WhatsApp Slapped with €225 Million GDPR Violation Penalty

WhatsApp has been fined €225 million ($265 million) by the Irish Data Protection Commission (DPC) for violations of the EU General Data Protection Regulation’s (GDPR) requirements for transparency about the processing of the personal data of EU data subjects.

The DPC launched an inquiry into WhatsApp in December 2018. The inquiry was narrow in scope and looked solely at compliance with the data processing transparency requirements of the GDPR.

The DPC identified several “severe” violations of the GDPR. The violations included a lack of transparency about the sharing of personal data of app users with companies owned by its parent company Facebook, a failure to provide users and non-users of its app with clear, transparent, or sufficient information about the level of data processing, a lack of sufficient granularity regarding the legal basis for some of the data processing activities, and WhatsApp’s statement about the transfer of data to non-EEA jurisdictions was deemed to be adequate. The DPC determined WhatsApp had failed to meet the transparency requirements of Articles 12-14 of the GDPR and issued a draft decision in December 2020 suggesting a financial penalty of between €30-€50 million to resolve the case.

The Irish DPC is the lead supervisory authority in the EU as WhatsApp and its parent company Facebook have their European base in Dublin, Ireland; however, since the data processing activities of WhatsApp span several countries, the draft decision of the DPC was reviewed by other supervisory authorities in the EU. Eight of those supervisory authorities objected to the DPC’s draft decision and called for a far greater financial penalty to be imposed.

The objections were referred to the European Data Protection Board (EDPB) as the Irish DPC was unable to reach an agreement with the objecting supervisory authorities. According to the EDPB, “This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision.”

The EDPB determined that the turnover of Facebook should have been taken into consideration when determining an appropriate GDPR fine since the DPC had presented both Facebook and WhatsApp as a single undertaking in the draft decision. The total turnover of both the parent company and the subsidiary therefore needed to be considered. The failure to ensure transparency was determined to be in violation of Article 5(1)(a) of the GDPR due to the “gravity and the overarching nature and impact of the infringements.”

Following the ruling of the EDPB, the DPC increased the financial penalty fourfold. In addition to the financial penalty, WhatsApp has been ordered to bring its data processing in line with the GDPR.

WhatsApp has issued a statement announcing its intention to appeal the fine. The appeals process is likely to take some time, so it may well be years before the fine is actually paid.

The financial penalty is the highest ever imposed by the Irish DPC to resolve GDPR violations. Should the penalty stand, it will be the second largest fine to resolve GDPR violations to date, behind the €746 million financial penalty imposed on Amazon by the Luxembourg supervisory authority in July. That penalty is also being appealed.

The post WhatsApp Slapped with €225 Million GDPR Violation Penalty appeared first on HIPAA Journal.

Record GDPR Fine of $886 Million Imposed on Amazon

The Luxembourg Data Protection Authority – Commission Nationale pour la Protection des Données (CNPD) – has slapped Amazon with a €746 million ($886 million) financial penalty to resolve alleged violations of the EU General Data Protection Regulation (GDPR).

The GDPR, which took effect on May 25, 2018, gave EU citizens new rights over their personal data and placed restrictions on uses and disclosures of personal data by individuals and companies doing business with EU citizens.

In 2018, the French privacy advocacy group La Quadrature du Net filed a complaint with CNPD over Amazon’s alleged violations of the GDPR. CNPD has jurisdiction as Amazon has its European headquarters in Luxembourg. The financial penalty will close that complaint, although Amazon is planning to appeal the fine and that process is likely to take several months or years.

The complaint related to how Amazon obtains consent from consumers to use their personal data for delivering targeted advertisements. CNPD has not publicly disclosed the exact nature of the alleged violations and issued a statement saying it is against Luxembourg law to comment on individual legal cases.

The fine was imposed on Amazon on July 16, 2021 and was disclosed by the retail giant in its July 30 Q2 Securities and Exchange Commission (SEC) filing. Amazon said the fine is “without merit” and that it will be rigorously defending itself in this matter. “We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” said Amazon in a statement.

The GDPR violation penalty is substantial, but it could have been far higher. The maximum penalty for a violation of the GDPR is €20 million, or 4% of global annual revenue for the previous year, whichever is higher. In 2020, Amazon generated $386 billion in revenue globally, so the maximum financial penalty would have been $15.4 billion.

While massive financial penalties are possible for egregious violations of the GDPR, in the three years that compliance with the GDPR has been enforceable there have been few large fines. The previous record, set in 2020, was the €50 million ($59.4 million) fine for Google that was imposed by the French Data Protection Authority, followed by the €35 million ($41.6 million) fine for the clothing retailer H&M (Germany), and the €27.8 million ($33 million) fine for Telecom Italia (Italy).

