Data protection authorities in the EU have imposed fines in three separate cases since the start of the application of the EU General Data Protection Regulation (GDPR) on 25 May 2018. What should companies focus on to avoid a similar fate and what can be inferred about the future of GDPR enforcement?
3 Member States, 3 Fines
Personal data of approximately 330,000 users of a chat platform were compromised and then made publicly available by hackers in September 2018. As part of the data breach notification, the provider disclosed that the users' passwords were stored in an unencrypted form. The data protection authority (DPA) of the German state of Baden-Württemberg considered this a violation of the obligation to implement adequate security measures (Article 32 GDPR) and imposed the rather modest fine of EUR 20,000.
When deciding on the amount of the fine to be imposed, the DPA considered in particular that the platform provider:
• notified the breach to the DPA and to the data subjects in due time
• cooperated fully with the DPA
• promptly followed the DPA' s recommendations for how to increase the implemented level of data security.
For a detailed analysis, click here.
An entrepreneur in Austria had installed a CCTV camera in front of his establishment, also recording a substantial section of the side walk. The Austrian DPA considered this a violation of the GDPR because it does not recognize any legitimate interests of companies (or entrepreneurs) to put public spaces under CCTV surveillance. Moreover, the video surveillance was not sufficiently marked, violating the transparency obligation under the GDPR.
Taking into account the annual income of the entrepreneur, the Austrian DPA imposed a fine of EUR 4,800 for illegal video surveillance activities.
After carrying out an inspection at a Portuguese hospital, the Portuguese DPA found that the hospital' s account management practices were deficient because:
• there were 985 active accounts for doctors even tough only 296 doctors worked at the hospital
• any doctor had access to all patient files, regardless of the doctor' s specialty.
The hospital tried to argue that it was not responsible for these deficiencies because it used the IT system provided to public hospitals by the Portuguese Health Ministry.
However, the Portuguese DPA did not let the hospital off the hook that easily. It decided that it was the hospital' s responsibility to ensure that adequate security measures were implemented. For violating this obligation, the Portuguese DPA imposed a fine of EUR 400,000 on the hospital.
Data Security Basics: Encrypt Passwords and Implement Logical Access Control
It has been generally accepted for some time that passwords should be sent over any network, in particular the Internet, only in an encrypted form (e.g., using HTTPS). As regards the unencrypted storage of passwords, IT security experts have long argued that this practice, too, poses an unacceptable security risks.
The fine imposed by the German DPA confirms that the encryption of stored passwords is, indeed, a legal requirement.
The clear recommendation is therefore to only store passwords in an encrypted fashion. More specifically (for the technically inclined reader), we would recommend the use of salted hashes with a different salt for each password.
The decision out of Portugal highlights an even more basic security requirement – logical access control. This requires three distinct steps:
• Identification: The user has to disclose his or her identity. Any system that allows users to log in using accounts such as "test" or "admin" already fails this basic requirement.
• Authentication: The user' s identity is verified, typically using one or two of the following three factors:
o something that the user knows, such as a password
o something that the user has, such as a key or token
o something that the user is (i.e., biometrics).
• Authorization: Once the user' s identity has been verified, the user is granted access only to the data that the user needs to perform his or her job duties (need-to-know principle).
Given that the Portuguese hospital had 985 active accounts with unlimited access for 296 doctors, the hospital apparently performed neither a proper identification, authentication nor an authorization.
The two decisions out of Germany and Portugal are only the first in what will soon be a long list of decisions that will put in concrete terms what it means to implement "appropriate" security measures, as required by the GDPR.
If Nothing Else Helps, Cooperate with Authorities
The German case also demonstrates that full cooperation with a DPA may significantly reduce the amount of fines eventually imposed. In particular in cases where the DPA will learn of the breach anyhow – e.g., because data breach notification requirements are triggered – full cooperation may reduce the overall regulatory risk significantly.
Old-Fashioned Violations Still Matter
With the introduction of the GDPR, much focus has been put on cutting-edge technologies. However, the CCTV case out of Austria demonstrates that old-fashioned violations still matter. After all, old-fashioned technologies are well understood by the DPAs, making them a low-hanging fruit from the enforcement perspective.
Companies should therefore not loose sight of "old-fashioned" data processing operations such as CCTV systems or whistleblowing hotlines.
Focus on Sensitive Data
The case out of Portugal shows that the processing of sensitive data, in particular large amounts of health data, is associated with a high enforcement risk. Given that the unlawful handling of such data is of great concern for large parts of the population, data protection authorities will assign a high priority to enforcement issues concerning sensitive data.
When collecting large amounts of sensitive data, companies should therefore focus significantly on compliance with GDPR.
The first fines under the GDPR show a measured approach to the GDPR' s enforcement. Rather than imposing a great number of fines for non-compliance with new GDPR requirements, the data protection authorities focused on a small number of cases where basic requirements were not satisfied. This underscores the importance of setting clear priorities when implementing the GDPR in any organization.