European Data Protection Board

National News

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.

25 October 2018

The Information Commissioner’s Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law.

In July, the ICO issued a Notice of Intent to fine Facebook as part of a wide ranging investigation into the use of data analytics for political purposes.

After considering representations from the company, the ICO has issued the fine to Facebook and confirmed that the amount (the maximum allowable under the laws which applied at the time the incidents occurred) will remain unchanged. The full penalty notice can be read here.

The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.

Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US.

Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.

The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.

Elizabeth Denham, Information Commissioner, said:

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”

This fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU’s General Data Protection Regulation. These provide a range of new enforcement tools for the ICO, including maximum fines of £17 million or 4% of global turnover.

Ms Denham added:

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.

“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”

Watch Elizabeth Denham talk about the fine here.

A further update on the ICO investigation into data analytics for political purposes will be on Tuesday 6 November, when Ms Denham will give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee.

In July, the ICO published an interim progress update on its investigation and also published a partner report, Democracy Disrupted? Personal information and political influence looking at the broader policy issues identified during the investigation along with findings and the Information Commissioner’s recommendations for future action.

If you need more information, please contact the ICO press office on 0303 123 9070, or visit the media section on our website.

Notes to Editors

1. The Information Commissioner's Office (ICO) is the UK's independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).

3. The General Data Protection Regulation (GDPR) is a new data protection law which applies in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security. The UK's decision to leave the EU will not affect the commencement of the GDPR.

4. However, due to the timing of certain incidents in this investigation, civil monetary penalties have to be issued under the previous legislation, the Data Protection Act 1998. The maximum financial penalty in civil cases under former laws is £500,000.

5. Under past and current law, the ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.

6. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17 million (EUR 20 million) or 4% of global turnover.

7. The GDPR and the DPA2018 gave the ICO new, strengthened powers, some of which, such as assessment notices, can be used for this investigation.

8. The data protection principles in the GDPR evolved from the original DPA and set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary; and
- Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.

Article 5(2) requires that "the controller shall be responsible for, and be able to demonstrate, compliance with the principles."

Civil Monetary Penalties (CMPs) under past and current law are subject to a right of appeal to the General Regulatory Chamber of the First-tier Tribunal against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

9. Any monetary penalty is paid into the Treasury's Consolidated Fund and is not kept by the ICO. To report a concern to the ICO go to ico.org.uk/concerns.

The original news release can be consulted here.

For further information please contact the ICO at casework@ico.org.uk

23 October 2018

The Swedish Data Protection Authority has examined whether more than 350 companies and authorities have appointed a data protection officer. The audit shows, among other things, shortcomings in nearly a quarter of the unions selected for review.

According to the General Data Protection Regulation (GDPR), all authorities and also certain companies are obliged to designate a data protection officer. This person shall check that their own organization complies with data protection regulations, and inform and advise internally.

"It is a very important role when it comes to raising awareness and compliance with GDPR, which is why we prioritized this as our first GDPR review," says Inspector General Lena Lindgren Schelin.

The Swedish Data Protection Authority has conducted a broad review of more than 350 authorities and companies and has examined whether they appointed a data protection officer and, if so, whether they also reported this to the Swedish Data Protection Authority, which they must do.

The audit shows that the majority of the organizations have notified and appointed a data protection officer in time. However, some sectors stand out in a negative way. Of the 51 unions included in the supervision, nearly 25 percent had deficiencies.

"The review was conducted shortly after GDPR came into effect on May 25th. Therefore we have not gone further than issuing reprimands. But, if in the future we continue to see shortcomings when it comes to appointing a data protection officer, fines will be on the table," says Lena Lindgren Schelin.

Read the summary of the supervision in pdf-format

For further information, please contact the Swedish supervisory authority at datainspektionen@datainspektionen.se

12 September 2018

On September 12th 2018, the Austrian DPA made its very first administrative penal decision for infringements of the GDPR and Austrian Data Protection Act.

The Austrian DPA imposed a fine on a limited liability company running a sports betting café, as the controller within the meaning of Article 4(7) GDPR of an image processing system (video surveillance). The cameras in question have been in use at least since March 22nd 2018.

The controller has violated Art. 5 para. 1 lit. a and c as well as Art. 6 para. 1 of the General Data Protection Regulation (GDPR) and several provisions of the Austrian Data Protection Act (DSG).

Due to these administrative offences, the limited liability company, as controller, was imposed administrative fines totalling EUR 5,280.00.

The infringements are the following: the video surveillance system covers public streets as well as parking lots, both part of the public area in front of the entrance of the sports betting café. This is not adequate for the purposes of the processing and is not limited to the necessary extent. There are no logs of the video surveillance processing operations. The personal image data recorded by the video surveillance is not deleted within 72 hours, there are no separate logs for this processing, and the justification for an extended storage period required by the Austrian Data Protection Act is missing. In addition, the filmed area does not have adequate signage about CCTV.

The controller lodged a complaint with the Federal Administrative Court against this decision.

For more information, please contact the Austrian supervisory authority at dsb@dsb.gv.at