The General Data Protection Regulation became effective on May 25, 2018. Since that time, European data protection authorities have aggressively initiated enforcement actions and levied numerous fines.
For example, the U.K. Information Commissioner’s Office (ICO) recently charged a Canadian company with misusing the personal data of U.K. individuals, such as names and email addresses, for targeted advertising purposes. According to the ICO, the company violated numerous GDPR provisions pertaining to the lawful, fair and transparent manner in which personal data must be processed. The ICO also cited a provision of the law which states that information processing must be “relevant and limited to what is necessary in relation to the purposes for which they are processed.” The company was ultimately ordered to delete U.K. individuals’ information. The matter is being appealed.
In France, La Commission Nationale de L’Informatique et des Libertes determined that a mobile ad network unlawfully obtained the bundled consent of tens of millions of people. According to the French regulator, “bundling consent to partner processing in a contract is not valid consent.” Here, the company was ordered to modify its consent protocols and delete unlawfully collected data.
In Portugal, the Comissao Nacional de Proteccao de Dados fined a hospital 400,000€ for allegedly permitting too many employees to access sensitive patient data. Issues also allegedly existed with respect to whether various employees actually needed to access such data. This matter is also currently being appealed.
In Germany, the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg issued a fine of 20,000€ following a data breach at a social media company. Here, a hacker gained access to the passwords and email addresses of hundreds of thousands of users. The regulator concluded that a violation of GDPR occurred because the passwords were not pseudonymized or encrypted.
In Austria, the Osterreichische Datenschutzbehorde recently issued a fine of 4,800 euros to a retail company that allegedly used a surveillance camera in violation of GDPR’s notice and transparency requirements. According to the Austrian DPA, the surveillance camera captured too much of the sidewalk, and large-scale monitoring of public spaces is not permitted under the GDPR. The camera was also allegedly not sufficiently marked as conducting video surveillance. The amount of the fine was moderate, and the deputy director of the DPA stated that fines should be proportionate to annual income. The Austrians currently have more than 115 fine proceedings pending and have initiated 58 ex officio investigations.
At present, there is some debate as to whether GDPR fines are insurable. There are a number of potential factors when assessing this issue, including the country at issue. Either way, it is crucial for digital marketers to ensure compliance with applicable state, federal and international data privacy requirements. EU regulators will not hesitate to initiate investigations and enforcement actions.
Richard B. Newman is an FTC defense lawyer at Hinch Newman LLP. He is a member of the International Association of Privacy Professionals.
ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777