GDPR Enforcement Actions, Fines Pile Up

Advertising Law

Since the General Data Protection Regulation (GDPR) took effect on May 25, 2018, data protection authorities in the European Union (EU) have wasted no time in launching enforcement actions and issuing fines.

The U.K.’s regulator, the Information Commissioner’s Office (ICO), accused a Canada-based company of using personal data—including names and email addresses—of U.K. individuals to target them with political advertising messages on social media. AggregateIQ Data Services Ltd. was provided with the personal data by political groups (such as Veterans for Britain and Vote Leave).

AggregateIQ violated Article 5(1)(a), (b) and (c) of the GDPR, which require that personal data shall be “[p]rocessed lawfully, fairly and in a transparent manner in relation to the data subject” and shall be collected for specified, explicit and legitimate purposes and further processed only in a manner that is compatible with those purposes and is “[a]dequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,” the ICO said.

The ICO ordered the company to erase any personal data of U.K. individuals retained on its servers.

In France, La Commission Nationale de L’Informatique et des Libertes (CNIL) found that a mobile ad network illegally obtained the consent of more than 67 million people. Pursuant to the GDPR, consent must be specific, informed and freely given, but Vectuary’s consent was improperly gained, the regulator said, because “bundling consent to partner processing in a contract is not valid consent.”

The regulator ordered the company to change its consent practices and purge all data collected on the basis of the invalid consent previously obtained.

Other actions resulted in fines. The first occurred in Austria, where the Osterreichische Datenschutzbehorde (DPA) issued a 4,800€ fine to a retail company that used a surveillance camera that captured too much of the sidewalk. The retailer lacked the GDPR’s required notice and transparency, the DPA determined.

An even larger fine followed in Portugal, where the Comissao Nacional de Proteccao de Dados (NCPD) hit a hospital with a 400,000€ fine for allowing employees indiscriminate access to patient data. Barreiro Montijo lacked adequate staff to control access to patient information, the NCPD said, and, as a result, 985 persons associated with the profile “doctor” were granted access to the patient management system, despite the fact only 296 doctors actually worked at the hospital.

Germany’s State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) issued the most recent fine, of 20,000€, in November. Following a data breach at a social media company, in which a hacker stole and published the passwords and email addresses of roughly 330,000 users, the LfDI determined that by storing the passwords in plain text, the company ran afoul of the GDPR’s requirement to pseudonymize and encrypt personal data.

To read the ICO Enforcement Notice, click here.

To read the CNIL warning, click here.

Why it matters: EU regulators wasted little time launching investigations, taking enforcement action and fining entities for violations of the GDPR, although several recipients are appealing (including AggregateIQ and the Portuguese hospital). American companies subject to the requirements of the GDPR should ensure compliance, or they may face similar action. According to news reports, Austria’s DPA already has 115 U.S. proceedings pending and another 58 investigations underway.