Tag: GDPR Fines
22. April 2022
After being hit with a €150 million fine by France’s data protection agency CNIL earlier in the year for making the process of rejecting cookies unnecessarily confusing and convoluted for users, Google has added a new “Reject All” button to the cookie consent banners that have become ubiquitous on websites in Europe. Users visiting Search and YouTube in Europe while signed out or in incognito mode will soon see an updated cookie dialogue with reject all and accept all buttons.
Previously, users only had two options: “I accept” and “personalize.” While this allowed users to accept all cookies with a single click, they had to navigate through various menus and options if they wanted to reject all cookies. “This update, which began rolling out earlier this month on YouTube, will provide you with equal “Reject All” and “Accept All” buttons on the first screen in your preferred language,” wrote Google product manager Sammit Adhya in a blog post.
According to Google they have kicked off the rollout of the new cookie banner in France and will be extending the change to all Google users in Europe, the U.K., and Switzerland soon.
Google’s plan to include a “Reject All” button on cookie banners after its existing policy violated EU law was also welcomed by Hamburg’s Commissioner for Data Protection and Freedom of Information Thomas Fuchs during a presentation of his 2021 activity report.
But the introduction of the “Reject All” button is likely to be only an interim solution because the US giant already presented far-reaching plans at the end of January to altogether remove Google cookies from third-party providers by 2023.
Instead of cookies, the internet giant wants to rely on in-house tracking technology for the Google Privacy Sandbox project.
29. March 2022
The Italian data protection authority “Garante” has fined Clearview AI 20 million Euros for data protection violations regarding its facial recognition technology. Clearview AI’s facial recognition system uses over 10 billion images from the internet and prides themself to have the largest biometric image database in the world. The data protection authority has found Clearview AI to be in breach of numerous GDPR requirements. For example, fair and lawful processing was not carried out within the data protection framework, and there was no lawful basis for the collection of information and no appropriate transparency and data retention policies.
Last November, the UK ICO warned of a potential 17 million pound fine against Clearview, and in this context, and also ordered Clearview to stop processing data.
Then, in December, the French CNIL ordered Clearview to stop processing citizens’ data and gave it two months to delete all the data it had stored, but did not mention any explicit financial sanction.
In Italy, Clearview AI must now, in addition to the 20 million Euro fine, not only delete all images of Italian citizens from its database. It must also delete the biometric information needed to search for a specific face. Furthermore, the company must provide a EU representative as a point of contact for EU data subjects and the supervisory authority.
28. March 2022
In a long-awaited decision on the Transparency and Consent Framework (TCF), the Belgian data protection authority APD concludes that this technical standard, which advertisers use to collect consent for targeted advertising on the Internet, does not comply with the principles of legality and fairness. Accordingly, it violates the GDPR.
The ADP’s decision is aligned with other European data protection authorities and has consequences for cookie banners and behavioral online advertising in the EU. The advertising association IAB Europe, which develops and operates the TCF system, must now delete the personal data collected in this way and pay a fine of 250,000 euros. In addition, conditions have been determined for the advertising industry under which the TCF may continue to be used at all.
Almost all companies, including advertising companies such as Google or Amazon, use the mechanism to pass on users’ presumed consent to the processing of their personal data for personalized advertising purposes. This decision will have a major impact on the protection of users’ personal data. This is also confirmed by Hielke Hijmans from APD.
The basic structure of the targeted advertising system is that each visit to a participating website triggers an auction among the providers of advertisements. Based on the desired prices and the user’s data profile, among other things, a decision is made in milliseconds as to which advertisements she will see. For this real-time bidding (RTB) to work, the advertising companies collect data to compile target groups for ads.
If users accept cookies or do not object that the use of their data is in the legitimate interest of the provider, the TCF generates a so-called TC string, which contains information about consent decisions. This identifier forms the basis for the creation of individual profiles and for the auctions in which advertising spaces and, with them, the attention of the desired target group are auctioned off, and is forwarded to partners in the OpenRTB system.
According to the authority, the TC strings already constitute personal data because they enable users to be identified with the IP address and the cookies set by the TCF. In addition, IAB Europe is said to be jointly legally responsible for any data processing via the framework, although IAB Europe has not positioned itself as a data processor, only as a provider of a standard.
