Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany.
"The fine was impossed against a private person who sent several e-mails between July and September 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list."
Poor guy.
This seems to be proof that the GDPR is being weaponized against people and organizations one doesn't like.
In the UK, the data regulator fined a small organisation £180,000 ($230,000) for exactly the same mistake on a list with 781 recipients. The organisation was a specialist sexual health clinic and the newsletter was for patients with HIV.
Without knowing the details, I can't say whether a €2000 fine was disproportionately onerous or a slap on the wrist.
It's worth noting that that fine was made under the Data Protection Act 1998 (implementing the Data Protection Directive), which is what was in force before the GDPR became law.
The ICO might well consider a similar breach worthy of a bigger fine now.
With such sensitive information they should really avoid CC/BCC and do it manually, or write a script for sending 1 email at a time. Not because CC/BCC is bad, but because you want to be 100% sure to dodge this kind of problems.
That'll be part of why they got the fine. One component of gdpr is taking reasonable steps to avoid leaking personal data, and as you pointed out relying on someone remembering to bcc rather than cc is asking for trouble.
Not just that. Health data is considered especially sensitive by the GDPR, so sharing it is a more serious transgression than simply sharing personally identifiable information in general.
The details are that some of the most sensitive medical information you could imagine got leaked. Huge, huge violation. Even in the US HIV status is extremely confidential.
Details on the 2k€ fine; the guy used his mailing list for harassment, the 2k€ fine would likely have also been issued prior to the GDPR as german privacy law is fairly strict.
HN tangent: This is a great example of where the oft touted wildcards on a personal domain fall short: if you’re on that list, you’re outed. Even without your name on it; only you use that domain.
This is where Outlook with their *@outlook.com and apple’s new system really do shine.
Wildcards are a measure to track what others are (automatically) doing with your email address, provide a way to remove yourself from shared lists of bad actors, and sign up to something a dozen times. What they don't do is provide privacy against human eyes.
I've been wondering how this sort of email management strategy is going to handle the rules certain countries are bringing in now where if you want to go there then you have to provide a list of all of your email addresses and social media accounts. Has anyone run into that problem yet?
If the story linked elsewhere in this thread is the one in question, this wasn't an accident. It was a guy running some kind of harrassment campaign. His "little mailing list" was of people he was harrassing, not subscribers to a newsletter.
Not a harassment campaign as such, it seems. He was mad about something, and mailed a bunch of politicians and press his complaints. Complaints, sometimes bordering on being libelous, according to the agency which fined him, not death threats.
He was fined solely based upon the email addresses being visible to all recipients, not because of the content of his mails, said a spokesperson. However, he was a repeat offender in terms of privacy, who in the past was warned, then fined for similar stuff.
I'm a little bit torn on that one. The fine seems excessive for what he did (and the email addresses seem to be a list of already public journalist and press contacts) and it certainly looks like somebody in the govt got annoyed and threw the book at the guy in retaliation. Then again, he had ample warnings, and choose to ignore those warnings.
Isn't one of the points of separation of power that the government (executive branche) should not have priority access to the judicial branche? Fining individuals, even loony ones, while not even attempting to fight the big battles (FAANG, personal data trading for 'profiling' or even government profiling within the EU) is imho just preposterous.
Well, the judiciary branch was not involved in this fine. It was a government agency issuing the fine. Now the fined person could pay the fine, or file a suit asking a court to overturn it.
It really is analogous to most govt fines e.g. speeding tickets: the government (the police) gives you a ticket, and if you pay it then OK, no court involved, but if you challenge it then the courts get involved.
But more generally, the government should and does get priority access to the courts already. Criminal courts exist solely to serve the government; you cannot bring criminal suits as a citizen yourself, only civil suites. Also, e.g. in Germany the government and legislatures (federal and state) get priority access to e.g. the constitutional (supreme) court. A mere mortal cannot just file suit directly in the constitutional court, but has to go through the lower instances first (unless there is something similar to a class action petition, showing a sizable chunk of the population sees the same issue and wants it decided). Members of the parliaments and IIRC of the cabinet are allowed to file suit in the constitutional court directly. The reasoning here is that if it was allowed for citizens to petition the highest court directly, then the court would do nothing else than write rejection letters for bullshit petitions. While the govt and legislatures incl the parliamentary opposition of course represent the people (in theory) and aren't stupid morons wasting the courts time (in theory).
PS: Google was already fined €50M for GDPR violations, and there is probably more of those in their future. Facebook got fined €10M so far, IIRC, also with more to come.