Twitter Hit with $544,000 Penalty for Violating GDPR Data Breach Provisions

Twitter has been hit with a €450,000 ($544,600) financial penalty for violations of the data breach provisions of the EU’s General Data Protection Regulation (GDPR). The fine was issued by the Data Protection Commission (DPC) in Ireland over a privacy breach reported to the DPC by Twitter in January 2019.

The DPC received a breach notification from Twitter International Company on January 8, 2019 and an investigation was commenced on January 22, 2019 to determine whether Twitter was in compliance with its responsibilities under the GDPR.

Twitter had received a notification from a researcher on December 26, 2018 advising the company about the flaw. Twitter users have the option of having their Tweets protected or unprotected. If Tweets are protected, only a specific set of individuals are able to view those Tweets – the individual’s followers. Unprotected tweets are in the public domain and can be viewed by anyone.

The bug changed protected Tweets to unprotected Tweets without the user’s knowledge if the user changed the email address associated with their account on an Android device. Twitter determined the bug was introduced on November 4, 2014 but was unable to determine which users were affected prior to September 5, 2017. The issue was corrected on January 11, 2019. Between September 5, 2017 and January 11, 2019, 88,726 EU and EEA users had been affected.

Article 33(1) of the GDPR requires companies to notify the appropriate Data Protection Authority within 72 hours of the discovery of a data breach. The Irish DPC found Twitter to have violated this GDPR provision. Article 33(5) of the GDPR requires companies to promptly document a breach and detail the data involved and the measures that have been taken to address the breach to allow the data protection controller to assess compliance. The DPC found Twitter had failed to adequately document its breach.

A financial penalty was deemed appropriate and was issued as “an effective, proportionate, and dissuasive measure,” according to a statement issued by the DPC.

Twitter worked closely with the DPC, fully assisted in the investigation, and accepted there had been a failure in its incident response process. “An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72-hour statutory notice period,” said Damien Kieran, Twitter’s chief privacy officer and global data protection officer, in a statement. “We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.”

This is the first cross-border penalty to be issued by the Irish GDPR watchdog and, while sizeable, is a tiny fraction of the penalty that could have been issued. The maximum penalty for a GDPR violation is €20 million ($24.2 million) or 4% of global annual turnover, whichever is greater.

The maximum financial penalty would have been €138 million ($168 million). The fine therefore equates to around 0.1% of global annual turnover for 2019, or around 1.5 hours of revenue for Twitter.

ICO Fines Marriott International £18.4 Million for GDPR Violation

The Information Commissioner’s Office (ICO), the data protection authority in the United Kingdom, has imposed an £18.4 million ($23.8 million) financial penalty on Marriott International for violations of the EU’s General Data Protection Regulation (GDPR).

The ICO investigated Marriott over its massive data breach that affected 339 million customers, 30.1 million of whom reside in the EU including 7 million in the UK. The ICO investigators identified multiple security failures and determined Marriott had failed to implement appropriate technical and organizational measures to protect the personal data of EU citizens being processed on its systems, in violation of the GDPR.

The data breach in question affected Starwood Hotels and Resorts Worldwide, which Marriott acquired in 2016. In July 2014, hackers attacked Starwood and installed a web shell on one of its websites, which allowed them to access a server and install a remote access Trojan that gave the attackers persistent access. The attackers were able to explore the network and used the Mimikatz tool to steal passwords, then installed malware that allowed them to steal payment card data and personal information. The attackers had full access to the initial compromised device and other devices on the network which the compromised account had access to. The breach was discovered four years later.

The types of data stolen by the attackers varied from individual to individual and may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership numbers.

The financial penalty could have been considerably higher. Under the GDPR, companies found to have violated GDPR provisions can be fined up to €20 million (£18,077,500 / $23,582,460) or 4% of global annual turnover, whichever is greater. In 2019, the ICO announced its intention to fine Marriott £99.2 million ($128.2 million) for the data breach but after considering Marriott’s representations, the speed and thoroughness of its breach response, and the impact COVID-19 has had on the hotel group, the decision was taken to reduce the financial penalty.

The ICO notes that when the breach was discovered, Marriott acted quickly and reported the breach to the appropriate data protection authorities and promptly notified affected customers. Since the breach, Marriott has implemented a range of new measures to improve system security and rapidly detect breaches should they occur. Marriott has issued a statement confirming it will appeal the financial penalty.

