In the first fine issued by a German data protection authority under the European General Data Protection Regulation (“GDPR”), on 21 November 2018 the authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of Euro 20,000 on a social media provider for a violation of its data security obligations under Art. 32 of the GDPR. The company’s very good cooperation with the LfDI was key to avoiding a higher level of fines.
According to the press statement of the LfDI (in German), the Company contacted the LfDI with a data breach notification following a hacker attack in the summer of 2018. The attack resulted in the unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses.
After becoming aware of the incident, the Company immediately informed its users about the attack in a comprehensive and fully transparent manner (as per Art. 34 GDPR). In the proceedings with the LfDI, following the notification of the data breach to the regulator (as per Art. 33 GDPR), the Company disclosed its data processing and company structures as well as its own security failures to the LfDI in an “exemplary manner.” During this investigation, the LfDI became aware that the Company had stored the passwords in plain text and in an unencrypted format, which helped facilitate the attack.
During the course of the proceedings, the Company implemented comprehensive measures to improve its IT security architecture and applied the latest state of the art to the security of its user data. In addition, the Company committed itself to implementing additional measures to further improve its data security level in cooperation with the LfDI.
Decision of the LfDI
The LfDI found that, by storing the passwords in plain text, the Company knowingly infringed its obligation to appropriately encrypt personal data pursuant to Art. 32(1)(a) of the GDPR.
Under Art. 83(4) of the GDPR, a violation of Art. 32 can result in fines of up to Euro 10 million or up to 2% of an organization’s total worldwide annual turnover, if higher. For the calculation of the fine, Art. 83(1) GDPR sets forth that any fine imposed under the GDPR must be effective, proportionate and dissuasive. In this respect, the LfDI took into account the company’s willingness to cooperate and to improve its IT security architecture based on the recommendations of the LfDI. In addition, the LfDI viewed favourably that the company immediately informed its users of the attack. Finally, the LfDI took into account that the incident resulted in additional costs for the company. All in all, the LfDI found that a fine of Euro 20,000 was appropriate to address the GDPR violation in question.
Dr. Stefan Brink, the head of the LfDI concluded: “As a data protection authority, it is not the aim of the LfDI to compete for the highest possible fines. What really matters after all is the improvement of the level of data protection and data security for the users concerned.”
Apparently, the LfDI did not apply Section 43(4) German Federal Data Protection Act (“BDSG”). According to this provision, the facts disclosed in a data breach notification under Art. 33 of the GDPR may not be used in proceedings for administrative fines without the consent of the organization concerned. According to the view of some privacy professionals in Germany, this provision is not in line with the GDPR and therefore not applicable. However, this has not yet been confirmed by a court.
The “perfect storm”
At the occasion of the September IAPP conference in Munich, Thomas Kranig, the President of the Bavarian State data protection supervisory authority, was asked about the first fine to be expected from his authority. He replied that this would be applied in a “perfect case,” both relevant for the general public and conveying the right message. The current one can be regarded as the “perfect storm” because it directly affects consumers and it is in the area of social media, which currently attracts major attention from both privacy regulators and consumers.
The publication of this enforcement action also has the intention of sending a wider message: if you cooperate, the fines will be tolerable. This message is in line with previous actions of German supervisory authorities under the previous legal framework. Cooperation, transparency, and documented willingness to implement new compliant processes enabled those who broke the law to negotiate and agree fines of relatively moderate amounts.
Cooperate or litigate
This will add to the ongoing “cooperate v. litigate” debate in data protection and privacy matters. Some commentators (see for instance Härting, in German) point to weaknesses in supervisory authorities’ powers when informal compliance questionnaires are sent, and call for caution and reluctance to disclose compliance shortcomings too willingly. This latest decision and the reasons for the relatively low fine are intended to motivate organizations to cooperate and to be transparent about any shortcomings.
The European context
The fine imposed by the LfDI is the third public fine imposed by a European data protection authority for GDPR breaches. The first two were as follows:
In July 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of Euro 400,000 on a hospital for failing to prevent unauthorized access to patient data.
In October 2018, The Austrian DPA fined a company Euro 4,800 for use of CCTV in a public space without proper transparency and notice.
The following lessons can be learned from the German enforcement action:
Having processes in place to promptly detect and report data breaches is paramount.
Be prepared to accept that notifying a personal data breach might open the door for further regulatory investigations, although this is less likely for minor breaches (in this case, passwords of 330,000 users were lost as a consequence of a malicious attack and the unencrypted storage of those passwords was a contributing factor).
Learn to manage the reputational impact. In its statement, the LfDI only mentioned that the enforcement involved a social media provider based in Baden-Württemberg (although the media quickly identified the provider behind the press release). From this, there is a positive message: by cooperating with regulators, it may still be possible to be portrayed as a “good corporate citizen” from a privacy perspective.