Important lessons from Germany’s first GDPR-related fine

Germany has issued its first GDPR fine. The penalty underscores the willingness of data protection authorities to enforce the law, but its relatively low amount — just 20,000 euros, or less than $23,000 — may also indicate leniency for companies that report violations promptly, fully comply with authorities and swiftly take action to fix the problem.

The fine was levied against social media chat app Knuddels, which failed to encrypt the personal data of some of its customers. The site was breached in July, and the hack was discovered in September, when 330,000 customer email addresses and passwords were posted on the internet.

According to German magazine Der Spiegel, a total of over 800,000 email addresses and 1.8 million user names are suspected of being stolen, though only the 330,000 cases have been verified so far. Some customers used their real names and listed their home addresses on the site. Whether that information was taken is still unclear.

Founded in 1999, Knuddels is one of the oldest and largest German chat platforms. It began encrypting user passwords in 2012, but continued to save the old, unencrypted versions on a backup server with an outdated operating system. After learning of the breach, the company deleted its database of unencrypted user information and notified the local Baden-Württemberg data protection authority about the breach.

The company also apologized for its actions, promptly notified customers and had them change their passwords and made extensive changes to improve its data security. It has plans to make further technology improvements in the coming weeks.

“Knuddels is safer than ever,” Holger Kujath, the managing director of Knuddels, told Spiegel Online.

Regulators appear to agree.

“Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack," said Stefan Brink, the data protection and freedom of information officer for Baden- Württemberg, in a statement.

Significantly, he added that regulators are “not interested in entering into a competition for the highest possible fines. The bottom line is improving privacy and data security for users.”

Given the possible penalties involved, Knuddels’ fine itself was effectively a slap on the wrist. Depending on the severity of the incident, the GDPR allows for fines of up to 20 million euros or 4 percent of annual revenue.

That said, it’s critical for multinationals to understand that while the fine in this case made headlines in part for its leniency, there were other costs involved. Knuddels’ prompt actions, for example, represent what must have been serious administrative burdens. It is also common in such cases to incur legal and other third-party costs, such as those related to PR. Finally, there may be reputational costs which, while difficult to measure, can be significant, particularly over the long term.

Other Euro fines

While being forthcoming about mistakes and acting quickly to improve security may help reduce fines, it won’t stop authorities from enforcing the law, and Germany is not the first country to act.

A Portuguese hospital was fined 400,000 euros for giving too many users access to patient data. Nearly a thousand users had physician-access rights, while fewer than 300 doctors were employed at the hospital. The hospital is appealing the fine.

An Austrian retailer was fined 4,800 euros for using a surveillance camera that captured too much of the sidewalk outside. In addition, the camera didn’t warn passers-by that they might be recorded.

Going after big game

These fines may be the tip of the iceberg for GDPR enforcement. Complaints have been filed against several major technology companies about the way they track users. 

Privacy International, a UK-based nonprofit, has filed GDPR complaints against seven corporations, including data brokers Acxiom and Oracle, credit bureaus Equifax and Experian, and several ad tech companies. These firms use cookies and IP addresses to track users without obtaining adequate permission, the group and other privacy advocates say.

A separate complaint was filed against Google and other ad tech companies, claiming that current online advertising technology — which affects most internet users — violates European privacy standards. The complaint says that when someone is shown a personalized ad online, what they are watching is broadcast to a host of other ad companies in an attempt to get them to bid on targeting the individual. The complaint says that procedure violates privacy under the GDPR. If complaints like this are found to be valid, they could upend the current business model that supports most sites.

Another group has filed complaints against Google for tracking user location even when the “Location History” option is turned off (users must adjust an additional setting to disable location tracking).

Facebook, which was fined 500,000 pounds for the Cambridge Analytica scandal, could be hit with a billion-dollar fine after the data of up to 30 million users was exposed through a bug in the platform’s “View As” feature. The problem has since been fixed.

Another complaint was filed against Facebook shortly after GDPR went into effect in May for not obtaining adequate opt-in consent from users for data collection.

Twitter is being investigated by GDPR authorities for failing to disclose to users how their information is tracked when they click links.

What to do

What these companies have in common — besides their size and notoriety — is their alleged failure to obtain permission before collecting data and failure to explain how the collected data will be used, both key provisions of the GDPR.

Multinationals that collect information about customers or employees in the EU should review the GDPR with a focus on permission and explanation procedures. It’s important to remember that you are also responsible for ensuring that your partners and contractors follow the law.

While the GDPR’s protocol for a data breach is straightforward, the language surrounding permission and consent has been accused of being murky and ambiguous. This may be a deliberate measure designed to give companies choices about how they achieve the law’s aims. Authorities’ reaction to existing complaints will shed more light on enforcement and expectations.

In the meantime, for a data breach, the Knuddels fine makes it clear that intention and attitude matter a lot. While prompt reporting and corrective action won’t help you avoid a fine — or some of the related costs mentioned, such as administrative burdens and legal fees — it appears that regulators are trying their best to make the punishment fit the crime.

Paul Sutton, Head of Legal Advisory Group, contributed to this article.