Google Slapped with $8 Million GDPR Penalty

Google has been slapped with a 75 million kroner ($7.8 million) GDPR fine by the Swedish Data Protection Authority (DPA) over the failure to comply with ‘right-to-be-forgotten’ requests from EU citizens to have webpages removed from its search engine listings.

The right to be forgotten in the EU predates GDPR. It was first introduced in EU legislation in 2014 following a ruling by the Court of Justice of the European Union in the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González. The law requires search engines to remove links to freely accessible webpages that appear in search results generated from a search of an individual’s name, if that individual requests that the listing be removed and if certain conditions are satisfied.

GDPR strengthened the right to be forgotten. If a request is received from an EU citizen who wishes to exercise the right to be forgotten, provided the request does not collide with the right of freedom of expression and information, “personal data must be erased immediately where the data are no longer needed for their original processing purpose, or the data subject has withdrawn his consent and there is no other legal ground for processing.”

Google has received millions of requests from EU citizens to have content delisted and approximately 45% of those requests have been fulfilled.

The Swedish DPA conducted an audit of Google in 2017 to assess how Google was handling requests to delist webpages indexed by its search engine and Google was ordered to delist several webpages.

In 2018, the Swedish DPA followed up on the audit and discovered Google had not delisted all the search results detailed in the order. The GDPR fine relates to two of the listings Google was ordered to remove. In one case, Google’s interpretation of the web addresses that needed to be removed was determined to be too narrow. In the second case, Google failed to delist the search result listing without undue delay.

The Swedish DPA also found that when Google delists webpages, notifications are sent to website owners alerting them about the removal of the content from its listings, and information is provided about who made the request. These notifications ensure website owners are made aware of the delisting, but as a result the website owners can simply republish the delisted content on a different URL.

The Swedish DPA said that this approach undermines the effectiveness of the right to be forgotten, stating “Google does not have a legal basis for informing site owners when search result listings are removed, and furthermore gives individuals misleading information by the statement in the request form.”

“We disagree with this decision on principle and plan to appeal,” said a spokesperson for Google in a statement about the financial penalty. Under EU law, the appeal must be launched within 3 weeks.

German Telecoms Firm Slapped with $10.56 Million GDPR Penalty

A data protection authority in Germany has issued one of the largest ever GDPR penalties to the telecommunications and hosting firm 1&1 Telecommunications. The fine was issued for a failure to implement appropriate technical and administrative measures to authenticate individuals in its call centers.

1&1 Telecommunications, a subsidiary of United Internet Group, is one of the largest telecommunications and mobile service providers in Germany. The firm was investigated by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) after a report was received that the only information required to authenticate customers in its call centers was a name and date of birth – information that can easily be found on social media sites. If a correct name and date of birth was provided, it was possible to obtain an extensive range of sensitive information on customers.

BfDI determined that 1&1 Telecommunications had failed to comply with Article 32 of the EU’s General Data Protection Regulation. Article 32 requires appropriate technical and administrative measures to be put in place to protect the processing of personal data. The inadequate authentication measures meant the confidentiality of customer data was put at risk. Since the failure had potential to place its entire customer base at risk, a financial penalty was deemed appropriate.

On December 9, BfDI announced that a penalty of €9.55 million ($10,556,000) had been issued. The financial penalty took into account the relatively small size of the company and the level of transparency and cooperation in the investigation. When contacted by BfDI and advised about the GDPR violation, 1&1 Telecommunications implemented an additional authentication measure and cooperated fully with the investigation. The company also continued to improve its authentication processes and will now require customers to provide a PIN before any data is disclosed.

1&1 Telecommunications believes the fine is disproportionate and that the fine was calculated based on wider company sales. The telecommunications company will appeal the fine and is considering suing BfDI. While the financial penalty is significant, it is much lower than the maximum possible penalty for a GDPR violation, which is €20 million ($22,110,800) or 4% of global annual turnover, whichever is greater.

This is the second multi-million Euro GDPR penalty to be issued in Germany in the past two months. In October, the Berlin Data Protection Authority, Berliner Beauftragte für Datenschutz und Informationsfreiheit, imposed a €14.5 million ($16.26 million) penalty on the German property company Deutsche Wohnen. The company was storing data on current and former tenants in a system that did not allow data to be deleted. Data was being retained long after the purpose for which the information had been collected had been satisfied.

BfDI also announced on December 9 that a €10,000 ($11,033) financial penalty was imposed on Rapidata GmbH for a violation of Article 37 of GDPR. The company had failed to appoint a data protection officer, despite repeated requests from BfDI.

The State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate also issued a GDPR fine in December. A hospital in the state of Rhineland-Palatinate in Germany must pay €105,000 ($93,525) to resolve violations of several provisions of GDPR related to patient admissions, which could easily lead to patient mix-ups. The investigation uncovered multiple technical and organizational failures related to patient and privacy management.

