The European Union's General Data Protection Regulation (GDPR) is the most comprehensive data privacy regulation in the world. It also confers upon supervisory authorities – i.e., regulators within the European Union Member States that have authority for data protection – broad-reaching powers to conduct investigations and to impose draconian civil penalties of up to the greater of 4% of an organization’s annual global turnover or 20 million Euro.
One of the greatest uncertainties leading up to the GDPR was the extent to which European regulators would avail themselves of the powers conferred by the GDPR to bring enforcement actions and issue fines.
In the first fine issued by a German data protection authority under the GDPR, the Baden-Württemberg data protection authority (DPA) imposed a fine of € 20,000 on the German chat app provider Knuddels for violating its data security obligations under Article 32 GDPR.
According to a press release issued by the Baden-Württemberg DPA, Knuddels notified the authority following a hacker attack in which the personal data of approximately 330,000 users, including user names, passwords and email addresses, were stolen and subsequently published online. During the investigation, the DPA found that Knuddels had stored its users' passwords in plain text, without encryption or hashing, because it had implemented a “password filter”: a feature intended to prevent users from transmitting their passwords to unauthorized third parties, introduced with the aim of better protecting those users. By storing the passwords in plain text, Knuddels infringed its obligation under Article 32 GDPR to adequately protect personal data.
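The finding above turns on one design decision: keeping passwords readable so that a filter could match them. The following added example (not Knuddels' code, and not part of the original post) shows the alternative a practitioner would expect under Article 32: passwords stored only as salted, iterated PBKDF2-HMAC-SHA256 hashes, verified in constant time, with the outbound "password filter" implemented on top of the hash by verifying each token of a message against the stored record instead of comparing against a plain-text copy. The record format (`pbkdf2_sha256$iterations$salt$key`), the iteration count and the sample password are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: parameters and record layout are assumptions for this demo.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000      # kept moderate so the demo runs quickly; tune upward for production
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_b64$key_b64'.

    A fresh random salt per user means identical passwords produce different
    records, so a leaked table cannot be attacked with one precomputed lookup.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time.

    Malformed or foreign records verify as False rather than raising.
    """
    try:
        algorithm, iterations_str, salt_b64, key_b64 = record.split("$")
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except ValueError:          # wrong field count, non-integer, bad base64
        return False
    if algorithm != ALGORITHM or iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def message_leaks_password(message: str, record: str) -> bool:
    """Outbound 'password filter' that needs no plain-text copy of the password.

    The whole message and each whitespace-separated token are verified against
    the user's stored record. The cost is one key derivation per candidate, which
    is the trade-off for not retaining the password in readable form.
    """
    candidates = {message.strip(), *message.split()}
    return any(verify_password(token, record) for token in candidates if token)


if __name__ == "__main__":
    sample_password = "Tr0ub4dor&3"          # constructed sample, not a real credential
    record = hash_password(sample_password)
    print(record)
    print(verify_password(sample_password, record))          # True
    print(verify_password("tr0ub4dor&3", record))            # False
    print(message_leaks_password("my login is Tr0ub4dor&3 lol", record))  # True
    print(message_leaks_password("see you at 8", record))    # False
```

The record embeds its own algorithm name and iteration count, so the iteration count can be raised later and old records re-hashed on the user's next successful login without a migration script.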
Given the extent of the data breach at Knuddels and the large number of users affected, the fine of € 20,000 was less than some observers expected. In determining the fine, the Baden-Württemberg DPA took into account in Knuddels’ favor that it fully cooperated with the DPA from the outset, immediately implemented far-reaching measures to improve its IT security architecture and thus brought the protection of its users' data up to date. The Baden-Württemberg DPA also considered the company’s overall financial burden as a result of the infringement, highlighting that Knuddels incurred total costs in a six-figure Euro amount, including the fine issued by the DPA. According to the DPA, GDPR fines must not only be effective and dissuasive, but also proportionate. Stefan Brink, head of the Baden-Württemberg DPA, explained in a statement that the authority “is not interested in entering into competition for the highest possible fines. At the end of the day, it’s about improving data protection and data security for the affected users.”
The decision of the Baden-Württemberg DPA shows that cooperating with the data protection authority in a comprehensive and transparent manner, as well as taking immediate corrective steps, may significantly reduce the amount of a fine under the GDPR. However, the fine imposed on Knuddels should not encourage companies to sit back and relax. The first fines issued by data protection authorities in Europe under the GDPR have varied substantially, from a rather moderate € 4,800 fine issued by the Austrian data protection authority to a retail establishment to a high € 400,000 fine imposed on a hospital by the Portuguese data protection authority. It therefore remains essential for companies to implement state-of-the-art IT security solutions and to set up processes to react to data security incidents quickly and effectively.