2019. 01. 28.

One year after the entry of the General data protection regulation in to force: fines for violations

After the end of the year, during which the EU General Data Protection Regulation was introduced (hereinafter referred to as the GDPR), it is appropriate to look at the past year to assess how one of the most frequently emphasized elements of the GDPR - the significant increase in fines - has manifested. So far, legal practice remains very limited, as a large part of the supervising institutions have declared their intention to educate and not to punish non-conformities, but individual cases give some impression of what to expect in the future.

Violation of data security

Germany Baden-Württemberg Supervisory Authority (Germ. Die Dienststelle des Landesbeauftragten für den Datenschutz und die Informationsfreiheit Baden-Württemberg , hereinafter - LfDI ) has allocated a fine of 20 000 euro for the chat website and app named Knuddels controller due to data theft, during which 330,000 unique user login information has been leaked and then publicized, including email addresses and passwords, as well as names (approximately 3280 cases) and / or residential addresses (about 2400 cases). More information was made public - about 808 000 e-mails and about 1 872 000 user names and passwords were disclosed, but maybe partly because of the long-lasting (already 19 years) Knuddels operation, the actual number of identified unique victims was lower.

In this case, the appropriate technical security measures were obviously not ensured, since user passwords were stored in a non-encrypted way - as simple text, which allowed hackers free access to the misappropriated data. The company immediately reported to the LfDI regarding the breach of data security, provided detailed information on the circumstances of the breach as well as on the implemented processing of personal data and its shortcomings. Within a few weeks of the hack being detected, the company has implemented measures to improve IT security and has taken further steps to improve security with LfDI. Transparency and exemplary cooperation with LfDI resulted in imposition of a relatively small (while taking in account the scale and seriousness of the infringement) fine.

This situation demonstrates why it is so important to respond to a data breach in a timely and effective manner. Although this does not always guarantee that you will be able to avoid a possible fine or disclosure of the situation, the consequences of the violation may be incomparably worse if you fail to report. 

Illegal video surveillance

The Austrian supervisory authority (Datenschutzbehörde , hereinafter referred to as "DSB" ) somewhat unexpectedly imposed its first fine not on a large corporation, but rather on an entrepreneur, who installed a video surveillance camera in front of his betting parlor. The infringement included two aspects - the camera's observation area covered a considerable area of the sidewalk in front of the company's premises, which was recognized by DSB as a large-scale monitoring of a public space, without a legal basis and accordingly unlawful under GDPR, and also found that the camera had not been properly marked, which led to the failure of implementing the transparency requirement. DSB imposed a fine of EUR 4 800 on the basis of the principle of proportionality, taking into account, among other things, the small annual turnover of the company.

In addition to this, biggest (but considered rather small) fine, DSB has imposed three more smaller fines for illegal video surveillance: a fine of EUR 1800 for a kebab kiosk owner, a fine of EUR 400 for a restaurant and a fine of EUR 300 for a person who illegally used a car video recorder.

The fines imposed by DSB may be relatively small, but are also related to video surveillance that is an especially widespread in practice in Lithuania, and should therefore encourage persons implementing surveillance to assess whether they do so in full compliance with the requirements, responsibly select the image field of their video surveillance, and provide appropriate video surveillance notifications. (consultation on proper informing can be found here ).

Improper technical and organizational security measures

The Portuguese supervisory authority (Port. Comissão Nacional de Proteção de Dados) (hereinafter referred to as "CNPD"), has imposed one of the highest fines in the European Union for the hospital of ( Centro Hospitalar Barreiro Montijo ), equal to EUR 400 000. For the sake of clarity, it should be noted that this amount consists of three fines for three distinct (albeit very closely related) violations.

The first violation, for which a fine of EUR 150 000 was imposed, was providing unrestricted access to personal data to an excessive number of users. An essential element of the violation was that there were 985 active users in the information system assigned to the "doctor's" group, although only 296 doctors were in hospital during the inspection. This situation has taken place both due to the mis-appointment of other employees to this group and the continued upkeep of the accounts of doctors, who no longer worked in the hospital. This is a violation of the fundamental principles of data processing and, in particular, of the principle of minimization.

The second violation, which also resulted in a fine of EUR 150 000, was a breach of integrity and confidentiality taking place due to inadequate technical and organizational measures to prevent unauthorized access to personal data. The key issue was the provision of unrestricted access to personal data for all employees, although these, especially technical staff, should only gain access to data in specific and defined cases.