Sweden Issues GDPR Fine to School for Unlawful Use of Facial Recognition Technology

The Swedish Data Protection Authority (DPA) has issued its first ever financial penalty for a violation of the EU’s General Data Protection Regulation (GDPR).

The 200,000 SEK fine (€19,000/$21,000) was issued to a high school in Skellefteå which conducted a pilot study that used facial recognition technology to monitor student attendance. Assisted by IT company Tieto, the school used CCTV cameras and facial recognition technology to monitor the attendance of 22 students at school. The trial ran for three weeks in late 2018.

The aim of the trial was to determine whether facial recognition technology could be used in place of standard roll calls in classes. Under Swedish law, schools are required to conduct a roll call at the start of each lesson, which places a considerable administrative burden on teachers and reduces the time spent teaching students.

According to Tieto, the school was losing 17,280 hours a year simply marking attendance. That equates to 10 full time jobs.

The pilot was conducted with the best intentions but the DPA determined the school violated several articles of GDPR. GDPR was introduced to protect the privacy of EU citizens and give them much greater control over the use of their personal data.

The DPA determined the school unlawfully processed the biometric data of its students and failed to conduct a proper impact assessment. Facial recognition data is treated as sensitive information and requires greater protection than other, less-sensitive data types. The school also failed to notify the DPA about the pilot.

The school maintained it had obtained consent from all students involved in the pilot, but the DPA determined the consent to be invalid as there was “a clear imbalance between the data subject [student] and the controller [municipality].”

The financial penalty could have been much more severe. The GDPR penalty structure permitted a maximum fine of €1 million ($1.1 million) for the violations.

Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine

The GDPR data protection authority in the Netherlands – Autoriteit Persoonsgegevens – has issued its first GDPR data breach fine to Haga Hospital in the Hague. Haga Hospital has been fined €460,000 ($516,000) for security failures that contributed to a privacy breach in 2018.

The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours and the breach will be investigated.

In this case, the breach involved a single patient’s records – a well-known Dutch person. Those records were viewed, without authorization, by several employees at the hospital. The Dutch News website named the patient as Samantha de Jong, also known as ‘Barbie’.

The GDPR investigation revealed the hospital had poor internal security controls for patient records, had failed to implement two-factor authentication, and was not regularly reviewing log files to identify unauthorized data access. The lack of appropriate security measures to protect personal data was in violation of GDPR requirements and a fine was deemed necessary. The hospital will now be monitored to make sure that security is improved. Further fines will be issued if security is not brought up to the standards demanded by GDPR.

The hospital has been given until October 2, 2019 to make the necessary improvements or a further fine will be issued at a rate of €100,000 every two weeks up to a maximum of €300,000. Haga Hospital has agreed to implement additional security measures to improve its security posture.

Last year, a similar fine was issued to Centro Hospitalar Barreiro Montijo in Portugal by the Portuguese data protection authority. The hospital had also failed to secure records and prevent unauthorized access from within the hospital. The Portuguese hospital was fined €400,000 for its security failures.

ICO Proposes $123 Million GDPR Fine for Marriott

Just a few days after the UK’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183 million ($230 million) for its 383 million-record breach comes another financial penalty for GDPR violations.

ICO has announced its intention to fine Marriott £99 million ($123 million) for its breach of around 339 million customer records, which was discovered in 2018.

The ICO is the UK’s GDPR supervisory authority. When a data breach is experienced that results in the exposure of EU citizens’ data, the breach must be reported to ICO within 72 hours of discovery. ICO investigates data breaches to determine whether GDPR rules were violated. ICO also investigates complaints about GDPR violations from consumers.

After receiving Marriott’s breach report in September 2018, ICO launched an investigation. It is not reasonable to expect companies to be able to prevent all data breaches but, under GDPR, reasonable and appropriate security measures should be implemented to reduce the risk of a breach to a low and acceptable level.

In Marriott’s case, the breach occurred at Starwood Hotels & Resorts Worldwide in 2014 when hackers gained access to a guest reservation database. Marriott purchased the hotel chain in September 2016 but failed to discover the compromised database until September 8, 2018.

ICO determined Marriott had failed to conduct sufficient due diligence on Starwood Hotels when it was negotiating its acquisition, and Marriott should have done more to secure its systems and protect the personal information of its customers.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Marriott cooperated fully with the ICO investigation and has already overhauled its security program and has improved its security posture. Marriott has 28 days to appeal the proposed £99,200,396 fine before ICO makes its final determination. “We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, president and CEO of Marriott.