And don't forget the billions of Euros worth of antitrust fines against Google and Microsoft, e.g.
I support this fine in principle. Maybe not the magnitude, maybe not without a warning, and of course a three liner isn't enough context to be sure.
But using CC instead of BCC causes a massive leak of personal information, especially when either the subject being discussed or the people on the list are sensitive. In my life this has mostly been annoyance at large org stuff, but my wife has had this happen with a sensitive medical practice and we were not in the US so HIPAA did not apply.
I don't think fines are the only solution, of course. But I think fines should be on the table and it's easy to me imagine a circumstance where 2k euro would be appropriate.
Last year, when GDPR was heavily discussed, people were criticizing those who decided to just stop their small hobby websites because of the potential GDPR exposure.
The argument back then was that they were overreacting, that we didn't understand how Europe works, that you'd only get fined after repeated warnings about violating procedures etc.
I'm sure the private person was dumb for doing what he did, but that doesn't invalidate the general point: unless you're sure you that can afford making these kinds of mistakes, don't provide a service on the internet that might be used by EU citizens.
The benefits, whatever they might be, just don't justify the risks.
Except we see just the fine. We have no idea how many attempts and warnings to get them to comply were sent first. It wasn't one email, it was multiple emails, multiple times over months.
This site makes no mention of warnings and escalations, and ICO at least doesn't normally announce that for individual cases. Though they do put out aggregate stats. When they have fines are clearly shown as arising in a small minority of cases.
800k email records and passwords in plain text when breached. I don't know how big Knuddels are, so I don't know if that fine sounds lenient, right or high. Yet as it's a large breach it seems fitting of no warning first, considering the scale of negligence, mitigated by their "exemplary cooperation" afterwards.
Which goes to show why the regulators get the discretion to decide appropriate action from warning only to maximum fine. Without context and aggravating and mitigating factors we can't know, which was my point. If a penalty is disproportionate there's well worn appeal tracks.
Other comments seem to point to the small case in OP comment being some guy running a list to harass people, which seems like a huge aggravating factor to me. Maybe he got one warning, maybe in context he didn't deserve even that.
> We have no idea how many attempts and warnings to get them to comply were sent first.
True. But I doubt that even the most ruthlessly efficient GDPR enforcement authority could multiple enforcement requests between mid July and end July.
Why are multiple requests needed? You do shit, you get a request to stop it, you don't do it, you get hit with a fine. How many requests do you expect the authorities to send? 5? 10? 100? If I get summoned to court and don't follow it I get a fine. How is this any different?
Sure, but there are different kind of mistakes. Surgeon can make a mistake, but it's a different kind of mistake if instead of a surgeon, a plumber cuts the patient with a kitchen knife.
I agree it's a difficult problem and it's hard to define boundaries, but some level of competence is welcome when handling data that belongs to other people.
If you start some internet service, I expect you not to lose my data (in some lame way, s.h.), just like I expect my car mechanic not to destroy my engine.
edit: to give it context, I closed my programming website with thousands of active users that I had for almost 20 years because of GDPR, I'm not a big fan of it, but what I like even less is when complete incompetence when handling personal data results in zero consequences
Yes, people make mistakes. And by deciding to create a business around other people's personal information some mistakes are bad enough to merit a fine.
All sorts of civil offences and crimes can be mistakes. While "it was an accident" might lower the penalty it doesn't negate the fact the mistake was made and people might have been hurt.
The idea that we should hold companies that profit off people's personal data blameless if they manage to "make a slip-up" with it is absurd. The only other industry where we accept those kinds of mistakes is Wall Street and we all know how well that policy has gone.
>deciding to create a business around other people's personal information
>profit off people's personal data
Have you "decided to create a business around destroying the environment" and "profit off CO2 emissions" because your office is heated in the winter? GDPR is not specific to the adtech or data brokerage industries.
Yes, climate change effects would probably be a more accurate analogy -- but many people are very much against carbon tax schemes so it felt best to avoid that comparison.
GDPR doesn't prevent you from collecting personal data. It only requires you to have a clear reason for collecting everything and being transparent about what data is collected and how it is processed.
The examples here make clear that "a clear reason for collecting everything" means an ironclad justification for each field, each bit of precision, each minute of retention. That is not a casual thing. As in, one of the fines here is for retaining a phone number to fulfill a need to communicate, when postal mail could have worked instead.
It is doable, if you have the lawyers and the time. But that's not a degree of scrutiny you want to gamble your life savings on for a personal project.
