giant has also been unable to rule out the possibility that credit card data was leaked as well. Marriott has informed the ICO of the incident, which could fall under the most serious category of breaches. The company reported $22.9 billion of turnover in 2017, meaning a 4% fine would cost $916 million.
- France – Google (€50,000,000)
The French agency, CNIL, ruled that Google had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalization. Acting on a complaint from NOYB and French group La Quadrature du Net, the authority said it had investigated the process for setting up a Google account from an Android device and concluded that Google had breached the General Data Protection Regulation in two ways: by failing to meet transparency and information requirements and failing to obtain a legal basis for processing. As a result, CNIL ordered Google to hand over €50m, due to “the severity of the infringements. […] The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
The first fines under the GDPR reveal a measured approach to enforcement. Rather than imposing a large number of fines for non-compliance with new GDPR requirements, the data protection authorities have focused on a small number of cases where basic requirements were not met. We will certainly see more fines imposed in 2019, and organizations will likely need to reevaluate their GDPR compliance levels.