EU Data Protection Authority Rewards “Exemplary Cooperation” With Moderate Fine

King & Spalding

On November 21, 2018, the data protection authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of EUR 20,000 on a German social media company for failing to encrypt user passwords, the first fine issued under the General Data Protection Regulation (“GDPR”) in Germany. In determining the amount of the fine, the LfDI explicitly rewarded the company’s exemplary cooperation in disclosing and remedying its shortcomings under GDPR.

In September 2018, the social media company contacted the LfDI to report a data breach following a hacker attack, which had resulted in the theft and disclosure of personal data of around 330,000 users, including passwords and email addresses. It then provided an updated notification in which the company fully disclosed its data processing and business structures to the LfDI. The update made evident that the company had deliberately violated its obligation to ensure the security of personal data under Art. 32 of GDPR: it had been storing and using user passwords in plain text, neither encrypted nor hashed.

Although under GDPR a fine for a contravention of this nature can be as high as EUR 10 million or 2 percent of the company’s worldwide revenue in the previous year, whichever is higher, the LfDI imposed a fine of EUR 20,000. According to the authority’s press release, the company’s “exemplary” cooperation with the authorities in disclosing its shortcomings was taken into account when assessing the fine. Not only did the company fully disclose its data processing and business structures, it also willingly implemented the authority’s instructions and recommendations. Within a couple of weeks, the company had implemented far-reaching measures across its IT security infrastructure and had upgraded the protection of user data to a standard considered state of the art. The LfDI noted that with these measures the company had significantly improved the security of user data in a very short period of time. As fines issued under GDPR are not only intended to deter but are also required to be proportionate, the authority also took into consideration the overall financial burden on the company, which amounted in total to a six-digit figure.

Dr. Stefan Brink, the head of the LfDI, concluded: “As data protection authority, it is not the aim of the LfDI to compete for the highest possible fines. What really matters is the improvement of the level of data protection and data security for the users concerned.”

This first fine issued in Germany under GDPR teaches a valuable lesson for companies active on the EU market: European data protection authorities appear willing to reward companies’ cooperation and transparency, as well as their willingness to implement measures recommended by the authorities, with relatively moderate fines, even in the case of deliberate data protection violations. Thus, when becoming aware of potential irregularities under GDPR, it is crucial for companies to develop a sound strategy for cooperating with data protection authorities. In light of the LfDI’s recent statement on the calculation of fines, the European data protection authorities’ Guidelines on the application and setting of administrative fines (WP253) are worth a closer look, as they provide helpful guidance on the behavior authorities expect from companies faced with violations under GDPR.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
