Across Europe, data protection supervisory authorities are beginning to step up their enforcement of the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.
On 3 October 2018, Ireland's Data Protection Commission (DPC) announced that it had commenced an investigation into Facebook as a result of a widely publicized data breach in which Facebook initially revealed that almost 50 million (later revised to 30 million) of its users had been exposed to a vulnerability which had enabled hackers to gain control of people's accounts and access their personal data. Of those 30 million users, the names and contact details of 15 million were exposed, whilst 14 million had additional personal data exposed, including names, contact details, gender, relationship status and recent location check-ins.
The DPC announced that its investigation would specifically focus on Facebook's compliance with the requirement arising under the GDPR to implement technical and organizational measures to ensure the security and safeguarding of the personal data it processes. The results of the Irish investigation could have significant consequences for Facebook and for the wider enforcement of the GDPR across Europe. Facebook could be faced with a hefty fine of up to 20 million Euros or 4% of its worldwide annual turnover of the preceding financial year, whichever is higher. With reported revenues in 2017 of close to 40.6 billion USD, Facebook could be facing a fine of over 1.6 billion USD, in the admittedly very unlikely case that the DPC would choose to impose the highest fine available to it. The DPC has an early opportunity not only to show that the GDPR has teeth and will be enforced stringently even against the internet's giants, but also to provide some much-needed clarity as to the substantive requirements of the technical and organizational measures required under the GDPR. It remains to be seen exactly what results the DPC's investigation will yield.
The DPC is not alone in escalating its enforcement of the GDPR. Several other data protection authorities across Europe have also been busy with enforcement activities of their own. Notably, the Portuguese authority CNPD announced that it had fined a hospital 400,000 Euros owing to its insecure IT system. The system allowed staff to access patient records by using false profiles. An audit by the CNPD is yet to be made public, but it has been widely reported that, despite having just under 300 doctors, the hospital had almost 1000 registered profiles on the IT system. The hospital has announced that it is appealing the decision.
France's CNIL announced in November that the consent collected by the company VECTUARY by means of software development kits (SDKs) embedded in mobile apps, for the creation of its advertising profiles, does not comply with the standards of the GDPR and is invalid. The SDK enabled the collection of geolocation data and the mobile advertising ID, which was cross-referenced with points of interest determined by the partners and then used to display targeted advertising on the device based on the locations visited. CNIL determined that the consent collected did not conform to the GDPR because, inter alia, the obligations to inform were not adhered to when the user downloaded the mobile applications, the consent was only collected after processing had already taken place, the user was often unable to download the application without activating the SDK, and data collection occurred by default. CNIL has ordered the company to delete the data already collected and to collect valid consent from all users.
Finally, in November, the Bavarian State Agency for Data Protection Supervision (BayLDA) announced that it had already conducted a raft of data protection audits of companies based in the southern German state. These audits focused particularly on the security of online shops, the ability of big companies to evidence compliance with the Regulation, the compliance of companies with their obligation to inform job applicants about the processing of their data, and the implementation of the GDPR in small and medium-sized enterprises. The BayLDA has already begun its next round of audits, centered on compliance by businesses with the GDPR when selecting sub-contractors and also on the erasure of data.
These examples are just a small sample of the numerous regulatory enforcement activities taking place across Europe with ever-increasing frequency. The supervisory authorities have been provided with legislation which has empowered them across the EU and enabled them to take firm and decisive action against those not abiding by the GDPR. The frequency and intensity of such enforcement can be expected to increase in the coming months, and it may only be a matter of time before the first large fine is issued.
This contribution was created in collaboration with Sam Cross. If you have any questions on this topic, do not hesitate to contact Dr Axel von Walter.