The TCF envisions advertising providers invoking a “legitimate interest” in data collection in cookie banners that pop up all the time, rather than asking for consent. This would have to be prohibited, for example, for it to be lawful. The principles of privacy by design and by default are also violated, since consent is literally tricked by design tricks, the data flows are not manageable, and revocation of consent is hardly possible.
23. March 2022
The Dutch Data Protection Authority, autoriteit persoonsgegevens (hereinafter “ap”) imposed a fine of €525,000 on DPG Media at the beginning of March.
The background to the fine were access and deletion requests of various data subjects who had a newspaper subscription or received increased advertising. If a data subject wanted to know what personal data the company had collected about him, he had to send an ID document to DPG Media to prove his identity. The same applied to anyone who asked the company to delete their data. The customer was supposed to either upload a scan of his ID document or send it to the company by mail or letter.
DPG Media’s procedure for proof of identity was criticized for several reasons. From ap’s point of view, too much data was requested and it was made too difficult for the data subjects to assert their rights to access and deletion. If, for example, DPG Media had requested blackened ID documents, this method of proof of identity would also have been questionable. The ap emphasizes that requesting blackened ID documents is often disproportionate.
It also notes that ID documents are documents that are particularly worthy of protection. Especially regarding possible identity theft, they must be handled very carefully.
Thus, ap clarifies that, even if an identification document is in principle suitable for identifying the data subject, less intrusive identifiers should be used in preference. Milder identifiers, but equally suitable in this specific case, are for example to request the postal address for a telephone inquiry or – as recital 57 states – the use of an “authentication mechanism such as the same credentials, used by the data subject to log-in to the online service offered by the data controller.“
12. February 2021
In 2020 a total of €158.5 million in fines were imposed, research by DLA Piper shows. This represents a 39% increase compared to the 20 months the GDPR was previously in force since May 25th, 2018.
Since that date, a total of € 272.5 million in fines have been imposed across Europe under the General Data Protection Regulation (“GDPR”). Italian authorities imposed a total of € 69.3 million, German authorities € 69.1 million, and French authorities 54.4 million. This calculation does not include two fines against Google LLC and Google Ireland Limited totalling € 100 million (€ 60million + € 40million) and a fine of € 35 million against Amazon Europe Core issued by the French data protection authority “Commission nationale de l’informatique et des libertés” (“CNIL”) on December 10th, 2020, (please see our respective blog post), as proceedings on these fines are pending before the Conseil d’Etat.
A total of 281,000 data breaches were reported during this period, although the countries that imposed the highest fines were not necessarily those where the most data breaches were reported. While Germany and the UK can be found in the top of both lists, with 77,747 data breaches reported in Germany, 30,536 in the UK and 66,527 in the Netherlands, only 5,389 data breaches were reported in France and only 3,460 in Italy.
Although the biggest imposed fine to date still is a fine of € 50 million issued by CNIL against Google LLC in January 2019 (please see our respective blog post) a number of high-profile fines were imposed in 2020, with 6 of the top 10 all time fines being issued in 2020 and one in 2021.
1. H&M Hennes & Mauritz Online Shop A.B. & Co. KG was fined € 35 million for monitoring several hundred employees (please see our respective blog post).
2. TIM (Italian telecommunications operator) was fined € 27 million for making unwanted promotion calls.
3. British Airways was fined € 22 million for failing to protect personal and financial data of more than 400,000 customers (please see our blog post)
4. Marriott International was fined € 20 million for a data breach affecting up to 383 million customers (please see our respective blog post)
5. Wind Tre S.p.A. was fined € 17 million for unsolicited marketing communications.
A comparison of the highest fines shows that most of them were imposed due to an insufficient legal basis for the processing of personal data (Art. 5 & 6 GDPR) or due to insufficient technical and organizational measures to ensure an appropriate level of security (Art. 32 GDPR).
While the European authorities have shown their willingness to enforce the GDPR rules, they have also shown leniency due to the impact that the COVID 19 pandemic has had on businesses. At least in part due to the impact of the pandemic, the penalties planned by the UK ICO have been softened. A planned fine of €205 million for British Airways was reduced to €22 million and a planned fine of €110 million for Marriott International was reduced to €20 million. GDPR investigations are also often lengthy and contentious, so the increased fines may in part be due to more investigations having had sufficient time to be completed. For example, the dispute over the above fines for British Airways and Marriott International has already started in 2019.