"Don't need" as in "there are feasible alternatives."
HN doesn't need to know or share your username to post your comment, it is clearly possible to run a message board without usernames, and conversations could be maintained by generating a random pseudonym for each thread.
Also, the fine (if we are talking about the Danish one) was not for collecting a phone number. It was for retaining it after the retention limit (in this case 2 years, and they kept them for 5 years) without a good cause. The company argued they were and essential part of the database. People love to make GDPR look bad, but it's often not as bad as it looks from a one line summary.
Well, suppose he does some transformation involving position. GPS points also have altitude in them. He neglects to sanitize altitude at the point of collection, and is therefore collecting and retaining more data than necessary to perform the service. He plots positions on a relatively zoomed-out map. Only the first six significant figures make a perceptible difference in the map position, but he retains the same precision that was uploaded, usually higher. Again, failure to minimize. Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.
Now he has "decided to build a business around profiting from the abuse of personal data" and the consensus in this thread looks on his destruction with glee.
> Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.
This is typical FUD. GDPR allows backups. Right to be deleted doesn't mean grovelling through backups. If those snapshots are rotated out after e.g. 3 months he is fine.
And regarding sanitizing altitude. Again pure FUD. There is no way that that would be a problem.
Of course if he stores the data in a personally identifying way and then is either incompetent or abusive then he could attract a fine...
In the real world GDPR enables such websites because users can trust that he has to follow some minimum standards.
The great thing about TFA is we can stop speculating and see what the regulators are actually doing.
>After the controller succeeded to identify the data subjects he refused to comply with the deletion request, arguing he is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency.
So maybe if his backup regime were precisely specified in his privacy policy. But even a conflicting legal requirement is no defense, here.
Regarding minimization, 4 other cases:
>During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller.
>Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
> The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller.
> The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance
"Of course if he stores the data in a personally identifying way..." GDPR cares not for identifying but for identifiable. It's GPS data. If someone uploads data pertaining to their home, workplace, frequent travel routes, etc. then it is definitely identifiable.
Regarding FUD, it seems FUD is exactly what the DPAs intend, since they are punishing rather than helping when asked for advice!
>Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Auhtority then fined Kolibri Image as controller for not having a processing agreement with the service provider.
The Data Protection Authority of Hessen suggested Kolibri Image to draft their own data processing agreement and get Packlink, located in Madrid, to sign it. [1]
Kolibri Image then stated that they would "leave things as they are", which was incorrectly interpreted to mean that they'd use Packlink without an agreement instead of not using Packlink in the future.
In addition, Kolibri Image forgot to update one of their six data processing agreements on various websites which still mentioned Packlink, so their clarification of the matter was not believed.
Finally, the case was dropped because it (partially?) happened before the 24th of Mai.
[1] Drafting a data processing agreement for Packlink is of course not very practical because who knows how they handles their data and why would Packlink sign it in the first place if they don't want to offer a data processing agreement. In addition, the cost of drafting and translating the agreement is much more expensive than the savings from using Packlink as a shipping processor.
In any case, I agree that fining after asking for advice is not a friendly move.
You receive an email with a request for a privacy statement? Great, one way or the other, that's work with potential legal repercussion, which means you probably should talk to a lawyer. Additional expenses and hassle for no good reason.
You make a fix in the email system that accidentally emails everybody at the same time? (It almost happened.) Oops. There's your exposure to some nice fine.
You don't need to be abusing somebody's privacy to be concerned about legal exposure. Just like there are asshole companies, there are asshole users as well who can make your life miserable.
Any hobbyist who doesn't take this kind of exposure into consideration is naive.
I'm sorry but every website collecting personal data should set out clearly and simply what it is used for and how it can be distributed. For asmall hobbyist site you don't need a lawyer, there are plenty of decent templates out there.
If you make a mistake and you do so honestly, not out of malice and fix it, you are very unlikely to get a fine - you will get guidance and a warning. Unless you are being egregiously slip-shod.
Storing user names and passwords in plain text when you have several hundred thousand users is not a "honest mistake" in 2019. In other fields a commercial entity failing basic security practices can be considered criminally negligent.
That's absurd. Talking purely about the UK right now: there were tens of thousands of cases logged with ICO since GDPR came into power. So far,there were only a handful of companies that had to pay fines and their actions were either borderline criminal,or deliberate refusal to cooperate with ICO.
