
More penalties for data breaches emerging under the General Data Protection Regulation (GDPR)

Following the entry into force of the General Data Protection Regulation (GDPR) in May of last year, penalties increased for failure to comply. Slowly but surely, instances of fines and other forms of penalties being imposed for violation of this regulation and related national laws have begun emerging.

Media attention on this topic peaked recently with the decision of the French Supervisory Authority (CNIL) to impose a fine of EUR 50 million on the internet giant Google for breaches regarding how consent is collected and the lack of ease and transparency for a user considering the company’s data collection policies. Here, the authorities emphasised that, whilst the breaches may be considered to have occurred on a cross-border basis, and despite Google’s headquarters being located in Dublin, the GDPR empowers the data authority considered the lead supervisory authority for the company in question to impose a fine proportionate to the size of the breach, even if the breach is not isolated to its own country. This allows a single fine to be awarded, instead of requiring victims to approach data authorities in multiple countries.

However, penalty awards have not been exclusive to the largest and most well-known organisations. For instance, a large fine was issued in Portugal in 2018 by the Portuguese National Commission Data Protection (NCDP), as reported by local news outlets, to a hospital for giving unauthorized staff unnecessary access to confidential patient data. Here, penalties amounting to a sizable EUR 400,000 were imposed on the grounds that the data breach represented a clear and serious violation of the requirements of data protection laws.

Then in November, the Data Protection Authority in Baden-Württemberg, Germany, imposed a fine of EUR 20,000 on the social networking platform Knuddels.de after a hacker gained access to the personal information of hundreds of thousands of users of the website. Here, the authorities considered the platform liable because the personal information, including passwords, had been stored in plain text. This was considered a violation of Article 32 of the GDPR, which requires that organisations which control or process data must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Whilst the breach was considered large, the fact that the platform’s response was deemed particularly cooperative and transparent by the authorities, and that the platform proceeded to quickly implement suitably stronger security measures, meant that a more moderate fine was imposed.

However, it is also notable that fines are not being issued only for instances of unauthorized data access. The first data protection law violation fine issued by the Austrian Data Protection Authority went to a small business in relation to its video surveillance activities. Here, a video surveillance camera installed in front of the business establishment also captured a large portion of the public sidewalk, thus violating the rules against unjustified monitoring of a public space. In this instance, the fine came to EUR 4,800, with the Austrian Data Protection Agency citing the small size of the company and the need for proportionality in awarding fines, even though under the GDPR fines can be up to EUR 20 million or 4% of the organisation’s annual global turnover.

These examples demonstrate that enhanced data protection laws have wide relevance to organisations, requiring reflection on a wide range of issues including employee permissions and activities, external interactions with customers, technical security of data and decisions on the collection and use of information. Furthermore, a range of factors are considered by the authorities when investigating a complaint, and evidence of attempts to comply with data protection requirements and principles, alongside a cooperative attitude and remedial actions, can have a large and positive impact.

Organisations and companies are thus strongly advised to ensure that they have an effective data protection strategy and system in place so as to minimize the risk of data breaches. At MKLaw, we have experience in implementing data protection packages as well as advising on specific instances regarding data protection law. If we can assist your organization in this area, please get in contact with us.
