What the Latest GDPR Fines Reveal Regarding Authorities' Perspective


In spite of the quiet start to enforcement of the European Union General Data Protection Regulation (GDPR), the pace of fines issued under the regulation has increased drastically in recent months. We take a look at some of the European authorities' most notable decisions and the key takeaways for organizations within those jurisdictions' purview.

France: Google fined €50 million

The French Data Protection Authority (CNIL) fined Google €50 million for a lack of transparency, inadequate information and the absence of valid consent with respect to the personalization of adverts on its platform. The level of CNIL's fine was determined by the intrusive nature of Google's data handling, as well as the central importance of the GDPR provisions concerned. Although Google has appealed the decision to the Conseil d'État (France's highest public law court), the overall takeaway, especially for technology organizations providing complex online services, is that there is a fine line between providing sufficient information to meet the GDPR's information requirements and providing so much, or such scattered, information that the principle of transparency is undermined. To strike this balance, organizations should ensure that all relevant processing information is contained in one document; specify which processing is based on consent and which on legitimate interests; avoid pre-ticked boxes; and obtain consent for each specific purpose rather than for all purposes together.
Austria: compensation for immaterial damages

A couple of months ago, the Regional Court of Feldkirch awarded compensation for immaterial damages for a GDPR breach for the first time in Austria, after finding that Austrian Post had violated the regulation by collecting and storing data relating to the "political affinities" of approximately 2.2 million Austrian customers. The court held that compensation was warranted given the highly sensitive nature of the data, with damages amounting to €800 in the specific case. Although the decision is not yet final, it serves as a warning to companies that any individual who has suffered material or immaterial damage as a result of a GDPR violation is entitled to compensation, and other jurisdictions may follow the Austrian court's approach.

Greece: PwC fined €150,000

In Greece, the Hellenic DPA has likewise entered the fray, issuing a €150,000 fine against PwC for GDPR breaches relating to the unauthorized processing of employee data. The authority held that PwC's choice to process employees' personal data on the legal basis of consent was inappropriate since, under the GDPR, consent must be freely given, and this is rarely the case in the context of employment. The Hellenic DPA found that not only was the choice of consent as the legal basis inappropriate, but PwC had in fact been processing the data on a different legal basis that had not been disclosed to its employees. The substantial fine imposed by the Hellenic DPA is a clear reminder that employers can only process data on one of the legal grounds set out in the GDPR. In most cases, consent will not hold up under scrutiny, as employees are unlikely to be able to exercise free choice given the power imbalance in the employment relationship. Moreover, every stage of data processing should be transparent to the data subject; employers must therefore do everything in their power to ensure that the legal grounds for processing are made clear to employees.

Germany: mega-fines under a new calculation model

German Data Protection Authorities (DPAs) also seem to be following in the footsteps of the CNIL. A couple of months ago the Berlin DPA announced its willingness to impose multi-million-euro fines for data breaches under the GDPR. Although the specific details of the Berlin DPA's investigation have not been released, public information reveals that the authority based its calculation of the reported fine on a new model, which involves, among other things, multiplying a daily rate (determined by the company's aggregate global revenue) by the severity of the infringement and its consequences, then accounting for mitigating factors such as a swift response to the breach and the company's willingness to co-operate with the DPA. Considering that, up to June 2019, the 75 fines imposed under the GDPR in Germany amounted to only €449,000 in total (the largest single fine being €80,000), the Berlin DPA's decision marks a dramatic increase in the scale of such penalties in the country.
As such, companies should be reviewing their data protection processes, as failure to comply with the GDPR may result in more than a slap on the wrist.

Sweden: first fine issued to local school

A couple of months ago, the Swedish DPA issued the nation's first GDPR fine to a local high school for its use of facial recognition technology. The authority held that the technology, which was used to monitor student attendance, was excessively intrusive, and that the permission obtained from students did not constitute GDPR-compliant consent because it was not freely given. Additionally, the school had failed to carry out the required documented data protection impact assessment. However, given that the technology was only used for three weeks to monitor 22 students, the DPA held that a modest fine of SKR 200,000 (approximately €19,000) was sufficient for the school, and any onlookers, to learn its lesson. Despite being Sweden's first GDPR fine, it seems that the DPA may simply have been testing the water. Whether it will need to wade any deeper soon remains to be seen.


United Kingdom: ICO announces the biggest fines to date

In sharp contrast to Sweden's modest first fine, the United Kingdom has made headlines in the past few months for issuing the biggest fines under the GDPR to date. In July 2019, the Information Commissioner's Office (ICO) announced that its first GDPR monetary penalty would be issued to British Airways (BA), following an investigation into a cyber-incident in which users of the BA website were diverted to a fraudulent website, where their details were harvested by spammers. Given the severity of the breach, which affected around 500,000 BA customers, the ICO announced that the organization would be fined €183.39 million (roughly €204 million), 1.5% of its worldwide annual turnover, for security failures under the GDPR. Although this is still considerably less than the maximum available GDPR fine of 4% of worldwide annual turnover, and the exact details of BA's violation are yet to be released, the ICO's decision makes a loud statement: the United Kingdom authorities will not be holding back like other jurisdictions, and cybersecurity will be held in high regard. As such, companies should be wary of complacency when it comes to data protection, as an unexpected cyber-attack may have serious financial consequences. To reinforce this point, the ICO released a second statement the following day, announcing that it would also be fining hospitality company Marriott International €99 million (approximately €110.4 million) for similar security failures. In this case, an ICO investigation revealed that the personal data of 30 million Marriott International guests, including their names, postal and email addresses, phone numbers, passport numbers, dates of birth, gender, and encrypted payment card numbers, had been compromised.

The ICO's message at this point is clear: companies must ensure that their information security is in order, and review and update it on a regular basis, if they want to avoid significant penalties. However, there is a danger that by making an example of two high-profile organizations, the ICO has set an uncomfortably high standard and runs the risk of smaller companies in similar positions failing to report data breaches for fear of uncompromising fines.

To comply or not to comply: there is no question

Understanding how the ICO calculated these penalties will be key if the UK office is to guide the level of fines issued under the GDPR in future. While the exact details of both cases are yet to be released, the United Kingdom seems to be paving the way for authorities in other jurisdictions to up the ante when it comes to penalizing companies for GDPR breaches, and the recent ICO decisions may act as a precedent for supervisory authorities in similar cases. Although there has been no significant enforcement concerning businesses outside Europe, it has taken only 12 months for European Union authorities to start cracking the whip. As such, companies with a lax compliance plan should not bank on the fact that they have made it through unscathed thus far. If the latest mega-fines are anything to go by, the size of the risk is only likely to increase. Therefore, companies should review their data protection processes regularly and ensure that they have the appropriate technical, organizational and security measures in place to minimize the risks to all forms of security.

