The General Data Protection Regulation (GDPR) provides for a significant increase of the maximum possible fine for legal infringements compared to previous data protection legislation. Fines of up to 20 million euros or 4 percent of the worldwide annual turnover, whichever is higher, can be imposed (Art. 83 para. 5 GDPR). Yet, the first few months after the introduction of the GDPR in May 2018 were uneventful in this regard. That is now changing, however.
Supervisory authorities have now started imposing more fines. Especially noteworthy among these is the fine of 50 million euros imposed by the French supervisory authority, CNIL (Commission Nationale de l’Informatique et des Libertés), against Google LLC on 21 January 2019. CNIL identified several infringements by Google against data protection legislation. In the announcement on its website, CNIL justifies its decision by asserting that Google is not complying with its obligation to provide information to users, and its processing operations are not sufficiently transparent. In addition, user consent to process data for personalized advertising had not been validly obtained. Users were not provided with sufficient information prior to giving consent. Furthermore, the consent collected does not distinguish sufficiently between the individual processing operations.
CNIL explained that the amount of the fine was primarily based on the fact that the infringement was a continuous one that was still ongoing (at least until the CNIL ruling). As an aggravating circumstance, the infringement concerned a tremendous quantity of data relating to a variety of services with almost unlimited possible combinations. The widespread use of the Android operating system, owned by Google, means that many people have been affected by this data protection infringement. The fine imposed against Google illustrates the radical sanctions available to the supervisory authorities under the new legislation, as well as which criteria are considered when issuing fines.
In the meantime, increased fines have also been imposed in Germany. The State Data Protection and Freedom of Information Officer (LfDI) for Baden-Württemberg imposed a fine of EUR 20,000 against the “Knuddels.de” chat portal as early as November 2018. The company was the victim of a hacker attack in summer 2018 during which hackers captured personal data. One reason they were able to do this was that customers’ passwords were saved in plain text on the company server. In addition to this, Knuddels had neglected to install the new version of the operating system in good time.
However, in comparison with the current proceedings in France against Google, the amount of the fine remained low. According to the LfDI, this was because the company had cooperated well with the supervisory authority and had made the effort to quickly provide full and comprehensive information. In addition, the company suffered significant economic damage because of the data breach. A similar argument could have been applied in the fine proceedings against Google, although it would have been to the disadvantage of Google. The more data Google collects and stores (unlawfully, in this case), the greater the economic benefit for the company. CNIL explains that Google’s business model was at least partly based on personalized advertising and compliance with data protection legislation should therefore be their number one priority.
In total, the German supervisory authorities had issued 41 fines by mid-January 2019, according to a survey by 'Handelsblatt'. However, a number of other proceedings are already ongoing. The highest fine in Germany so far has been EUR 80,000. In this case, health-related data, which is sensitive personal data that requires special safeguards, was able to be viewed publicly.
Fine proceedings are often initiated by the authorities following complaints from data subjects, in particular dissatisfied employees or customers. In addition, a data breach must be reported by the controller or processor to the responsible supervisory authority within 72 hours pursuant to Art. 33 GDPR. This can also give rise to fine proceedings. Competitors also watch their rivals and report them to the authorities. And last but not least, the investigative powers of the supervisory authorities are not to be forgotten. The authorities have a number of tools available to be able to actively monitor controllers and processors. This includes access to premises, including data processing systems and equipment (Art. 58 para. 1 f) GDPR).
Some state data supervisory authorities are still hesitant to issue fines. However, companies should not rely on this. Rather, they should see the now publicized fines as a motivation to check their current data protection policy at regular intervals and adjust it where necessary. In the event of a data breach, it should be borne in mind that the supervisory authorities reward cooperative behavior and the desire to clarify the situation.