This is my selection of the top 5 data breach fines in the EU and the United Kingdom in 2021, many of which have featured in our Law and Media Round Ups over the past year.
- Amazon Europe Core S.a.r.l €746,000,000
Luxembourg’s National Commission for Data Protection issued a fine under the GDPR to Amazon Europe Core S.a.r.l. Amazon plans to appeal the penalty stating “there has been no data breach, and no customer data has been exposed to any third party… these facts are undisputed. We strongly disagree with the CNPD’s ruling.” Whilst Luxembourg’s national data protection law precludes the Commission from commenting on individual cases Amazon disclosed the fine in a filing of its quarterly results with the US Securities and Exchange Commission.
From what we can gather the fine came following a May 2018 complaint by La Quadrature du Net. The fine is by far the biggest under the GDPR to date.
Bloomberg has the initial report. The fine attracted much coverage from the BBC, Pinsent Masons and the Hunton Privacy Blog.
- Whatsapp Ireland Ltd €225,000,000
On 2 September 2021 the Irish Data Protection Commission announced a fine of €225,000,000 to Whatsapp. The investigation began on 10 December 2018 and it examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.
The case is notable due to its cross-border nature, which required data protection authorities in France, Germany and the Netherlands to consider it. The fine was considered by the European Data Protection Board, which mandated a reassessment and increase. WhatsApp disagreed with the fine, calling it “wholly disproportionate”.
The IAPP, Bird & Bird and Pinsent Masons have coverage of the fine.
- Notebooksbillinger.de €10,400,000
The State Commissioner for Data Protection in Lower Saxony fined notebooksbilliger.de AG €10,400,000, issued in December 2020. The Commission found that the company has been using video surveillance to monitor its employees for at least two years without any legal justification. Areas recorded included workspaces, sales floors, warehouses and staff rooms.
Whilst the company argued the cameras has been installed to prevent theft it first should have tried to implement less serve means. Furthermore, the recordings were saved for 60 days which was much longer than deemed necessary.
“This is a serious case of workplace surveillance”, says the State Commissioner for Data Protection in Lower Saxony, Barbara Thiel. “Companies have to understand that such intensive video surveillance is a major violation of their employees’ rights”. While businesses often argue that video surveillance can be effectively used to deter criminals, this does not justify the permanent and unjustified interference with the personal rights of their employees. “If that were the case, companies would be able to extend their surveillance without limit. Employees do not have to sacrifice their personal rights just because their employer puts them under general suspicion”, explains Thiel. “Video surveillance is a particularly invasive encroachment on a person’s rights, because their entire behaviour can theoretically be observed and analysed. According to the case law of the Federal Labour Court, this can put staff under pressure to act as inconspicuously as possible to avoid being criticised or sanctioned for their behaviour”.
Data Privacy Manager, Data Guidance, Simmons & Simmons and Luther have commentary.
- Austrian Post €9,500,000
The Austrian Data Protection Authority issued a fine of €9,500,000 to the Austrian Post alleging that it had not enabled data protection enquiries via email.
In October 2019 the Post received a €18,000,000 fine for processing personal data on the alleged political affinity of affected data subjects. The fine was later annulled in a November 2020 court decision. The Post has announced it plans to appeal this second penalty. “The allegations made by the Authority mainly relate to the fact that, in addition to the contact opportunities made available by Austrian Post via mail, a web contact form and the company’s customer service centre, inquiries about personal data must also be made possible via e-mail. Austrian Post also intends to launch an appeal against this decision.”
See coverage from Data Guidance.
- Vodaphone Espana €8,150,000
From April 2018 to September 2019, 191 complaints were received for similar cases concerning telephone calls and SMS messages to citizens who had opposed the processing of their data for advertising. The failure of Vodapone to avoid advertising actions to those citizens who had exercised their rights of opposition or erasure of their data justified a fine.
Coverage was broad with Compliance Week, Data Guidance and Stephenson Harwood commenting.
United Kingdom Fines
UK fines- the ICO has issued 35 monetary penalty notices thus far in 2021. Below we take a look at a selection of the fines.
