Joe Stanganelli

GDPR Fines: Some Bark, Little Bite

As Security Now says 'Happy Halfiversary' to GDPR, we take a look at what few GDPR fines and other DPA orders and guidance have been made public over the past six months.

Sunday, November 25, marked the "halfiversary" of the European Union's General Data Protection Regulation. In that time, organizations and governments alike have struggled with making sure they are up to par for GDPR compliance -- to much hoopla.

Indeed, after GDPR came into effect on May 25, there was no real slowdown in the fusillade of articles and blog posts warning, shouting, and kvetching about GDPR risks. More recent headlines from over the past month speculate that billion-dollar GDPR fines are just around the bend for major companies like Facebook and British Airways after their recent respective data breaches. (See Facebook's Data Breach: Will It Be First Test of GDPR? and British Airways Already Facing Lawsuits Following Data Breach.)

For the most part, however, what I predicted last year here on this point has thus far rung true -- that GDPR appears to have been more puff than plague in 2018. Data Protection Authorities (DPAs) are hardly zapping every company left and right with their maximum fining powers. (See My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype.)

DPAs clarify PHI stances
Still, DPAs are indicating that certain kinds of data are subject to greater scrutiny -- and greater punishment -- when it comes to how that information is guarded.

In July, the Netherlands' DPA held that a public insurance body violated GDPR security standards by using only single-factor authentication on its employer portal instead of multi-factor authentication. The DPA specifically stated that multi-factor authentication was required because the employer portal allows access to employees' Protected Health Information (PHI).

Moreover, EU regulators are not screwing around when it comes to defining what constitutes PHI under GDPR.

In setting this specific standard for PHI, the DPA set another one as well. Reportedly, the public insurance body's portal contains minimal information about employee health -- only the dates of sick days, parental leave, and information related to when an employee is pregnant or gives birth; other than pregnancy, no information about employees' actual medical conditions is listed. Nonetheless, the DPA ruled that by merely existing on the portal to begin with, all of that information qualifies as PHI because it indicates that someone had or has a medical condition. Res ipsa loquitur.

The DPA ordered the public insurance body to conduct a new data-privacy impact assessment (DPIA) by October 31, 2018, and to implement appropriate security measures in line with its ruling by October 31, 2019. While no immediate fines were assessed, the DPA ordered that fines of €150,000 ($170,000) would be assessed against the public insurance body for every month of delay in complying with its order -- up to a maximum of six months' worth of fines.

Also in July, Portugal's DPA privately issued a GDPR fine of €400,000 ($450,000) against a hospital for allegedly allowing hospital-system users "unrestricted" access to PHI via temporary accounts. The hospital has announced its intent to appeal.

This not-yet-finalized six-figure fine, however, may so far be the exception as opposed to the rule.

Austria fines first
Only a couple of publicly levied fines for GDPR violations have come down from DPAs thus far. The first EU member state to publicly issue a fine under GDPR appears to have been Austria. This is no big surprise given the nation's recent history; in addition to being home to privacy activist and serial litigant Max Schrems (whose legal crusade against Facebook led to the fall of the EU-US Safe Harbor Principles), Austria was the only EU member state to vote against GDPR -- for not being strict enough.

In the instant case, Austria fined a small business under GDPR for installing a CCTV camera that recorded part of a public way -- without sufficient indication that there was a camera recording passersby. The fine, however, was modest -- €4,800 ($5,500).

DPAs decline to compete on fines
More recently, Germany's DPA announced that it had issued a GDPR fine against Knuddels -- a German social-networking site -- after the company suffered a data breach in which a minimum of 320,000 user credentials (and possibly as many as 1.8 million) were stolen. The fine amounted to €20,000 ($23,000) -- at first, a seemingly paltry sum considering that Knuddels had stored user credentials in plaintext (a veritable cybersecurity facepalm, with or without Article 32 of GDPR). This appears to have been Knuddels's only GDPR sin, however. The fine was mitigated because, according to Germany's DPA, Knuddels took swift and exemplary action in "immediately and comprehensively" notifying the DPA of the breach in compliance with GDPR, kept users informed in a timely manner, and extensively improved its IT-security posture in collaboration with the DPA.

Stefan Brink, Germany's State Commissioner for Data Protection and Freedom of Information, commented that his organization is not interested in competing over which DPA can issue the highest fines -- and instead is focused on the overarching goal of improving information security and data privacy.

This corresponds with comments last year from his opposite number in the UK, Elizabeth Denham, when she downplayed the hullabaloo over "massive" GDPR fines.

"[GDPR] is not about fines," wrote Denham in a since-taken-down blog post (archived here). "It's about putting the consumer and citizen first. We can't lose sight of that."

—Joe Stanganelli is managing director at research and consulting firm Blackwood King. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)
