A little over a year has now passed since the General Data Protection Regulation (“GDPR”) became effective, so this is a good time to reflect on the activities that have prompted enforcement actions and to use them in assessing and developing your cybersecurity programs.
As we previously discussed, the GDPR can apply to you, even if you have no physical presence in the EU and even if you are not in the business of collecting or selling sensitive information. It was implemented to give residents of the European Union more control over their personal data while simplifying the EU's regulatory framework relating to data privacy and protection, and has prompted US companies and legislators to pay greater attention to data privacy practices.
The GDPR established a privacy “bill of rights” to allow individuals to have greater control over who collects their data, how the information is used, and for how long. The regulation imposes significant compliance requirements on companies obtaining, recording or holding personal data of individuals covered by the GDPR (essentially individuals who work or reside in the EU, regardless of where the data is collected) – while also granting enforcement agencies authority to impose substantial financial penalties for non-compliance.
Over the past year, the GDPR has inspired significant change, not only in the data privacy industry, but across the business world, raising issues of compliance struggles and financial penalties. It has also sparked debate as to whether the US will implement a similar regulatory framework on a national scale.
Compliance and Enforcement Costs
The GDPR functions both as a mandate to take affirmative action to protect consumer data and as a breach notification law. EU data authorities have the ability to issue significant penalties against certain US companies for failing to comply with the law (i.e., mishandling data) even in the absence of a breach. When a breach does occur, organizations are required to notify both the affected individuals and the appropriate data authorities within 72 hours of discovering it. The GDPR authorizes fines of €20 million or 2% of a company’s worldwide revenues, or, for more serious violations, €40 million or 4% of a company’s worldwide revenues, whichever is larger.
While data breaches are the source of many fines thus far, a fine may also result from a compliance violation uncovered during an audit or raised by a complaint from a data subject, including against US companies. The European Data Protection Board reported that in the first nine months after the GDPR took effect, data authorities in 31 countries reported 206,326 cases, of which 94,622 were based on complaints, 64,684 were based on breach notifications, and 47,020 were unspecified other cases.
To date, however, EU data authorities have not been heavy-handed. During the first nine months that the GDPR was in effect, the penalties imposed totaled €55,955,871, with a single €50 million fine against Google accounting for nearly 90% of that amount.
What Can Get You In Trouble?
Storing Passwords in Plain Text: German social media provider Knuddels was fined €20,000 for storing users’ passwords in unencrypted plain text, a direct violation of the GDPR. This was discovered after hackers compromised the personal information of more than 330,000 users, including 808,000 email addresses and passwords. Because the company immediately shut down all affected accounts, notified its users, and reported the breach to the German data authority, the fine imposed was relatively small in comparison to the potential €20 million or 2% of the company’s annual revenue. The fine was determined to be proportional to the incident and to how it was handled, including swift action to implement stronger security measures and long-term plans for increased security.
Poor Security Measures: The UK’s data authority announced plans to fine British Airways a record £183 million under the GDPR, citing “poor security arrangements” related to a cyber incident in September 2018. In that incident, hackers diverted users from the British Airways website to a false site, through which the personal data of approximately 500,000 customers was compromised. Under the GDPR the fine could have been up to £500 million. In comparison, the UK’s data authority was restricted to the maximum fine under the prior Data Protection Act when it fined Facebook £500,000 in the Cambridge Analytica scandal, which affected as many as 87 million data subjects.
Lack of Transparency and Failing to Obtain Consent: Unrelated to any breach incident, the French data authority fined Google €50 million for violating the GDPR. The investigation stemmed from complaints from data subjects. The data authority found that the structure of Google’s privacy policy and terms and conditions lacked transparency, requiring users to go through up to five or six actions to obtain essential information, and that the use of pre-ticked boxes as a consent mechanism did not establish a legal basis for processing data to deliver targeted advertising. Under the GDPR, consent must be “granular, freely given, informed and must involve affirmative action.” The fine represented only 0.04% of Google’s $136.2 billion in revenue in 2018, far from the potential 4% penalty.
Lessons Learned
As GDPR enforcement continues to develop, the largest takeaway for US companies is that this increased focus on the handling of data and breaches will hopefully motivate US legislators to develop a comprehensive national privacy law. Currently the states are taking the lead, as demonstrated by the California Consumer Privacy Act and the recently enacted New York SHIELD Act. This legal patchwork, however, creates significant compliance issues for companies that operate in multiple states, further emphasizing the need for unified standards.