First GDPR penalties: who has already been punished

    The GDPR came into force more than six months ago, but regulators only recently began sending out the first penalty notices. This piece looks at the companies that have already received them.


    / photo Kiefer CC BY-SA

    A “soft start” for the GDPR


    The GDPR entered into force on May 25, 2018. By that date, every organization that stores or processes the personal data of EU residents had to update its user agreements and bring its processes into line with the regulation. Non-compliance carries a fine of up to twenty million euros or four percent of the violator's global annual turnover, whichever is higher.

    Not every company took the regulation seriously, though. According to a study by analysts at the Ponemon Institute, more than half of European and American organizations did not expect to meet all of the GDPR's requirements by the deadline. Several major publications, The Verge among them, therefore predicted that European regulators would give the new law a "soft launch": for a while they would not penalize violators, treating financial penalties as a last resort.

    Broadly, that is what happened; even large companies such as Facebook and Google went unpunished at first. Complaints against them were filed on the very first day the regulation applied by the Austrian lawyer and privacy activist Max Schrems. Schrems argued that the companies force users to consent to the processing of their personal data under the threat of losing access to the services ("forced consent"). The cases are still being examined, but in the author's view the charges may well be dropped in the end.

    Who has received fines anyway


    A few months after the GDPR took effect, European regulators hardened their stance. In November, the data protection authority of the German state of Baden-Württemberg (LfDI) fined Knuddels, a chat and dating app. It was the first GDPR penalty in Germany.

    In September the service discovered a breach through which roughly 330 thousand user credentials (e-mail addresses and passwords) leaked onto the internet. It turned out that the passwords had been stored in plain text files, with no hashing or encryption. The German regulator set the fine at 20 thousand euros. The amount was relatively small because Knuddels promptly reported the leak, cooperated with the authority, and agreed to introduce additional security measures.
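    The Knuddels case is the textbook failure mode: a stolen copy of a plaintext credential file is the passwords, no cracking required. The snippet below is an added example written for this article, not code from Knuddels or from any library; it shows the vulnerable store next to the hardened form (per-user salt, scrypt key stretching, constant-time comparison) and a one-off migration from one to the other. The sample record and the scrypt work factors are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of the failure mode: credentials kept as plain text.
# Anyone who copies this mapping has every password immediately.
PLAINTEXT_RECORDS: Dict[str, str] = {"alice@example.com": "correct horse battery staple"}

# scrypt work factors (assumed values; tune so one login costs ~100 ms on your hardware)
N, R, P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: equal passwords give different records
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return "$".join(["scrypt", str(N), str(R), str(P), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected)
        )
    except (ValueError, TypeError):
        return False  # malformed record: deny, never fall through to an allow path
    return hmac.compare_digest(actual, expected)


def migrate(plaintext_records: Dict[str, str]) -> Dict[str, str]:
    """One-off migration of a plaintext store into hashed records (then delete the plaintext)."""
    return {user: hash_password(pw) for user, pw in plaintext_records.items()}


if __name__ == "__main__":
    hashed = migrate(PLAINTEXT_RECORDS)
    for user, rec in hashed.items():
        print(user, rec)
        assert verify_password(PLAINTEXT_RECORDS[user], rec)
        assert not verify_password("wrong password", rec)
```

    Storing the parameters inside each record lets you raise the work factors later and re-hash users transparently at their next successful login, which is how a store like this is kept ahead of GPU cracking over time.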


    / photo Stock Catalog CC BY

    Another GDPR penalty that became known in the autumn was imposed by the Portuguese data protection authority (CNPD) on a Portuguese hospital. A flaw in its medical records system allowed access to patient data through fake employee profiles: the system held 985 accounts with doctor-level privileges, although only 296 doctors worked at the hospital. The institution was ordered to pay 400 thousand euros.

    The first case in which the maximum GDPR penalty was put on the table also appeared. The UK regulator (ICO) served the Canadian consultancy AggregateIQ with an enforcement notice over its unlawful collection and processing of social network users' data for targeted political campaigns, warning that non-compliance could bring the maximum fine of twenty million euros. AggregateIQ is appealing the notice, but the company may well end up paying.

    Who else can get a fine


    So far, the fines imposed for GDPR violations (apart from the maximum penalty threatened in the AggregateIQ case) remain small compared with the ceiling the regulation allows. However, data protection expert and information security author Guy Bunker believes the law "will show more teeth." Data leaks occur almost daily, so Bunker expects fines to grow significantly in the near future.

    Information security consultant Benjamin Ellis agrees. In his view, regulators have so far been willing to help companies "patch the gaps" in their security and have hardly applied penalties at all, but in 2019 violators will be treated more severely.

    One of the first major "GDPR victims" of the coming year could be Microsoft. A privacy impact assessment commissioned by the Dutch government accused the company of collecting user data, including IP addresses and e-mail headers, through the telemetry of its Office applications. Some of that data was sent to servers in the United States without the safeguards the GDPR requires for transfers outside the EU, and users were not told that any telemetry was being collected at all.

    Another big fine may soon hit Facebook. In September the social network was hacked and attackers obtained access tokens for roughly 50 million accounts. European regulators are now investigating whether negligence on Facebook's part led to the leak and how many EU citizens were affected. Facebook could be required to pay up to four percent of its global annual turnover, which press estimates put at more than 1.6 billion dollars.

    It is reasonable to expect that penalties for mishandling users' personal data in Europe will only grow next year. The ePrivacy Regulation, expected to begin applying in 2019, will add fuel to the fire.

    It will further tighten the rules for working with cookies and add headaches for IT companies. Its penalties are also high: depending on the type of infringement, up to ten million euros or two percent of annual turnover, or up to twenty million euros or four percent of annual turnover.


