Who has been fined – and what for?
DLA Piper – a US law practice – has published an analysis of the first 8 months of GDPR. Some points of note are as follows:
- 59,000 notifiable breaches involving personal data have been reported to EU regulators since May 2018, with the Netherlands, Germany and the UK leading the pack.
- By far the largest fine – €50m imposed on Google by France’s CNIL – was not for a personal data leak but for processing personal data without authorisation.
- German chat platform Knuddels.de (‘Cuddles’) was issued with a >€20,000 fine for storing users’ passwords in plain text. The fine would (and could) have been much higher, but the authorities took Knuddels’ co-operation into account, and a more substantial fine could have bankrupted the business. More interestingly, it is possible that the authorities chose to ignore a special provision of German data law: Section 43(4) of the German Federal Data Protection Act. This provision disallows facts disclosed in a breach notification report from being used in proceedings for fines unless the data controller has given prior assent.
- Austria’s data protection body imposed its first GDPR fine (€4,800) on a sports café whose security cameras surveilled too much of the street outside.
The Irish connection
GDPR is still in its infancy, and many of the regulators are still getting up to speed. Fines are expected to increase in size and frequency. Social media platforms are obviously huge repositories of personal data, and for tax reasons most US tech giants (Google, Facebook, PayPal, Yahoo, Microsoft, eBay, LinkedIn, Twitter, Airbnb, Apple, etc.) have their European headquarters in Ireland. This means that they fall under the purview of Ireland’s Data Protection Commission, whose 2014 headcount of 30 is now 130 and rising fast.
If you have concerns about any of the issues highlighted above, please contact us.
The information contained in this article is for discussion purposes only. Auditel does not offer regulatory or legal advice and qualified professional guidance should be sought where appropriate.
Article by: Steven Godfrey