GDPR is six months old: Any losers so far?


The General Data Protection Regulation (GDPR) has been in effect since May 25th, 2018. The regulation imposes stricter rules on organizations that handle EU citizens’ personal data. Concerned about the possibility of large fines, companies have been scrambling to comply.

This month marks the six-month anniversary of GDPR. We decided to find out which companies have been fined so far and what precedent this sets for everyone concerned.

GDPR losers so far (effective fines)

1. German social media company fined for failing to protect user passwords

Fine: € 20,000; Reason: Storing passwords in plain-text format.

A German social media company received a relatively low fine of € 20,000 after a hacking attack resulted in its users’ login data being published on the web. The violation was that the company had not hashed or otherwise protected user passwords, which it was obliged to do under Art. 32 (1) of GDPR.
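The Art. 32 (1) point in this case is concrete enough to show in code. The following added example (not code from the fined company or from the article) contrasts the "before" pattern, a user table that holds raw passwords, with a salted, iterated hash using PBKDF2-HMAC-SHA256 from the Python standard library. The user table, the usernames and the iteration count are constructed assumptions; the practical point is that a leaked hashed record no longer contains the password itself.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory "user table" for illustration, not a real product's schema.
# 600,000 iterations is the OWASP-recommended floor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


# --- Before: the pattern behind the fine -------------------------------------
def store_plaintext(users: dict, username: str, password: str) -> None:
    """Stores the raw password: a dump of `users` is a dump of every password."""
    users[username] = {"password": password}


def check_plaintext(users: dict, username: str, password: str) -> bool:
    rec = users.get(username)
    return rec is not None and rec["password"] == password


# --- After: salted, iterated one-way hash ------------------------------------
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Returns a self-describing record: algorithm, work factor, salt and digest."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def store_hashed(users: dict, username: str, password: str) -> None:
    users[username] = hash_password(password)


def verify_password(users: dict, username: str, password: str) -> bool:
    rec = users.get(username)
    if rec is None:
        # Burn the same work for an unknown user so response time does not
        # reveal whether the username exists.
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    expected = bytes.fromhex(rec["hash"])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(rec["salt"]), rec["iterations"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, actual)


def record_reveals_password(rec: dict, password: str) -> bool:
    """What an attacker holding a leaked record learns: True if the password is in it."""
    return password in rec.values()


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "correct horse battery staple")
    store_hashed(hashed, "alice", "correct horse battery staple")
    print("plaintext record leaks password:", record_reveals_password(plain["alice"], "correct horse battery staple"))
    print("hashed record leaks password:", record_reveals_password(hashed["alice"], "correct horse battery staple"))
    print("login with right password:", verify_password(hashed, "alice", "correct horse battery staple"))
    print("login with wrong password:", verify_password(hashed, "alice", "Tr0ub4dor&3"))
```

Storing the algorithm name and iteration count next to each digest is what lets the work factor be raised later without locking existing users out: old records keep verifying with their recorded parameters and are re-hashed on the next successful login.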

2. Austrian betting shop fined for excessive video surveillance

Fine: € 4,800; Reason: Video surveillance of a public sidewalk.

The owner of an Austrian betting shop put up a CCTV camera in front of his store. Apparently, someone took issue with the camera not being clearly marked as performing video surveillance. In addition, it recorded a large portion of the sidewalk, so passers-by were being filmed without the camera’s presence being explicitly disclosed to the public. Since GDPR forbids undisclosed surveillance, the entrepreneur was fined € 4,800.

Eva Škorničková of GDPR.cz says:

"[Those who perform video surveillance] should take all appropriate measures to provide the monitored persons with information in a brief, transparent, comprehensible and easily accessible manner concerning the processing of their data by the camera system, especially when it comes to data about children. This means that when I enter a shop where cameras are watching me, besides the sign with information about cameras, I have the right to know the details of the recording, and the administrator should make this information available in writing or by other means in printed or electronic form."

3. Portuguese hospital fined over excessive access to patient records

Fine: € 400,000; Reason: Unnecessary access to patient data granted to employees.

A Portuguese hospital that uses patient management software was fined € 400,000 for granting nearly 1,000 employees doctor-level access to the system. The hospital had 985 registered doctor profiles, while only 296 doctors worked there. In addition, doctors had unlimited access to patient data, even where some of the information was irrelevant to the doctor’s specialty.

The hospital fought back, saying that it was using a system provided to public hospitals by the Portuguese Ministry of Health. Whether it will end up paying the fine remains to be seen.
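The two failures in the hospital case, orphaned doctor profiles and record access not scoped to a doctor's specialty or patients, map onto two routine controls: an access policy that returns only the record sections a user may see, and an audit that reconciles system profiles against the staff roster. The example below is added here and is not the hospital's software; the roles, sections, specialties, staff roster and patient record are constructed for illustration, and the policy is an assumed one.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data; the policy below is an assumption for illustration.

@dataclass(frozen=True)
class User:
    user_id: str
    role: str           # "doctor", "nurse" or "admin"
    specialty: str = ""  # meaningful only for doctors


# Sections of a patient record, and who may read them (assumed policy).
ALWAYS_VISIBLE: Set[str] = {"patient_id", "name"}
ROLE_SECTIONS: Dict[str, Set[str]] = {
    "doctor": {"vitals", "medication", "allergies"},
    "nurse": {"vitals", "medication", "allergies"},
    "admin": {"billing"},
}
# Specialty notes are visible only to doctors of that specialty.
SPECIALTY_SECTIONS: Dict[str, Set[str]] = {
    "cardiology": {"cardiology_notes", "ecg"},
    "psychiatry": {"psychiatry_notes"},
}


def permitted_sections(user: User) -> Set[str]:
    """Least-privilege view: base sections for the role plus the doctor's own specialty."""
    allowed = set(ALWAYS_VISIBLE) | ROLE_SECTIONS.get(user.role, set())
    if user.role == "doctor":
        allowed |= SPECIALTY_SECTIONS.get(user.specialty, set())
    return allowed


def read_record(user: User, record: dict, care_team: Set[str]) -> dict:
    """Return only the sections `user` may see; deny entirely if not on the care team.

    `care_team` is the set of user_ids treating this patient (admins are exempt
    because they never see clinical sections at all).
    """
    if user.role != "admin" and user.user_id not in care_team:
        raise PermissionError(f"{user.user_id} is not treating patient {record['patient_id']}")
    allowed = permitted_sections(user)
    return {k: v for k, v in record.items() if k in allowed}


def audit_doctor_profiles(profiles: List[User], roster: Set[str]) -> List[str]:
    """Doctor profiles whose user_id is absent from the HR roster: the 985-vs-296 check."""
    return sorted(u.user_id for u in profiles if u.role == "doctor" and u.user_id not in roster)


# Constructed patient record (fictional).
RECORD = {
    "patient_id": "P-0001", "name": "J. Doe",
    "vitals": "BP 120/80", "medication": "atorvastatin", "allergies": "none",
    "cardiology_notes": "mild LVH", "ecg": "sinus rhythm",
    "psychiatry_notes": "confidential", "billing": "insured",
}
CARE_TEAM = {"d-card-1", "n-1"}

if __name__ == "__main__":
    cardio = User("d-card-1", "doctor", "cardiology")
    psych = User("d-psy-1", "doctor", "psychiatry")
    print(sorted(read_record(cardio, RECORD, CARE_TEAM)))
    try:
        read_record(psych, RECORD, CARE_TEAM)
    except PermissionError as e:
        print("denied:", e)
    profiles = [cardio, psych, User("d-ghost-1", "doctor", "cardiology"), User("n-1", "nurse")]
    print("orphaned doctor profiles:", audit_doctor_profiles(profiles, {"d-card-1", "d-psy-1", "n-1"}))
```

The roster reconciliation is the cheap part and is worth running on a schedule: a count of active doctor profiles that drifts far above the number of doctors on payroll is exactly the signal that went unnoticed here.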

Narrow escapes

In the following cases, the accused party either was fined or is facing a potential fine under older legislation. The same violations would have resulted in much greater penalties under GDPR.

1. British IICSA fined £200,000 under Data Protection Act 1998

Fine: £200,000; Reason: Bulk disclosure of personal information in an email blast.

In a rather bizarre case that seems to consist of one unlikely mistake after another, an employee of the British IICSA (Independent Inquiry into Child Sexual Abuse) wanted to correct an error in a bulk email they had sent out about a court hearing. However, instead of writing to one recipient at a time, the staffer put ninety addresses of case participants into the "To" field.

Fifty-two of those addresses had full names attached to them, which allowed every recipient to see who else was on the list. Considering the sensitivity of the matter, the UK’s data protection authority issued the maximum fine possible under the Data Protection Act 1998. Had the same occurred under GDPR, the fine could have been up to 100 times greater.

2. Facebook fined £500,000 under Data Protection Act 1998

Fine: £500,000; Reason: Sharing too much data with app developers.

In October 2018, in the wake of the Cambridge Analytica scandal, the UK issued a £500,000 fine to Facebook for allowing app developers to gather user information without their explicit consent.

Cambridge Analytica, the company that helped Donald Trump with his 2016 presidential campaign, allegedly harvested millions of Facebook user profiles through a personality test app, which they built specifically for this purpose. A loophole in Facebook’s privacy policy allowed the app developer to gather data such as users’ private messages and their friends’ information to "improve the user experience." It is believed, though, that the data may have been used for other purposes.

As whistleblower Christopher Wylie said earlier to the press:

"We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on."

Facebook said it would appeal the fine (which, honestly, is a drop in the ocean for a company that reported $13.23 billion in revenue in Q2 2018). The social media giant said the UK’s stance on the issue sends a message Facebook can’t agree with: that users shouldn’t be allowed to share information freely on the web. That said, the fine could have been much greater had the incident not happened back in 2016, before GDPR took effect.

Suits under way

And here are some lawsuits still underway that may (or may not) result in actual fines.

1. AIQ is served a notice; could be fined if it doesn’t comply

AIQ, a Canadian company believed to be linked to Cambridge Analytica, has been served an enforcement notice by the UK’s ICO demanding that it remove any UK citizens’ personal data it may have on file. The overseeing body has threatened to fine AIQ the maximum amount possible under GDPR - up to €20 million or 4% of its annual turnover, whichever is greater - if the tech company doesn’t comply.

AIQ allegedly played a critical role in the UK’s Vote Leave campaign in 2016. Earlier this year, AIQ’s ties to Cambridge Analytica were revealed thanks to whistleblower Christopher Wylie. The two companies may have used similar or even identical targeting models to influence public opinion in both political campaigns: the US presidential election and the UK Brexit referendum.

2. Dutch government uncovers GDPR-noncompliant collection of Office usage data by Microsoft

The Dutch government is among Microsoft Office’s corporate users. Recently, it commissioned a contractor, Privacy Company, to investigate how Office usage data was being handled by Microsoft.

The report says Microsoft tracks some 25,000 types of events, most of which are not required to fulfil the company’s contractual obligations. For example, information such as email subjects and spell-checked or translated snippets of text has been collected. To make things worse, the data gathering has been going on covertly: Office users were not offered an option to stop the software from sharing their data and were not made aware that it was happening.

Now Microsoft could be faced with a multi-million-dollar fine, which may be reduced or avoided if the corporation cooperates (which it said it would) and manages to settle the issue.