GDPR One Year On – A review of fines across the EU
Posted in: Crowley Solicitors Hot Topics Series on 7 June 2019
The first anniversary of the GDPR passed on 25 May 2019 and we are beginning to see publication of the first fines administered under the new regime by various Supervisory Authorities. In this month's ‘Hot Topics’, Cormac Murphy, Senior Associate Solicitor in Crowley Solicitors, reviews the fines across Europe in the last year; notably, a German fine and an Austrian fine relate fully or in part to the processing of employee-related personal data.
To start, some GDPR statistics from the European Data Protection Board:
- 89,000 data breaches logged by EEA Supervisory Authorities in 2018
- 144,000 queries and complaints received
- Total fines imposed from 11 EEA countries of €55,955,871
“What about these huge potential fines!!”
When the GDPR first came upon our radars, it was the potential large fines which caught the attention of many. Certainly, whether you were a large multinational or a domestic company, it was difficult not to take notice when faced with potential fines of up to 4% of your global annual turnover.
On the other side of the coin, we saw Supervisory Authorities such as the ICO in the UK taking a more measured approach to the idea of large fines. The UK Information Commissioner Elizabeth Denham said back in August 2017:
“This law is not about fines. It’s about putting the consumer and citizen first. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
Whilst the potentially large fines kick-started many GDPR projects within companies, a certain sigh of relief must have been breathed off the back of Elizabeth Denham’s comments.
But where the ICO is the calm, the CNIL showed it is the proverbial storm. If your data processing crosses borders, you would be remiss to rest on the laurels of Elizabeth Denham’s comments.
What’s really happening out there?
Certainly, the Google fine of €50m has attracted lots of attention. Large fines are for now the exception rather than the rule. Let’s take a look at some of the other fines imposed across Europe over the past year:
- In Germany, a regulator imposed a €20,000 fine on a company for failing to protect employee passwords with cryptographic hashes
- In Austria, the Data Protection Authority imposed a €4,800 fine on a company that had installed a CCTV system which partially surveilled a public footpath and, in doing so, also surveilled employees
- A Portuguese hospital was fined €400,000 for two GDPR violations relating to inappropriate access to patient data
- The Polish data protection authority imposed its first GDPR fine of €200,000 on a company that aggregated personal data from publicly available registers in order to provide company-verification services, for failing to provide individuals with the information required when personal data are collected from sources other than the individual
- Latvian e-payment company MisterTango fined €61,500 for two GDPR violations: improperly processing personal data by storing it for longer than customers were led to believe and for failing to report a data breach within the 72-hour period. The fine represented 2.5% of the company’s global annual turnover
- Chat platform Knuddels was fined €20,000 in Germany for storing customer data about 330,000 users in clear text on its server which was subsequently hacked. The regulator stated the lower range fine was due to the company’s cooperation with the data protection authority
In addition to the fines, it is interesting to look at the types of data breach attracting fines. The majority are not related to cyber-attacks but are breaches caused by human error:
- An employer monitoring its employees during their work day without their knowledge
- An employer failing to use reasonable security methods to secure employee information
- A medical clinic accidentally handing over a copy of a handicapped person’s ID card to the wrong person
- A fire department accidentally recording all incoming and outgoing phone calls, instead of only recording emergency calls
- Bank customers able to see the bank statements of third parties through online banking
What about the rest of 2019?
The message coming from the regulators is that the past year has been a transition year, with some watchdogs saying they are just warming up.
We had the pleasure of speaking alongside Anna Morgan, Head of Legal and Deputy Commissioner for the Data Protection Commission, at a Privacy and Data Protection Law Conference hosted by the Irish Centre for European Law in Dublin on 23 May 2019. The DPC provided some very insightful information on what has been keeping their office busy over the past year. They spoke about consistency and cooperation with other Supervisory Authorities through use of the Internal Market Information (IMI) system, and the difficulties experienced when each regulator takes a different approach to using the system.
We heard about the DPC's proactive priorities and its intention to start looking at cookies and banners and, separately, at the appointment of DPOs within organisations and, where no DPO has been appointed, why that is so.
There is no shortage of media articles questioning when the DPC is going to issue a fine. The DPC’s talk provided a good understanding of all the other work the DPC is involved in and went some way towards explaining why a fine has not been issued to date.
The decisions by the Austrian and German Supervisory Authorities to issue fines and penalties regarding the improper processing of employee data are important case studies for every HR professional.
This article is correct at 07/06/2019
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.