The third violation, for which a fine of EUR 100 000 was imposed, was the inability of the hospital to ensure the continued confidentiality, integrity, accessibility and resilience of its systems and services, as well as the lack of adequate technical and organizational measures.

The investigation was initiated by the doctor's union (Sindicato dos Médicos da Zona Sul) publicly discussing the question of possibly improperly provided access rights. Initially, doctors tried to draw the attention of the hospital management, but after it has been ignoring the appeal and did not take action, they were forced to publicly disclose the situation and appeal to the concerned institutions. Considering all the circumstances, it can be concluded that not only the sensitivity of personal data was of great importance to the size of the fine, but also that the management of the hospital knew that the use of such an information system was in breach of the law, but still did not take actions to address systemic problems despite warnings from interested parties. The CNPD also considered the circumstance that it had become aware of an offense not from the hospital but through the media, which provided information int its publications, which later was confirmed by the CNPD investigation, to be a very important one.

It is an interesting circumstance, that this hospital is a public and not a private entity. In the context of Lithuania, it should be noted that while the Law on Legal Protection of Personal Data imposes a maximum fine (also taking into account such indicators as the current year budget and the amount of gross annual income received in the previous year) for a public authority or institution of up to EUR 60,000, but this restriction is not applicable to institutions and establishments engaging in commercial economic activities. This case should also encourage Lithuanian health care institutions to assess their situation and the compliance of their systems with legal requirements more carefully, although it is also necessary for legal entities in other areas to assess whether access to personal data is really provided to their employees only to the extent necessary to perform their work functions.

Transparency and consent to personalization of advertisements

The latest, and so far, the highest fine in the European Union, reaching as much as EUR 50 million, was issued by the French supervisory authority (French - La Commission Nationale de l'Informatique et des Libertés , hereafter - CNIL ), which was issued to Google LLC. The fine was imposed by CNIL due to the launch of an investigation into group complaints against Google LLC by associations “La Quadrature du Net" and "None Of Your Business", fighting to protect privacy. In both complaints, the associations criticized Google as having no proper legal basis for processing the personal data of their users, especially for the purpose of personalizing ads.

After the completion of its investigation, CNIL found that the information provided by Google did not meet the transparency requirements. Information provided to the users regarding essential aspects, such as the purposes of data processing, their retention periods and the categories of personal data, used to personalize ads is scattered through different documents. The CNIL has found that it takes several steps to reach all the necessary information, in some cases up to 5 or 6 steps. It has also been found that the information obtained even in this way, is not always clear and understandable, especially given the wide range of services provided by Google, it is too vague and of too generalized. Information on the fact that consent is the basis for the personalization of advertisements, rather than the legitimate interest of the company, was also not provided clear enough. Finally, certain personal data was not specified a retention period at all.

Another circumstance identified by the CNIL, that led to the imposition of a fine is the inappropriate receipt of consumer consent to the personalization of advertising. Firstly, consent is considered to be insufficiently informed because, as mentioned above, the required information is disseminated in different documents and is not sufficiently clear. Secondly, consent is given in a form that makes a user provide only one consent to the processing of all personal data by "Google", although consent is considered to be sufficiently specific only when it is provided separately for specific purposes. 

The amount of the fine for was determined by CNIL by assessing the gravity of the infringement, lack of "Google" compliance with the essential requirements of the GDPR, without ensuring transparency, proper information and consent receipt. It also takes into account the huge data flows, the ability to influence private life and the fact that the violations are continuous rather than one-off or limited. CNIL also pointed out that Google's business model is partly based on personalization of ads, so the company must adhere to the requirements associated with such activities.

Situation in Lithuania and what lies ahead of us this year

So far, the Lithuanian Supervisory authority, the State Data Protection Inspectorate, has remained faithful to its plan to initially orient its activities not towards fines, but to education and assistance to data controllers in their strive to comply with the changed legislation. Accordingly, in Lithuania, as in many other EU countries, there are currently no fines imposed under the GDPR.

The fine allocation cases described above, reveal a number of risks that need to be addressed, but it cannot really be argued that they present a clear and harmonized position on fines and their sizes. Trends, as well as a common supervisory institution practice at EU level will undoubtedly require more time. However, there is no doubt that during this year there will be even more fines found in the European Union countries, which will allow a gradual move in this direction.