Despite the quiet start to enforcement of the EU General Data Protection Regulation (GDPR), the rate of fines issued under the regulation has ramped up over recent months. We take a look at some of the European authorities’ most notable judgments and the key takeaways for companies at risk in those jurisdictions.
Austria: compensation for immaterial damages
Last month, the Regional Court of Feldkirch awarded compensation for immaterial damages for a GDPR breach for the first time in Austria, after finding that the Austrian Post had violated the regulation by collecting and storing data relating to the “political affinities” of approximately 2.2 million Austrian users. The court held that compensation was necessary given the highly sensitive nature of the data, with damages amounting to €800 in one particular case.
Although the decision is not yet final, it serves as a warning to companies that any person who has suffered material or immaterial damage as a result of a GDPR violation is entitled to receive compensation, and other jurisdictions may follow the view of the Austrian court.
France: Google fined €50 million
Back in January, the French Data Protection Authority (CNIL) fined Google €50 million for a lack of transparency, inadequate information and a lack of valid consent regarding the personalisation of adverts on its platform. The level of the CNIL’s fine was determined by the “massive and intrusive” nature of Google’s data processing, as well as the key nature of the relevant GDPR provisions.
Although Google has appealed the decision to the Conseil d’État (France’s highest public law court), the overall takeaway – particularly for tech companies providing complex online services – is that there is a fine line between providing sufficient information to meet the GDPR’s information requirements and not providing excessive or disparate information in a manner which violates the principle of transparency. To meet this balancing act, companies should ensure that all fair processing information is contained in one document; specify which processing is based on consent and which is based on legitimate interests; avoid using pre-ticked boxes; and obtain consent for each specific purpose, rather than for all purposes together.
Germany: mega-fines under new calculation model
German Data Protection Authorities (DPAs) also seem to be following in the footsteps of the CNIL. On 13 August 2019 the Berlin DPA announced its willingness to impose multi-million euro fines for data breaches under the GDPR. Although the specific details of the Berlin DPA’s investigation have not been released, public information reveals that the authority based its calculation of the reported fine on a new model, which involves – among other things – multiplying a daily rate (determined by the aggregate global revenue of the company) by the severity of the infringement and its consequences, accounting for mitigating factors such as a swift response to the breach and the company’s willingness to cooperate with the DPA.
Considering that, until June 2019, the 75 fines imposed under the GDPR in Germany amounted to only €449,000 (the largest single fine being €80,000), the Berlin DPA’s decision marks a dramatic increase in the rate of such penalties in the country. As such, companies should be reviewing their data protection processes, as failure to comply with the GDPR may result in more than a slap on the wrist.
Greece: PwC fined €150,000
In Greece, the Hellenic DPA has also entered the fray, issuing a €150,000 fine against PwC for GDPR breaches in relation to the unauthorised processing of employee data. The authority held that PwC’s choice to process employees’ personal data on the legal basis of consent was inaccurate since, under the GDPR, consent must be freely given, and this is rarely the case in the context of employment. The Hellenic DPA found that not only was the choice of consent as the legal basis inappropriate, but PwC had actually been processing the data on a different legal basis undisclosed to its employees.
The significant fine imposed by the Hellenic DPA is a stark reminder that employers can only process data on one of the legal grounds outlined by the GDPR. In most cases, the basis of consent will not hold up under scrutiny, as employees are unlikely to be able to exercise free will, given the power imbalance in the employment relationship. Moreover, all stages of data processing should be transparent to the data subject; therefore, employers must do everything in their power to ensure that the legal grounds for processing data are made clear to employees.
Sweden: first fine issued to local school
On 20 August 2019 the Swedish DPA issued the country’s first GDPR fine to a local high-school for its use of facial recognition technology. The authority held that the technology, which was used to monitor student attendance, was excessively intrusive, while the permission obtained from students did not constitute GDPR-required consent because it was not voluntarily given and freely chosen. What is more, the school had failed to conduct the necessary documented data protection impact assessment.
However, given that the technology was only used for three weeks to monitor 22 students, the DPA held that a modest fine of Skr200,000 (approximately €19,000) was sufficient for the school – and any onlookers – to learn its lesson. Despite being Sweden’s first GDPR fine, it seems that the DPA may simply have been testing the water. Whether it will need to wade any deeper in the near future remains to be seen.
United Kingdom: ICO announces biggest fines to date
In stark contrast to Sweden’s modest first fine, the United Kingdom has made headlines in the past few months for issuing the biggest fines under the GDPR to date. On 8 July 2019 the Information Commissioner’s Office (ICO) announced that its first GDPR monetary penalty would be issued to British Airways (BA), following an investigation into a cyber incident in which users of the BA website were diverted to a fraudulent site, where their details were harvested. Given the severity of the breach, which affected around 500,000 BA customers, the ICO announced that the company would be fined £183.39 million (approximately €204 million) – 1.5% of its worldwide annual turnover – for security failures under the GDPR.
Although this is still substantially less than the maximum available GDPR fine of 4% of worldwide annual turnover, and the exact details of BA’s violation are yet to be released, the ICO’s decision makes a loud statement: the UK authorities will not be scaling up like other jurisdictions and cybersecurity will be held in high regard. As such, companies should be wary of complacency when it comes to data protection, as an unexpected cyberattack may have serious financial consequences.
To reinforce this point, the ICO released a second statement the following day, announcing that it would also be fining hospitality company Marriott International £99 million (approximately €110.4 million) for similar security failures. In this case, an ICO investigation revealed that the personal data of 30 million Marriott International guests – including their names, post and email addresses, phone numbers, passport numbers, dates of birth, genders and encrypted payment card numbers – had been compromised.
The ICO’s message, then, is clear: companies must ensure that their information security is in order and review and update this on a regular basis if they want to avoid significant penalties. However, there is a danger that by making an example of two high-profile companies, the ICO has set an uncomfortably high standard and runs the risk of smaller companies in similar positions failing to report data breaches for fear of uncompromising fines.
To comply or not to comply: there is no question
Understanding how the ICO calculated these penalties will be key if the UK office is to guide the level of fines issued under the GDPR in future. While the exact details of both cases are yet to be released, the United Kingdom seems to be paving the way for authorities in other jurisdictions to up the ante when it comes to penalising companies for GDPR breaches, and the recent ICO decisions may act as precedent for supervisory authorities in similar cases.
Although there has been no significant enforcement in relation to businesses outside Europe, it has taken 12 months for EU authorities to start cracking the whip. As such, companies with a lax compliance plan should not bank on the fact that they have made it unscathed thus far. If the latest mega-fines are anything to go by, the size of the risk is only likely to increase. Therefore, companies should review their data protection processes regularly and ensure that they have the appropriate technical, organisational and security measures in place to minimise security risks of all kinds.