If it's the case I've seen [1], it wasn't someone sending a little mailing list newsletter to people who have opted in, it was someone sending complaints and CC'ing everyone they could get an e-mail address of. The article I saw also makes it sound very much like he was told to stop repeatedly.
Seems like an appropriate fine. Or do you think I should be allowed to collect 150 e-mail addresses, then e-mail them out to all 150 other people, after some of them told me not to do that?
The list has over 1600 recipients making it a bit larger than for "personal use". The quoted 187 recipients might just be one batch of recipients the examined mail was sent to.
The sender is also non-repentant and is running some sort of hate campaign.
I expect there would have been a warning given in that case before assessing a fine. Many of the less serious ones I read explicitly mentioned warnings that were ignored.
Seems to be proof it is being weaponized against behavior one doesn’t like, the behavior which is forbidden by the law.
This isn’t a one time slip up, it’s a 10 times slip up and chances are there were a lot of warnings this guy didn’t want to listen to. So he was hit where it hurts. Poor guy, it’s like he was caught speeding ten times and then got fined.
In Poland we actually have a sort-of tradition, AFAIK started by one of computer security portals, where if you find yourself on the receiving end of such CC-instead-of-BCC, you kindly tell the company responsible that this can and should be picked up with data protection regulators, and it would be nice if they e.g. paid ~500-2k EUR equivalent to a charity of their choice.
I'm totally 100% in support of this against companies. Less so about private individuals, though a 150-people newsletter is kind of thought-out and organized thing, and then 2k EUR in Germany is probably less than a monthly paycheck. A hard hit, but survivable without loss of life quality.
Whether this is guy is a victim of overzealous enforcement, or an example of the GDPR protecting people, is completely dependent on the context of the case and the nature of the mailing list.
The linked article suggests that the guy was sending out angry political rants and criminal accusations to thousands of people a day, which adds a further twist.
If that’s true then the gdpr was not used according to it’s spirit at all. They punished annoying guy who was trying to get some attention. Of course google or fb is fine...
This is crazy. I've seen it done plenty of times by accident in the past, because people don't know how to use BCC (and its hidden by default in many clients).
Yeah, but ten times in a row? And that's just in half a month, it sounds it could've been dozens of times over 3 months?
Nothing I've heard about this case sounds to me like an innocent mistake that a reasonable effort was made to correct.
I've accidentally smacked people on the street before (gesturing, probably). That's technically a crime, but it'd be crazy to prosecute me for a little mistake like that. But it's not crazy that hitting people is a crime and that people do get prosecuted for it in egregious cases.
It should have been more.The idiots who do this deserve it. My fiancé's ex employeer used to send emails cc'ing contractors that haven't even seen each other.I've seen some small scale companies even try to send marketing emails to their small list of clients..
Different take: This is exactly what GDPR was designed for. It just hasn't been "weaponized" enough yet to have the bandwidth to deal with every situation, so situations like these seem like targeted attacks when in reality they're precisely what GDPR is supposed to deal with.
I personally think ~$15 per leaked email is a reasonable fine. I bet this guy and everyone else who reads this article won't accidentally leak emails again, and that's great.
The thing is if this was a civil case you have to prove some damages had be done by the leak. A random person leaking my email in CC - that happens a lot - is not even necessarily annoying but for sure don't cause any damages.
But how is that different from any of the other privacy violations that are regulated? I doubt many of us could prove any damages from Amazon listening in on conversations made by our kids, or Google not properly disclosing that its tracking our search clicks and GPS location for better ad targeting.
In fact, I'd argue that leaking an email that exposes a private association with a mailing list to other unknown people has much clearer potential for damage than any of the privacy issues that big companies get fined for. And yes, CC leaks do happen (not a lot, in my experience), but I'm personally upset about it every time - much more so than when I find out Google didn't get my consent before recording half of my internet activity. Just because the violation is something that "happens a lot" because it can be done by accident by a careless individual doesn't mean it's less serious.
+1. Privacy violations sure do cause damages, they're just very difficult to attribute. When someone suffers identity theft, which ones of the dozens of leaking sieves with their data most enabled it?
Can you clarify what you mean by "The thing is"? Are you saying that's good, bad, or something else?
If a behavior is harmful and we want to stop it, but it's difficult to prove direct damages and therefore civil suits have been ineffective at curbing the behavior, then it seems like a reasonable public policy to impose fines on engaging in the behavior without requiring actual damages be proven in court.
(And if it's easy to innocently accidentally engage in the behavior, it seems reasonable to first issue warnings, and then impose fines if the behavior continues repeatedly.)
