Since the EU General Data Protection Regulation (GDPR) became effective on May 25, 2018, companies have been concerned with the potential size of the fines that could be issued. Now that the first fines have been issued, we can begin to assess what the enforcement landscape will look like going forward.
Article 83 of the GDPR authorizes data protection authorities (DPA) in EU member states to impose administrative fines of €20 million or 2% of a company’s worldwide revenues, or for more serious violations, €40 million or 4% of a company’s worldwide revenues, whichever is larger. Notwithstanding that potential, Article 83 requires fines in each case to be “effective, proportionate and dissuasive.” While DPAs across the EU have tried to assure the public that they are not anxious to impose large fines, companies have been anxiously awaiting what DPAs would do in practice.
In an interview published on October 9, 2018, European Data Protection Supervisor Giovanni Buttarelli predicted that DPAs would issue fines before the end of the year. He was absolutely right. Over the past three months we’ve seen the first fines issued under the GDPR. So far it looks like DPAs are being true to their words.
The first fine was imposed in Austria before Mr. Buttarelli made his comments. It is a good illustration of the reach of the GDPR.
In September 2018, the Austrian Data Protection Authority fined the owner of a betting shop because the shop’s camera, trained on the entrance, also captured the sidewalk in front. The Austrian DPA determined that this violated the GDPR because such monitoring of public space is not allowed. The amount of the fine was €4,800 plus legal costs. The Austrian DPA acknowledged that the GDPR allows larger fines to be imposed, but noted that fines must be “proportionate.”
The largest fine I’m aware of was issued against a hospital in Portugal. On October 22, 2018, the Centro Hospitalar Barreiro Montijo near Lisbon stated that it would challenge a €400,000 fine imposed for two violations of the GDPR. Portugal’s National Data Protection Commission determined that patient information was inappropriately accessible by non-medical staff. That violation drew a €300,000 fine. The second violation, for which the hospital was fined €100,000, concerned its inability to “ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services.”
Most recently, the German chat platform Knuddels.de was fined €20,000 in connection with the breach of user passwords in July 2018. Knuddels unfortunately stored user information and passwords in unencrypted plain text. This allowed hackers to obtain as many as 808,000 user email addresses and 1,872,000 user pseudonyms and passwords, 330,000 of which were subsequently published on the Internet.
Knuddels’ handling of the event appears to have affected the amount of the fine. The Baden-Württemberg Data Protection Authority noted the company’s swift and comprehensive communication to its users and its transparency and cooperation with the DPA. Those facts, combined with improvements in data handling, led the DPA to impose a fine less harsh than it might otherwise have been. The DPA stated that it “is not interested in entering into a competition for the highest possible fines. In the end, it’s about improving privacy and data security for the users.”
The fines issued so far begin to tell us about how DPAs will enforce the GDPR.
DPAs have made it clear that they intend to enforce every aspect of the GDPR. The Austrian DPA’s focus on a camera covering too much of the sidewalk sends a strong message that all businesses need to be aware of their obligations under the regulation, and that non-compliance with any part can be costly.
The Austrian fine also demonstrates that DPAs are concerned with violations by businesses of all sizes. While one might expect DPAs to focus their attention on larger companies, they obviously are looking at all businesses regardless of size.
Conscientious responses to data compromise events will be rewarded by DPAs. The Baden-Württemberg DPA’s complimentary comments about Knuddels and statement about the purpose of enforcement being to improve privacy and data security strongly suggest that DPAs intend to use fines to guide companies’ conduct and to penalize them only to the extent necessary.
DPAs take seriously the requirement that fines be proportionate. Depending on the size of the Austrian betting shop’s business, the €4,800 fine issued by the Austrian DPA arguably is relatively modest, and seems to reflect the relatively minor violation committed by the shop. If we use the Austrian fine as an informal benchmark, given the size of the Knuddels breach one might have expected the fine to have been much greater than €20,000. The limited fine suggests that DPAs won’t focus solely on what happened, and that they will also look at a company’s actions after a cyber event to determine proportionality. While I don’t have information about how the fines against Centro Hospitalar Barreiro Montijo were calculated, it isn’t difficult to imagine that the Portuguese National Data Protection Commission believed that indiscriminate access to patient health records required a stiff response.
Looking forward, the number of fines is certain to grow in the coming months. EU DPAs are receiving significant numbers of complaints. The UK has received the largest number of complaints, and it may be the jurisdiction to watch in the short term.
Although no fine has been issued yet, the UK Information Commissioner’s Office (ICO) notified AggregateIQ Data Services, Ltd. (AIQ) on July 6, 2018 that the company’s handling of UK voter information violated the GDPR. Pro-Brexit groups retained AIQ to profile and target voters in connection with the 2016 Brexit referendum. (AIQ has also been linked to Cambridge Analytica, which gained notoriety for its misuse of Facebook data and its work for Donald Trump’s presidential campaign.) In May 2018 the Canadian company confirmed to the ICO that it continues to hold information on UK citizens and that the information had previously been accessed by a third party without authorization. The ICO’s notice states that it may impose a fine of €20 million or 4% of AIQ’s worldwide revenues, whichever is larger. AIQ is challenging the ICO’s determination, so it remains to be seen what fine (if any) will ultimately be imposed.
The well-publicized data breach at British Airways will be an excellent test case. The breach of more than 550,000 passenger records and payment cards is a significant event. The airline has been diligent about notifying affected individuals and has notified the ICO as required by the GDPR. If the ICO shares the views of others that British Airways has responded well to the event, it will be very interesting to see whether any fine issued is broadly consistent with the €20,000 assessed against Knuddels.
I would be remiss if I ended this post without touching on whether GDPR fines are insurable. Unfortunately there is no clear answer. As one of my colleagues noted in an earlier article, there are a number of factors that will be taken into account when answering the question. While one report expresses the view that GDPR fines are insurable in Finland and Norway (Finland’s Financial Supervisory Authority recently reached a different conclusion), I share my colleague’s view that until insurability has been expressly addressed in a jurisdiction, it is safest to assume that the fines are not insurable.
Should GDPR fines prove to be insurable, there will likely be no shortage of insurance solutions to cover them.