Not only the fines but also the number of data breach notifications increased in 2020. In 2020 121,165 data breaches were reported, an average of 331 notifications per day, compared to 278 per day in 2019. In terms of reported data breaches per 100,000 inhabitants, there is a stark contrast between Northern and Southern European countries. In 2020, Denmark recorded 155.6 data breaches per 100,000 inhabitants, the Netherlands 150, Ireland 127.8, while Greece, Italy and Croatia reported the lowest number of data breaches per inhabitant.
The trend shows that the GDPR is being taken more and more seriously by companies and authorities, and this trend is likely to continue as authorities become more confident in enforcing the GDPR. Fines are only likely to increase, especially as none of the fines imposed so far even come close to the maximum possible amount of 4% of a company’s global annual turnover. The figures also show that while the laws are in principle the same and are supposed to be applied the same in all EEA countries, nations have different approaches to interpreting and implementing them. In the near future, we can expect to see the first penalties resulting from the GDPR restrictions on data transfers to third countries, especially in the aftermath of the Schrems II ruling on data transfers to the USA.
21. October 2020
In the beginning of October, the Hamburg Data Protection Commissioner (“HmbBfDI”) imposed a record-breaking 35,258,707.95 Euro GDPR fine on the German branch of the Swedish clothing-retail giant H&M. It is the highest fine, based on a GDPR violation, a German Data Protection Authority has ever issued.
Since 2014, the management of the H&M service centre in Nuremberg extensively monitored the private lives of their employees in various ways. Following holidays and sick leaves of employees, team leaders would conduct so-called “Welcome Back Talks” in which they recorded employees’ holiday experiences, symptoms of illnesses and medical diagnoses. Some H&M supervisors gathered a broad data base of their employees’ private lives as they recorded details on family issues and religious beliefs from one-on-one talks and even corridor conversations. The recordings had a high level of detail and were updated over time and in some cases were shared with up to 50 other managers throughout the whole company. The H&M supervisors also used this Personal Data to create profiles of their employees and to base future employment decisions and measures on this information. The clandestine data collection only became known as a result of a configuration error in 2019 when the notes were accessible company-wide for a few hours.
After the discovery, the H&M executives presented the HmbBfDI a comprehensive concept on improving Data Protection at their Nuremberg sub-branch. This includes newly appointing a Data Protection coordinator, monthly Data Protection status updates, more strongly communicated whistleblower protection and a consistent process for granting data subject rights. Furthermore, H&M has apologised to their employees and paid the affected people a considerable compensation.
With their secret monitoring system at the service centre in Nuremberg, H&M severely violated the GDPR principles of lawfulness, fairness, and transparency of processing pursuant to Art. 5 no. 1 lit. a) and Art. 6 GDPR because they did not have a legal basis for collecting these Personal Data from their employees. The HmbBfDI commented in his statement on the magnitude of the fine saying that “the size of the fine imposed is appropriate and suitable to deter companies from violating the privacy of their employees”.
1. July 2020
The German State Data Protection Commissioner of Baden-Württemberg (“LfDI Ba-Wü”) imposed a GDPR fine of 1.240.000€ on the German statutory health insurance provider AOK Baden-Württemberg (“AOK”). The fine was a result of the health insurance’s lack of technical and organisational measures pursuant to Art. 32 GDPR. It is the highest fine the LfDI Ba-Wü has ever imposed.
Between 2015 and 2019 the AOK organised lotteries on various occasions and collected personal data of the participants, including their contact details and current health insurance affiliations. The AOK wanted to use the data of the lottery participants for advertising purposes, insofar as the participants gave their consent to this. To ensure the security of processing, the AOK implemented internal guidelines and data protection training of their staff as technical and organisatioal measures. However, these measures were not sufficient to comply with Art. 32 GDPR because AOK staff used the personal data of more than 500 lottery participants for advertising purposes without their prior consent.
Following the investigation of the LfDI Ba-Wü, the AOK immediately stopped all marketing activities in order to revise their internal policies and processes against the GDPR. The LfDI Ba-Wü explained that in determining the extent of the fine, it considered the following mitigating factors:
- the cooperation of the AOK with the Data Protection Authority,
- the fact that the AOK as a statutory health insurance provider is an important part of the German healthcare system, and
- the burdens of the current Corona-Pandemic on the healthcare system.
