On 25 May 2018, almost ten months ago, the European General Data Protection Regulation (GDPR) came into force. After the enormous hype surrounding its introduction, you might wonder whether the new regulation has had any effect at all. In fact, a lot has happened: fines and warnings have been imposed and many complaints and lawsuits have been filed.
To give you an overview of where data protection rules are being violated, we have collected fines, cautions and pending lawsuits based on GDPR.
Fines imposed on the basis of GDPR
Case 1: Theft of user data – Germany
The chat platform “Knuddels” was hacked, and passwords, pseudonyms and e-mail addresses were stolen because this information was stored in plain text. Storing passwords in a recoverable form (rather than as salted, slow password hashes) and other personal data without protection is an insufficient safeguard for personal data. This violates the principles of privacy by default and privacy by design required by GDPR.
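The practical lesson of this case is that a password store must never be able to give the password back. The following added example (not code from the original article or from Knuddels) shows the failing pattern beside the hardened one: a per-user random salt, a deliberately slow key derivation function (scrypt from Python's standard library) and a constant-time comparison on verification. The store layout, record format and function names are illustrative assumptions.

```python
"""Added example: plaintext password storage versus salted scrypt hashes.
Names, record format and the in-memory 'users' store are illustrative."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor: 128 * r * N bytes of memory (16 MiB here) and a noticeable
# delay per guess, which is the point: an offline attacker with a dumped
# table must pay this cost for every candidate password.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(users: Dict[str, str], username: str, password: str) -> None:
    """The insecure pattern: a single database dump exposes every password."""
    users[username] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form 'scrypt$<salt hex>$<digest hex>'.

    A fresh 16-byte salt per user means two users with the same password
    get different records, and precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def store_hashed(users: Dict[str, str], username: str, password: str) -> None:
    """The hardened pattern: only the salted hash is ever written."""
    users[username] = hash_password(password)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate against the hashed store; unknown users simply fail."""
    record = users.get(username)
    return record is not None and verify_password(password, record)


def leaked_from_dump(users: Dict[str, str]) -> Dict[str, str]:
    """What an attacker holding a copy of the table learns for each user:
    the password itself for the plaintext store, only an opaque record for
    the hashed one. Used below to contrast the two stores."""
    return dict(users)


if __name__ == "__main__":
    insecure: Dict[str, str] = {}
    secure: Dict[str, str] = {}
    store_plaintext(insecure, "alice", "correct horse battery staple")
    store_hashed(secure, "alice", "correct horse battery staple")
    print("plaintext dump:", leaked_from_dump(insecure))
    print("hashed dump:   ", leaked_from_dump(secure))
    print("login ok:", login(secure, "alice", "correct horse battery staple"))
    print("login bad:", login(secure, "alice", "wrong password"))
```

The work factor constants are the tunable: raise `SCRYPT_N` as hardware gets faster, and record the parameters in the stored string (as the `scrypt$` prefix does here) so old records can be identified and rehashed at next login.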
Case 2: Publication of health data – Germany
Probably due to an unintentional mistake, personal health data became accessible online. (No further details were disclosed on this case.) Here, too, the principles of privacy by default and privacy by design were violated because inadequate protective measures had been taken.
Case 3: Google’s missing/erroneous user approval – France
The highest fine to date was imposed on Google. The complaints that led to it were filed on the day GDPR came into force. The fine was based on the violation of the duties to inform and to be transparent, and on the lack of a valid legal basis (consent) for personalised advertising.
In this case, the fine imposed amounts to 50,000,000 euros.
Source: Google’s lack of user approval
Official communication of the CNIL (French Data Protection Authority)
In total, 41 fines with amounts ranging from 15,000 to 100,000 euros have been imposed in Germany since GDPR came into force. The fines were justified by a number of factors:
- inadequate technical and organisational measures taken by a hotel, which could not rule out that credit card or other customer data from its booking system had been disclosed in the course of an extortion attempt following a hacker attack,
- the publication of health data on the Internet due to inadequate internal control mechanisms,
- human error: disclosure of health data to the wrong patient by a hospital,
- recording of all outgoing and incoming calls to a fire brigade of the State of Bremen,
- disclosure of account statements to unauthorized persons using online banking,
- unacceptable advertising e-mails,
- unauthorized copying of customer data during a hacker attack on a web shop,
- unauthorized dashcam use,
- an open e-mail distribution list,
- unauthorized video surveillance of customers and employees.
In Europe, a total of 91 fines have been imposed since GDPR came into force.
Cautions and judgements since GDPR came into force
Case 1: Website without encryption
The district court of Würzburg prohibited a lawyer from operating her website without encryption (no HTTPS/TLS) and without a sufficient privacy policy, under threat of a fine of up to 250,000 euros.
Source: Website without encryption (German)
Case 2: Using the Facebook Custom Audience
The Bavarian State Office for Data Protection prohibited an online shop from using “Facebook Custom Audience”. The decision was confirmed by the Verwaltungsgericht (Administrative Court) and the Verwaltungsgerichtshof (Higher Administrative Court). The reason given was the use of personal data without the consent of the visitors.
Pending lawsuits due to GDPR
- Instagram (Belgium): Reason: Insufficient information and forced, missing or insufficient consent.
- WhatsApp (Hamburg): Reason: Insufficient information and forced, missing or insufficient consent.
- Facebook (Austria): Reason: Insufficient information and forced, missing or insufficient consent.
- Austria: An Austrian bank charged customers EUR 30 to retrieve the personal data it had stored about them. The court ruled in favour of the plaintiff, whereupon the bank appealed to a higher court, the Federal Administrative Court. The basis of the court’s decision was the refusal to grant the right to free access to stored personal data.
- European Court of Justice: Action against the use of the US-EU Privacy Shield (example Facebook), as the transfers to the USA can be intercepted by the NSA according to US law.
- UK and Ireland: Google and IAB were sued over Real Time Bidding (RTB) in advertising. According to the plaintiffs, RTB systems share hundreds of billions of personal data points every day with other systems without the user’s consent, including sensitive data such as “abuse, incest or HIV status”. According to the plaintiffs, IAB knew in advance that its system was not GDPR compliant. Google, on the other hand, attempts to pass the obligation to obtain user consent on to the websites that display the advertisements.
Since GDPR came into force, more than 59,000 data breaches have been reported to the European data protection authorities. The countries with the highest numbers of reported breaches are the Netherlands with 15,400, Germany with 12,600 and the United Kingdom with 10,600. Cyprus with 35 reports, Iceland with 25 and Liechtenstein with 15 are the countries with the fewest.
The Bavarian State Office for Data Protection Supervision (BayLDA) examined 40 high-reach company websites for GDPR compliance regarding user consent and documentation. None of the 40 websites correctly implemented a process for obtaining user consent and informing users. Here, too, lawsuits and cautions are to be expected.
As you can see, a lot has happened in the field of data protection over the last ten months. The new data protection regulation provides an important legal basis for users to protect their personal data. Companies are therefore required, and well advised, to comply with the new data protection requirements.
Please keep in mind that GDPR and the new requirements also apply to Swiss companies providing their services and products to EU citizens.