- Clearview AI £17 million
The Information Commissioner’s Office (“ICO”) has issued a provisional view of the imposition of a £17m fine over Clearview AI.. The BBC cites that the firms’ database has over 10bn images. The ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete any such data following alleged serious breaches of the UK’s data protection laws.
In a joint investigation with the Australian Information Commissioner (“AIC”) the ICO concluded that the data, some scraped from the internet, was being processed, in the case of UK persons, unlawfully in some instances.
Clearview AI Inc’s services were being used on a free trial basis by some law enforcement agencies. This has been confirmed to no longer be the case.
The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:
- failing to process the information of people in the UK in a way they are likely to expect or that is fair;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to have a lawful reason for collecting the information;
- failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
- failing to inform people in the UK about what is happening to their data; and
- asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.
Information Commissioner Elizabeth Denham commented:
“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking. UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.
Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”
The ICO press release can be found here and the AIC press release here.
The previous statement of the ICO on the conclusion of the joint investigation can be found here.
- Cabinet Office £500,000
The Cabinet Office was fined £500,000 on 2 December 2021 for disclosing the postal addresses of the 2020 New Years honours recipients online. In finding that the Cabinet Office failed to put appropriate technical and organisation measures in place the ICO noted that the data was accessed 3,872 times.
The ICO received three complaints from affected individuals who raise personal safety concerns and 27 contacts from individuals citing similar concerns. Steve Eckersley, ICO Director of Investigations, said:
“When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.
“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.
“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”
The Guardian reports on the data breach as does Data Guidance.
- EB Associates Group Limited £140,000
The ICO issued its largest fine to date to EB Associates Group Limited for instigating over 107,000 illegal cold calls to people about pensions. The practice has been banned since 2019.
Andy Curry, Head of ICO Investigations, said:
“Our priority is to protect people and we will always take robust action against companies operating illegally for their own financial gain.
“Cold calls about pensions were banned to protect people from scammers trying to cheat them out of their retirement plans.
“We encourage anyone who receives an unexpected call about their pension to hang up and then report it to us.”
The fine was covered by professional pensions.
- Mermaids £25,000
It is unfortunate at times that some charities which do the most sensitive of work also hold the most sensitive data. It makes data protection compliance all the more critical. Unfortunately, the transgender rights charity Mermaids fell afoul of data protection laws in the creation of an email group that was not sufficiently annexed or encrypted to protect the data it contained.
The result was that the 780 email pages were identifiable online over a period of three years. This led to the personal information of 550 people to be searchable online. Furthermore. the personal data of 24 of those people revealed how they were coping and feeling. Finally, for a further 15 classified as special category data as mental and physical health and sexual orientation were exposed.
Steve Eckersley, Director of Investigations at the ICO said:
“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often-vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.
“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
This serves a warning call for charities who process sensitive personal data – under the GDPR and the framework of self-reporting you need to have appropriate technical measures in place. Failure to do so puts users’ data at risk and leaves them vulnerable. Mermaids’ penalty was imposed for the data being at risk for the period of 25 May 2018 to 14 June 2019.
It is notable that Mermaid’s data protection policies and procedures were not updated to reflect GDPR standards. Post the implementation of the Data Protection Act 2018 data protection practices are taking increasing importance and a robust review with practical changes to data harvesting, management, retention and rights handling is now a necessity.
DAC Beachcroft comments as does Slaughter and May, the Independent and EM Law.
- HIV Scotland £10,000
In a cautionary tale for those using bulk email practices HIV Scotland was fined £10,000 for sending an email to 105 people which included patient advocates representing people living in Scotland with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name.
From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. The ICO’s investigation found inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy and an inadequate data protection policy.
Ken Macdonald, Head of ICO Regions, said:
“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.
“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”
The BBC, Keller Lenker and the Times have coverage.
Suneet Sharma is a junior legal professional with a particular interest and experience in media, information and privacy law. He is the editor of The Privacy Perspective blog.