It’s been a little over a year since the EU General Data Protection Regulation (GDPR) came into force, and in that time it has become clear that dealing with data breaches is now routine work for EU data protection authorities.
According to the European Data Protection Board, the majority of the cases were related to complaints, notably 94,622, while 64,684 were initiated on the basis of data breach notifications by the controller.
In the list provided by the GDPR Enforcement Tracker, 16 EU countries have already imposed fines and penalties, totalling roughly €51,980,118, with the highest fines coming out of France, Portugal and Spain. The vast majority of that total comes from the €50 million fine France’s CNIL issued to Google in January 2019.
The CNIL’s sanction is based on three key problem areas:
- Lack of transparency: The CNIL has argued that relevant information is not easily accessible to Google’s users because it is scattered and hidden.
- Deficiencies in information: According to the CNIL, there is a vagueness and ambiguity in the drafting of basic information around data processing.
- Lack of consent: A lack of legal basis for the processing of data for personalised advertisements is included in the deficiencies already described, since the CNIL considers that the information provided to the user in this sense is not sufficient. In addition, the withdrawal options are neither clear nor easy to access, and consent is marked by default, without the user’s positive action.
The Portuguese Data Protection Authority (CNPD) took its first action on 17 July 2018, when it issued a €400,000 fine to a hospital because staff, psychologists, dietitians and other professionals had access to patient data through false profiles.
The national football league (LaLiga) was fined €250,000 by the Spanish Data Protection Authority (AEPD) for offering an app which, once per minute, accessed the microphone of users’ mobile phones in order to detect pubs screening football matches without paying a fee. The app did not inform users of this practice and did not meet the requirements for withdrawal of consent.
In the UK, the Information Commissioner’s Office (ICO) has given out numerous fines, but none have yet exceeded the £500,000 maximum penalty. In October 2018, the ICO issued Facebook the maximum possible fine of £500,000 for failing to protect users’ personal information and for its role in the Cambridge Analytica scandal.