DLA Piper GDPR fines and data breach survey: January 2021

“Regulators have been testing their new powers this year, issuing EUR158.5m (USD193.4m / GBP142.7m)[4] in fines since 28 January 2020. But they haven’t had it all their own way, with some notable successful appeals and large reductions in proposed fines.”

[1] This publication has been prepared by DLA Piper. We are grateful to Batliner Wanger Batliner Attorneys at Law Ltd., Glinska & Miskovic, Kamburov & Partners, Kyriakides Georgopoulos, LOGOS, Mamo TCV Advocates, Pamboridis LLC, Schellenberg Wittmer Ltd and Sorainen for their contributions in relation to Liechtenstein, Croatia, Bulgaria, Greece, Iceland, Malta, Cyprus, Switzerland, Estonia, Latvia and Lithuania respectively.
[2] The EEA includes all 27 EU Member States plus Norway, Iceland and Liechtenstein.
[3] The UK left the EU on 31 January 2020. The UK has implemented GDPR into law in each of the jurisdictions in the UK (England, Northern Ireland, Scotland and Wales), which as at the date of this report is the same in all material respects as GDPR.
[4] In this report we have used the following exchange rates: EUR1 = GBP0.9 / USD1.22.

Summary and key findings

Significant increase of breach notifications

It has been more than two and a half years since GDPR first applied on 25 May 2018. For the period from 28 January 2020 to 27 January 2021 there were, on average, 331 breach notifications per day (a 19% increase on the previous year’s average of 278 notifications per day), so the current trend for breach notifications continues to see double-digit growth.

Testing new powers and successful appeals

The supervisory authorities responsible for enforcing GDPR[5] have not been idle; some notable fines have been imposed relating to a wide variety of infringements. The UK left the EU on 31 January 2020.
The UK’s supervisory authority, the Information Commissioner’s Office (ICO), has, however, been active, issuing several large fines. Regulators have been testing their new powers this year, issuing a total of EUR158.5m (USD193.4m / GBP142.7m)[6] in fines since 28 January 2020. But they haven’t had it all their own way, with some notable successful appeals and large reductions in proposed fines.

The Austrian supervisory authority had a bad end to the year when its headline EUR18m (USD22m / GBP16.2m) fine imposed on Austrian Post was overturned by the Austrian Federal Court on 2 December 2020. Similarly, the two fines issued by the ICO in the UK were reduced from the originally proposed GBP189.39m (EUR210.4m / USD256.7m) and GBP99.3m (EUR110.3m / USD134.6m) to GBP20m (EUR22.2m / USD27.1m) and GBP18.4m (EUR20.4m / USD24.9m) respectively. In percentage terms, the reductions secured were 90% and 80% of the originally proposed fines. The ICO noted in its final penalty notices that the originally proposed fines had been discounted in part in light of the financial hardship caused by COVID-19. Nevertheless, it evidently pays to appeal and to mount robust challenges to proposed regulatory sanctions.

[5] All references in this report to infringements or breaches of GDPR are to findings made by relevant data protection supervisory authorities when issuing fines. In a number of cases, the entity subject to the fine has disputed these findings and the penalty notices are subject to appeal. DLA Piper makes no representation as to the validity or accuracy of the findings made by relevant supervisory authorities.
[6] Not all supervisory authorities publish details of fines. Some treat them as confidential. Our report is, therefore, based on fines that have been publicly reported or disclosed by the relevant supervisory authority. It is possible that other fines have been issued on a confidential basis.

Highest individual fine league table
#1 France’s data protection supervisory authority, the CNIL, retains pole position, having fined Google Inc EUR50m (USD61m / GBP45m) in January 2019 for breaching GDPR transparency requirements, and for failing to have an adequate legal basis for processing in relation to personalised advertising (breach of Articles 6, 12 and 13 GDPR).[7]

#2 The Hamburg data protection supervisory authority is in second place, having fined a global retailer EUR35.26m (USD43m / GBP31.7m) in October 2020 for failing to have a sufficient legal basis for processing (breach of Articles 5 and 6 GDPR).

#3 In third place, Italy’s data protection supervisory authority, the Garante, fined a telecommunications operator EUR27.8m (USD33.9m / GBP25m) in January 2020 for a number of breaches of GDPR, including breaches relating to transparency obligations, failing to have a sufficient legal basis for processing personal data, inadequate technical and organisational measures, and breach of the principle of privacy by design (breach of Articles 5, 6, 17, 21 and 32 GDPR).

[7] The CNIL was in the news again in December 2020, having imposed another fine on Google entities for a total of EUR100m. However, these fines related to alleged violations of e-privacy laws rather than GDPR infringements, so they are not included in the metrics in this report.
[8] The European Data Protection Board is made up of representatives from all 27 EU Member States and the European Data Protection Supervisory Authority. The supervisory authorities of the EFTA EEA States are also members with regard to GDPR-related matters (without the right to vote or be elected as chair or deputy chairs).
[9] Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18).
In the rankings of the total value of all GDPR fines issued to date, the data protection supervisory authority in Italy tops the table, having imposed fines totalling EUR69,328,716 (USD84,581,033 / GBP62,395,844). The data protection authorities in Germany and France are in second and third place with fines totalling EUR69,085,000 (USD84,283,700 / GBP62,176,500) and EUR54,436,000 (USD66,411,920 / GBP48,992,400) respectively.

Total amount of fines

Last year, the total (reported) fines for the full 20-month period since the introduction of GDPR on 25 May 2018 was just over EUR114m (USD139m / GBP103m), which we noted in our previous report was quite low, given that supervisory authorities enjoy the power to fine organisations up to 4% of their total worldwide annual turnover for the preceding financial year. The total (reported) fines since 25 May 2018 has more than doubled to just over EUR272m (USD332m / GBP245m), with EUR158.5m (USD193.4m / GBP142.7m) over the last 12 months alone, a 39% increase on the previous 20-month period since GDPR came into force.

Many open legal questions

There are many open legal questions relating to GDPR, including whether fines should be assessed against the consolidated global revenue of the organisation being fined, or just against the revenue of the specific legal entity responsible for the infringement. The clear intent of the non-legally binding recitals in GDPR supports the former broad interpretation, which is also supported by the influential European Data Protection Board.[8] However, the legally binding articles of GDPR conflict with the recitals and appear to limit the assessment of fines to the revenues of the specific entity being fined. This is a critical point of interpretation, as it potentially significantly limits the maximum fine that regulators can impose under GDPR.

[10] See https://noyb.eu/en/101-complaints-eu-us-transfers-filed
It is also open to interpretation whether fines for breach of Article 5(1)(f) and Article 32 (the integrity and confidentiality principle and the related requirement to ensure the security of processing personal data) should be capped at 2% or 4% of total worldwide annual turnover. Having considered this issue when imposing two headline-grabbing fines last year, the UK ICO concluded in its penalty notices that the higher 4% maximum fine applied to breaches of security. That said, this is far from being settled law, and we expect the point to be argued in future appeals of fines, given the significant amounts involved.

The many open legal questions and uncertainties in the interpretation and application of GDPR perhaps explain, in part, why the fines imposed to date by supervisory authorities have been at the lower end of the scale of potential maximum fines.

As was the case in last year’s report, fines certainly aren’t the only exposure for organisations that fall short of GDPR’s exacting requirements. The continuing fallout of the Schrems II[9] judgment, handed down in July 2020 by Europe’s highest court, is a reminder of the broad range of other sanctions supervisory authorities can impose. Maximillian Schrems has, through his organisation My Privacy is None of Your Business, issued 101 complaints to lead supervisory authorities.[10] These complaints demand, in addition to fines, the immediate suspension of alleged illegal transfers of personal data from the EU to third countries. There is also an increased risk of “follow-on” compensation claims, including US-style “opt-out” class actions in a number of EU Member States and the UK, fuelled by billions of euros invested in litigation funds looking for claims to support.
Commentary

Some things stay the same

A recurring theme of the three DLA Piper GDPR reports issued to date is that there has been little change at the top of the tables regarding the total number of data breach notifications made since GDPR came into force on 25 May 2018 and during the most recent full year from 28 January 2020 to 27 January 2021. The Netherlands, Germany and the UK retain the top three rankings in both tables, albeit that Germany now takes pole position.

There has been some movement at the top of the weighted breach notifications per 100,000 capita table: Denmark now takes the top spot (up three places from last year’s report), with the Netherlands and Ireland in second and third places. Italy continues to sit near the bottom of the population-weighted breach notification table. With a population of more than 62 million people, Italy has recorded only 3,460 breach notifications since GDPR came into force on 25 May 2018, ranking second from last on the population-weighted breach notification table.

The story regarding fines is similar, with notable variations in the total value of fines imposed by each country surveyed. These wide variations illustrate that, although data protection laws in the EEA and the UK all derive from GDPR, the compliance culture of organisations and the interpretation and enforcement practice of the different data protection supervisory authorities vary significantly. This regulatory uncertainty is particularly challenging for multinational organisations with operations in multiple countries. It is also challenging for their insurers, compounded by the legal uncertainty surrounding whether GDPR fines can be recovered under an insurance policy.[11]

Evolving enforcement trends

Despite the overall inconsistency in approaches among the countries surveyed, some common enforcement trends are evident.
Failure to comply with the transparency principle

First, many supervisory authorities have prioritised the enforcement of violations of the lawfulness, fairness and transparency principle (Article 5(1)(a) GDPR). Early enforcement demonstrates that supervisory authorities are setting a high bar to meet the information disclosure requirements of GDPR, fining controllers with overly complex privacy notices and notices deemed to be insufficiently granular, inaccurate or incomplete.

For anyone who has had to draft privacy notices, transparency is a conundrum. Include too much detail and it may not be understandable to your audience, breaching GDPR’s transparency principle. Include too little and you risk being sanctioned for providing incomplete or inaccurate information. A layered approach is a potential solution, though care is required: controllers have also been fined for having “fragmented” information where users are required to navigate and cross-check multiple different privacy notices. For some processing, the challenge is simply that the complexity of the processing and data flows is extremely difficult to explain in lay terms, particularly given the reality that, save for data protection lawyers, very few consumers ever read privacy notices.

[11] See the third edition of The Price of Data Security guide to the insurability of GDPR fines across Europe, compiled by global insurance broker AON and DLA Piper.

Failure to demonstrate a lawful basis to process

Failure to demonstrate a lawful basis to process is another emerging trend in the early GDPR fines. In some cases, the supervisory authority concluded there simply could not be any lawful basis for the processing in question. In others, although a lawful basis was in theory available, the controller failed to demonstrate evidence of the lawful basis, underlining the importance of effective governance and accountability.
Several fines have been imposed for failures to obtain GDPR-standard consent or for seeking to rely on invalid consent. Tackling unlawful processing requires a combination of: good data mapping, in comprehensive and accurate records of processing; good data protection governance, to ensure there is a lawful basis for all processing and that it is documented to demonstrate accountability; and good privacy notices that clearly set out the lawful basis for each processing activity. In combination, this is a sizeable task, so it is sensible to apply a risk-based approach, with more time and attention given to higher-risk processing activities, using available guidance defining high-risk processing for the purposes of data protection impact assessments.[12]

Failure to implement appropriate security measures

Over the last 12 months, some of the larger data breach-related fines have been imposed. GDPR requires organisations to implement “appropriate” technical and organisational measures to ensure a level of security appropriate to the risks of processing, taking into account the ever-changing state of the art and the costs of implementation. The early GDPR fines are beginning to provide some welcome detail on what may constitute “appropriate” measures depending on the context.
In different situations, the omission of one or more of the following measures has been specifically called out as potentially contributing to a breach of Article 32 and the related Article 5(1)(f) GDPR:

• monitoring privileged user accounts
• monitoring access to and use of databases storing personal data
• implementing “server hardening” techniques to prevent access to administrator accounts
• encryption of personal data, particularly more sensitive personal data
• use of multi-factor authentication to prevent unauthorised access to internet-facing applications
• strict access controls for applications on a needs basis, with prompt removal of access when no longer required
• regular penetration testing
• not storing passwords in plain-te
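As an added illustration of the final measure in that list (the code below is not from the DLA Piper report, and the fines it discusses do not describe any particular implementation), the following Python shows the plain-text password storage pattern beside a hardened form: a per-user random salt combined with the memory-hard scrypt function from the standard library’s hashlib, verified with a constant-time comparison. The user table, the password and the scrypt parameters are constructed sample values and assumptions chosen for illustration; the record format `scrypt$n$r$p$salt$digest` is likewise an assumption, not a standard.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample user table, as a system that keeps passwords in plain
# text would hold it (the pattern the fines discussed above call out).
PLAINTEXT_STORE = {"alice": "correct horse battery staple"}


def verify_plaintext(store: dict, user: str, candidate: str) -> bool:
    """Insecure pattern: any copy of the table reveals every password directly."""
    return store.get(user) == candidate


# Hardened pattern: per-user random salt plus a memory-hard KDF (scrypt from the
# standard library). Parameters are illustrative assumptions, not from the report.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(candidate.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False  # malformed record: never treat it as a match
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(actual, expected)


def migrate_store(plaintext_store: dict) -> dict:
    """One-off migration: replace each plain-text password with its hash record."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


if __name__ == "__main__":
    hashed = migrate_store(PLAINTEXT_STORE)
    print(hashed["alice"])
    print(verify_password(hashed["alice"], "correct horse battery staple"))  # True
    print(verify_password(hashed["alice"], "wrong"))  # False
```

Because the salt and parameters are stored alongside the digest, a later increase in the scrypt cost can be rolled out by re-hashing at next successful login while older records continue to verify; the plain-text table, by contrast, cannot be protected after the fact without this migration step.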