GDPR Fines: Some Bark, Little Bite

Sunday, November 25, marked the "halfiversary" of the European Union's General Data Protection Regulation. In that time, organizations and governments alike have struggled with making sure they are up to par for GDPR compliance -- to much hoopla.

Indeed, after GDPR came into effect on May 25, there was no real slowdown in the fusillade of articles and blog posts warning, shouting, and kvetching about GDPR risks. More recent headlines from over the past month speculate that billion-dollar GDPR fines are just around the bend for major companies like Facebook and British Airways after their recent respective data breaches. (See Facebook's Data Breach: Will It Be First Test of GDPR? and British Airways Already Facing Lawsuits Following Data Breach.)

For the most part, however, what I predicted last year here on this point has thus far rung true -- that GDPR appears to have been more puff than plague in 2018. Data Protection Authorities (DPAs) are hardly zapping every company left and right with their maximum fining powers. (See My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype.)

DPAs clarify PHI stances
Still, DPAs are indicating that certain kinds of data are subject to greater scrutiny -- and greater punishment -- when it comes to how that information is guarded.

(Source: iStock)

In July, the Netherlands' DPA held that a public insurance body violated GDPR security standards by using only single-factor authentication on its employer portal instead of multi-factor authentication. The DPA specifically stated that multi-factor authentication was required because the employer portal allows access to employees' Protected Health Information (PHI).

Moreover, EU regulators are not screwing around when it comes to defining what constitutes PHI under GDPR.

In setting this specific standard for PHI, the DPA set another one as well. Reportedly, the public insurance body's portal contains minimal information about employee health -- only the dates of sick days, parental leave, and information related to when an employee is pregnant or gives birth; other than pregnancy, no information about employees' actual medical conditions is listed. Nonetheless, the DPA ruled that by merely existing on the portal to begin with, all of that information qualifies as PHI because it indicates that someone had or has a medical condition. Res ipsa loquitur.

The DPA ordered the public insurance body to conduct a new data-privacy impact assessment (DPIA) by October 31, 2018, and to implement appropriate security measures in line with its ruling by October 31, 2019. While no immediate fines were assessed, the DPA ordered that fines of €150,000 ($170,000) would be assessed against the public insurance body for every month of delay in complying with its order -- up to a maximum of six months' worth of fines.

Also in July, Portugal's DPA privately issued a GDPR fine of €400,000 ($450,000) against a hospital for allegedly allowing hospital-system users "unrestricted" access to PHI via temporary accounts. The hospital has announced its intent to appeal.

This not-yet-finalized six-figure fine, however, may so far be the exception as opposed to the rule.

Austria fines first
Only a couple of publicly levied fines for GDPR violations have come down from DPAs thus far. The first EU member state to publicly issue a fine under GDPR appears to have been Austria. This is no big surprise given the nation's recent history; in addition to being home to privacy activist and serial litigant Max Schrems (whose legal crusade against Facebook led to the fall of the EU-US Safe Harbor Principles), Austria was the only EU member state to vote against GDPR -- for not being strict enough.

In the instant case, Austria fined a small business under GDPR for installing a CCTV camera that recorded part of a public way -- without sufficient indication that there was a camera recording passersby. The fine, however, was modest -- €4,800 ($5,500).

DPAs decline to compete on fines
More recently, Germany's DPA announced that it had issued a GDPR fine against Knuddels -- a German social-networking site -- after the company suffered a data breach in which a minimum of 320,000 user credentials (and possibly as many as 1.8 million) were stolen. The fine amounted to €20,000 ($23,000) -- at first, a seemingly paltry sum considering that Knuddels had stored user credentials in plaintext (a veritable cybersecurity facepalm, with or without Article 32 of GDPR). This appears to have been Knuddels's only GDPR sin, however. The fine was mitigated because, according to Germany's DPA, Knuddels took swift and exemplary action in "immediately and comprehensively" notifying the DPA of the breach in compliance with GDPR, kept users informed in a timely manner, and extensively improved its IT-security posture in collaboration with the DPA.

Stefan Brink, Germany's State Commissioner for Data Protection and Freedom of Information, commented that his organization is not interested in competing over which DPA can issue the highest fines -- and instead is focused on the overarching goal of improving information security and data privacy.

This corresponds with comments last year from his opposite number in the UK, Elizabeth Denham, when she downplayed the hullaballoo over "massive" GDPR fines.

"[GDPR] is not about fines," wrote Denham in a since taken-down blog post (archived here). "It's about putting the consumer and citizen first. We can't lose sight of that."

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)