Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //


09:35 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli

GDPR Fines: Some Bark, Little Bite

As Security Now says 'Happy Halfiversary' to GDPR, we take a look at what few GDPR fines and other DPA orders and guidance have been made public over the past six months.

Sunday, November 25, marked the "halfiversary" of the European Union's General Data Protection Regulation. In that time, organizations and governments alike have struggled with making sure they are up to par for GDPR compliance -- to much hoopla.

Indeed, after GDPR came into effect on May 25, there was no real slowdown in the fusillade of articles and blog posts warning, shouting, and kvetching about GDPR risks. More recent headlines from over the past month speculate that billion-dollar GDPR fines are just around the bend for major companies like Facebook and British Airways after their recent respective data breaches. (See Facebook's Data Breach: Will It Be First Test of GDPR? and British Airways Already Facing Lawsuits Following Data Breach.)

For the most part, however, what I predicted last year here on this point has thus far rung true -- that GDPR appears to have been more puff than plague in 2018. Data Protection Authorities (DPAs) are hardly zapping every company left and right with their maximum fining powers. (See My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype.)

DPAs clarify PHI stances
Still, DPAs are indicating that certain kinds of data are subject to greater scrutiny -- and greater punishment -- when it comes to how that information is guarded.

In July, the Netherlands' DPA held that a public insurance body violated GDPR security standards by using only single-factor authentication on its employer portal instead of multi-factor authentication. The DPA specifically stated that multi-factor authentication was required because the employer portal allows access to employees' Protected Health Information (PHI).

Moreover, EU regulators are not screwing around when it comes to defining what constitutes PHI under GDPR.

In setting this specific standard for PHI, the DPA set another one as well. Reportedly, the public insurance body's portal contains minimal information about employee health -- only the dates of sick days, parental leave, and information related to when an employee is pregnant or gives birth; other than pregnancy, no information about employees' actual medical conditions is listed. Nonetheless, the DPA ruled that by merely existing on the portal to begin with, all of that information qualifies as PHI because it indicates that someone had or has a medical condition. Res ipsa loquitur.

The DPA ordered the public insurance body to conduct a new data-privacy impact assessment (DPIA) by October 31, 2018, and to implement appropriate security measures in line with its ruling by October 31, 2019. While no immediate fines were assessed, the DPA ordered that fines of €150,000 ($170,000) would be assessed against the public insurance body for every month of delay in complying with its order -- up to a maximum of six months' worth of fines.

Also in July, Portugal's DPA privately issued a GDPR fine of €400,000 ($450,000) against a hospital for allegedly allowing hospital-system users "unrestricted" access to PHI via temporary accounts. The hospital has announced its intent to appeal.

This not-yet-finalized six-figure fine, however, may so far be the exception as opposed to the rule.

Austria fines first
Only a couple of publicly levied fines for GDPR violations have come down from DPAs thus far. The first EU member state to publicly issue a fine under GDPR appears to have been Austria. This is no big surprise given the nation's recent history; in addition to being home to privacy activist and serial litigant Max Schrems (whose legal crusade against Facebook led to the fall of the EU-US Safe Harbor Principles), Austria was the only EU member state to vote against GDPR -- for not being strict enough.

In the instant case, Austria fined a small business under GDPR for installing a CCTV camera that recorded part of a public way -- without sufficient indication that there was a camera recording passersby. The fine, however, was modest -- €4,800 ($5,500).

DPAs decline to compete on fines
More recently, Germany's DPA announced that it had issued a GDPR fine against Knuddels -- a German social-networking site -- after the company suffered a data breach in which a minimum of 320,000 user credentials (and possibly as many as 1.8 million) were stolen. The fine amounted to €20,000 ($23,000) -- at first, a seemingly paltry sum considering that Knuddels had stored user credentials in plaintext (a veritable cybersecurity facepalm, with or without Article 32 of GDPR). This appears to have been Knuddels's only GDPR sin, however. The fine was mitigated because, according to Germany's DPA, Knuddels took swift and exemplary action in "immediately and comprehensively" notifying the DPA of the breach in compliance with GDPR, kept users informed in a timely manner, and extensively improved its IT-security posture in collaboration with the DPA.

Stefan Brink, Germany's State Commissioner for Data Protection and Freedom of Information, commented that his organization is not interested in competing over which DPA can issue the highest fines -- and instead is focused on the overarching goal of improving information security and data privacy.

This corresponds with comments last year from his opposite number in the UK, Elizabeth Denham, when she downplayed the hullaballoo over "massive" GDPR fines.

"[GDPR] is not about fines," wrote Denham in a since taken-down blog post (archived here). "It's about putting the consumer and citizen first. We can't lose sight of that."

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)


Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.