
First GDPR Penalties Levied By Year’s End, EU Privacy Boss Says

Organizations violating the General Data Protection Regulation’s (GDPR) privacy rules will be hit with fines, warnings or temporary bans by the end of 2018, the European Union’s privacy boss said earlier this week.

Giovanni Buttarelli

“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” European Data Protection Supervisor Giovanni Buttarelli told Reuters.

The penalties will be imposed on both companies and public entities and will extend across EU member countries, he said. Citing ongoing investigations, Buttarelli declined to name any organizations as early transgressors, the report said. It’s possible that giants British Airways and Facebook could be among the culprits (see below). An organization running afoul of the GDPR’s mandates is subject to a fine of up to four percent of global sales or $23 million (20 million euros), whichever is higher.

“The fine is relevant for the company and important for the public opinion, for consumer trust. But from an administrative viewpoint, this is just one element of the global enforcement,” Buttarelli reportedly said.

Data privacy complaints filed against Facebook, Google, Instagram and WhatsApp by Austrian activist Max Schrems on the same day the GDPR went into effect are not among the cases under investigation for this first round of enforcement, the official said. (Note: Schrems has for years doggedly pursued Facebook over its data collection practices, filing numerous lawsuits charging the company with breaking European data protection laws. He is credited with bringing down Safe Harbor, the venerable data transfer privacy policy that preceded the GDPR.)

Facebook could be hit with billion in fines if the EU dings the company for failing to adequately protect data in a recent breach of more than 50 million accounts, the largest known security breach in the company’s history. In that instance, as-yet unidentified attackers exploited a technical vulnerability in Facebook’s code affecting its ‘View As’ feature, which lets people see how their profile appears to others. The attackers subsequently stole the login tokens (digital keys) of some 50 million people and potentially gained control of their accounts.

Last year, U.K. regulators tagged Facebook with the maximum allowable penalty of $650,000 under earlier data protection laws over its unauthorized sharing with Cambridge Analytica of personal data on millions of its users. Had Facebook been fined under the GDPR in that case, the penalty could have been $1.6 billion.

British Airways (BA) might also be fined under the GDPR owing to a security breach in late August and September, when hackers dipped into the airline’s database to hijack account numbers and personal information of customers booking travel online. BA could be penalized up to $650 million under the GDPR’s rules.

Earlier this year, the U.K.’s Information Commissioner’s Office, a regulatory watchdog, said that in the six weeks from May 25 — when the GDPR took effect — to July 3, some 6,300 documented grievances were filed by U.K. individuals and companies claiming their personal data had been accessed without permission. That’s more than 2.5 times the number recorded in the same period last year. Roughly 10 percent of the complaints are linked to financial services, with others coming from the education, health and local government sectors.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.