Finally, the Commissioner pointed out that technical and organisational measures must be regularly adjusted to the actual conditions of each processing activity, in order to ensure an adequate level of data protection in the long term.
6. May 2020
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), has issued a EUR 725 000 fine on April 30th to a company for scanning the fingerprints of its employees in order to record attendance.
As fingerprints fall under sensitive data according to Art. 9 GDPR, by being biometric data and therefore can easily identify a data subject, the Dutch DPA has addressed two exceptions in the present case: explicit consent according to Art. 9 II a GDPR, and the necessity of the processing for security reasons, which are related back to Art.9 II g GDPR.
According to the Dutch DPA, none of the two exceptions apply.
In the first case, the Dutch DPA states that the employer has shown no proof of valid explicit consent of the employees. Rather, the Dutch DPA is of the opinion that in an employment relationship, consent cannot be given freely. While it is tricky to ensure freely given consent in situations where one side is dependant on the other, it is possible to ensure such a freely given consent by the means of offering an alternative form of processing, allowing the employee to choose from two options according to their own judgement. In the case brought to the Dutch DPA, this had not been the case. Rather, employees felt obligated to give their consent, especially since the denial resulted in a personal meeting with the director. An alternative option to scanning their fingerprints was not given by the company.
The second exception of the necessity of the processing for security reasons was also dismantled by the Dutch DPA. It reasoned with the fact that such an exception only applies in cases where the security of the systems or the building depend on biometric data, and cannot be done by a less invasive method. While the activities of the company remain confidential, the Dutch DPA has denied them to be of that level of importance that security can only be done through biometrics. Therefore, the fingerprint scanning in the matter was unnecessary and disproportionate to the invasion of the employees’ privacy.
As this case shows, it is recommendable to be careful with the processing of biometric data. In particular, companies should ensure to have valid consent before progressing with the processing of sensitive data to mitigate the risks of a fine.
27. January 2020
The German car rental company Buchbinder is responsible for leaking Personal Data of more than 3 Million customers from all over Europe. The data leak exposed more than 10 Terabyte of sensitive customer data over several weeks without the company noticing it.
A German cybersecurity firm was executing routine network scans when it found the data leak. The firm reported it twice to Buchbinder via e-mail, but did not receive a reply. After that, the cybersecurity firm reported the leak to the Bavarian Data Protection Authority (DPA) and informed the German computer magazine c’t and newspaper DIE ZEIT.
According to c’t, a configuration error of a Backup-Server was the cause of the leak. The Personal Data exposed included customers’ names, private addresses, birth dates, telephone numbers, rental data, bank details, accident reports, legal documents, as well as Buchbinder employees’ e-mails and access data to internal networks.
The data leak is particularly serious because of the vast amount of leaked Personal Data that could easily be abused through Spam e-mails, Fraud, Phishing, or Identity theft. It is therefore likely that the German DPA will impose a GDPR fine on the company in the future.
Buchbinder released a press statement apologising for the data leak and promising to enhance the level of their defense and cybersecurity system.
10. January 2020
To date, the Polish Data Protection Authority (DPA) have issued 134 decisions and imposed GDPR fines in 5 cases. In 4 cases, the Polish DPA fined private companies and in one case, it fined a public institution.
The fines for the companies ranged from 13.000€ to 645.000€. Reasons for the fines were failures in protecting personal data on websites resulting in the unauthorised access of personal data, inadequate technical and organisational measures, and an insufficient fulfilment of information obligations according to Art. 14 GDPR.
It is also noteworthy that the Polish DPA has imposed a 9.350€ fine on the Mayor of a Polish small town. Under Art. 83 (7) GDPR, each member state of the EU may lay down rules on whether and to what extent administrative fines may be imposed on public authorities. The Polish legislators decided that non-compliant public authorities may receive a GDPR fine of up to 23.475€.
The Mayor received the GDPR fine since he failed to conclude a data processing agreement with the entities to which he transferred data in violation of Art. 28 (3) GDPR. Moreover, the Mayor violated the principle of storage limitation, the principles of integrity and confidentiality, the principle of accountability and furthermore kept an incomplete record of processing activities.
Recently, the Polish DPA also published the EU Project T4DATA’s Handbook for Data Protection Officers (DPO) in order to help define a DPO’s role, their competencies and main responsibilities.