Regulatory Enforcement Update – December 2019
As a follow-up to our first round-up in July this year, Regulatory Action so far in the UK and EU, I’ve taken a further look at the areas where organisations are being found lacking and where fines are being imposed.
In the summer the UK Regulator issued ‘Notices of Intention’ to fine Marriott and British Airways. The figures were eye-watering, but we still await the final outcome in both cases. Since then the ICO has issued a few fines, all under the previous legislation (the DPA 1998 and PECR). For example, a Swansea double-glazing company was fined £150,000 for unsolicited marketing calls, and Making it Easy Ltd was fined £160,000, also for spam calls. Hudson Bay Finance was fined for failing to respond to a Subject Access Request. It’s fair to say many are anticipating more action by the UK Regulator in 2020.
Latest news: On 20th December the ICO issued its first fine under GDPR, £275,000 to a London-based pharmacy for failing to keep special category data secure. More details here.
Meanwhile, GDPR enforcement elsewhere in the EU
What infringements of GDPR are attracting regulatory action? Here’s a non-exhaustive summary:
Inadequate Technical and Organisational Measures
The requirement to implement appropriate Technical and Organisational Measures (TOMs) is not new, but GDPR goes further than previous legislation in suggesting the kinds of security measures that might be considered “appropriate to the risk”. There have been a number of recent fines in this area, including the following…
A German telecoms provider was fined this month by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for failing to implement sufficient authentication procedures to prevent unauthorised people from accessing customer data via its telephone customer service. Callers could obtain a significant amount of personal data simply by giving a customer’s name and date of birth, details that are neither secret nor hard to obtain. Fine: €9.5 million
In November the Romanian DPA fined ING Bank following online payment problems in which customers’ payments were processed twice and the bank took double the correct amount from their accounts. Fine: €80,000
Inadequate security was cited as the reason for a fine in the Netherlands in October, when the employee insurance agency (UWV) did not use multi-factor authentication for access to an online employer portal. Fine: €900,000
In September the Polish DPA fined an online retailer, Morele.net, following a cyber-attack in which more than two million customer records were stolen. The Authority found the retailer did not have adequate authentication controls and that its monitoring for potential threats was ineffective. Fine: €644,780
Following the biggest personal data breach in Bulgaria to date, in which the personal data of five million Bulgarian citizens was exposed, the National Revenue Agency was fined by the Data Protection Commissioner of Bulgaria (KZLD) in August for having highly insufficient measures for the protection of personal data. Fine: €2.5 million
Keeping Data too Long
A key challenge for many organisations is upholding the core data protection principle of ‘storage limitation’. In October we saw a multi-million euro fine issued in Germany for over-retention of personal data and other infringements. Fine: €14.5 million
So what happened? The real estate company, Deutsche Wohnen SE, was accused of having used an archiving system for the storage of personal data which did not allow for the erasure of the data when it was no longer necessary. The data retained included tenants’ payslips, self-disclosure forms, extracts from employment and training contracts, tax information, bank statements and health insurance data.
The Berlin DPA found three infringements: firstly, Deutsche Wohnen had no legal ground to store the data; secondly, it failed to meet the data protection by design requirements; and finally, it did not meet the ‘storage limitation’ principle.
It’s believed German DPAs are paying particular attention to personal data deletion, and the issue of organisations keeping personal data for longer than is necessary. Will other countries follow suit?
The DPN is currently working on industry-led Data Retention Guidance which we hope to publish early in 2020. A recording of our recent Data Retention Webinar is also available.
Failure to uphold individual rights
In November the French Data Protection Authority (CNIL) imposed a fine on Futura Internationale (a small company of fewer than 100 employees operating in the energy sector). CNIL had received a complaint from an individual who said they continued to receive phone calls despite repeatedly asking the company to stop. Futura Internationale was found to have ignored this and similar requests from others. It was also found to have failed to properly inform its customers about its data processing activities. Fine: €500,000
There was also a warning to take care that individual rights requests are handled within the specified time periods, with a fine issued in Romania against BNP Paribas Personal Finance in November for not acting on an erasure request within the one-month period set by GDPR. Fine: €2,000
Insufficient Legal Basis for processing
In October the Austrian Post was fined after it was found to have created profiles of more than three million Austrians, which included possible political affinity, which were subsequently resold to political parties and other companies. It was found to have done so unlawfully and culpably. It’s reported the Austrian Post will appeal this decision. Fine: €18 million
The Spanish DPA took action against Vueling Airlines in October for not giving users the ability to refuse its cookies. It was found that it was not possible to browse the airline’s website without accepting its cookies. Fine: €30,000 (reduced for prompt payment)
In a case that has received a fair amount of publicity, a school in Sweden was fined in October for trialling the use of facial recognition technology to monitor the attendance of students. Although the school obtained the consent of parents, the Swedish DPA did not accept this as a valid legal basis for collecting this sensitive personal data, given the imbalance of power between the school and the students. It was indicated that the fine would have been bigger if the three-week trial had continued for longer. Fine: €18,630
And finally, this month an internet provider in Germany was fined for not complying with its legal obligation to appoint a Data Protection Officer (DPO). Fine: €10,000
If you are based in the UK, the ICO has guidance on requirements to appoint a DPO.
What’s evident is that EU DPAs are clearly taking action, and more can be anticipated in 2020. Will they start to reach beyond EU-based companies in the New Year? Will we see fines for lack of accountability and for failures of data protection by design? See our 2020 Vision Privacy Predictions.
Philippa Donn, December 2019
If you want to keep track, here are some handy enforcement trackers.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.