Whether there are damages depends on the context. In 2015 an HIV clinic in London used the to: field instead of bcc: on a patient newsletter, thus exposing the names of 700 patients, many of whom knew each other due to the small geographic area being served (https://www.theguardian.com/technology/2016/may/09/london-hi...). They were fined GBP180K (under the pre-gdpr regime, incidentally, so this isn't a new risk for businesses).
"The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee"
Yes, proof of weaponized gdpr use indeed (for very specific filtering cases of gdpr use).
In India, I often get government mails (e.g. reminder for some compliance) of local city with all the business owners in CC. I even went to authority in question to tell them about the privacy issue in vain.
So if a EU citizen's email id was part of the list, will it be liable for action according to GDPR?
Yes, but if an entity has no interest in interacting with the EU then they don't have to respond. You only need to care about a country's laws if (1) you want to do business or visit there or (2) you're going to piss them off to such a degree that they convince your home country to come after you.
> This seems to be proof that the GDPR is being weaponized against people and organizations one doesn't like.
Well, against people who publicly share private info of 150 other people who trusted them those emails. 2K euros is not that huge money in Germany, it's not like they'll loose their house over it, and that certainly is a practice that needs to be stopped. Just being an amateur is not an excuse when you deal with other peoples' data.
250K Euros to LaLiga for their app that tries to find bars illegally broadcasting their games by sampling user's microphones once a minute. I remember when it was discovered what it was doing thinking this must be a massive GDPR issue. I'm a little bit surprised that the fine is this low:
"The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent."
- Show the average people why privacy is important with concrete examples
- Find previous rulings for people in a specific situation
- Stop(reduce.) the "there is no way we're going to be sued for that" by the company's managers
My wish for that website is that in the future, the data is more easily readable and "big-data exploitable" (good luck with that)
Little things I can tell on the top of my head:
- the height of the fines is basically random, that makes scrolling cognitively heavy imo. Having (...) to click to expand long descriptions sounds fair I think
- it's not possible to link to a row (useful for giving examples to people)
- long descriptions deserve multiple paragraphs, they are hard to read as-is.
Also, I think negative rulings would be useful as well, though could send a different political message, so that's author's choice.
> Stop(reduce.) the "there is no way we're going to be sued for that" by the company's managers
I was thinking the opposite. The fines listed are so low, that from a purely financial perspective complying doesn't seem to make much sense. I would estimate all GDPR compliance efforts I've been involved in to be more costly than the largest fine issued in Germany.
The idea, generally speaking, is escalating fines. If a fine of this level doesn't stop you, you will get a substantially larger fine for the next or on-going infringement.
If you look back at comments as GDPR was first coming into effect, you saw a lot of comments here along the lines of 'The EU doesn't want to fine anyone. They want you to become compliant, and will help you do so, and you won't be fined unless you were intentionally being non-compliant'
But then look at this example from Germany:
> Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Auhtority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.
The company emailed the authority asking for advice on how to deal with a service provider who didn't want to cooperate with GDPR, then the authority ignored his request, forwarded their information to another authority, which then fined them for the exact thing which they was asking for advice on.
Yes, the fine has apparently been withdrawn, but how much time, money, and mental capacity did Kolibri Image have to spend dealing with this before the authority decided to drop it?
I'm not actually that sympathetic. If you have a processor that does not want to sign a processing agreement, you have to stop using them. There is no leeway on this issue in GDPR. You are responsible for ensuring that third party processors you engage agree to handle the data lawfully. There's not a lot of context to go on, but it seems to me that the company in question is just stalling. I literally can't think of a legitimate reason for their opinion that the service provider "does not act as a processor". Either you are sending PII to them or not. If you are, then they are a processor. If not, then it's not related to GDPR in any way.
That's fine, but my point was not that Kolibri Image took the appropriate steps immediately, but whether the commenters here on HN were correct in their estimation that the various data protection authorities would help you resolve compliance issues versus just issuing you fines.
Relevant passage: "Discovery of the misdemeanor began with an email from another company to the Hessian Data Protection Commissioner, sent in May of last year, in which advice was requested regarding the failure of Kolibri Image in proving customer data, despite multiple requests being sent. Kolibri Image declined to cooperate, instead laying responsibility at the feet of another contractor."
The article is a bit hard to understand, but it seems that someone asked Kolibri to provide information on how 3rd party information was kept secured. Kolibri declined to answer saying that it was another contractor who was doing it. Reading between the lines, Kolibri seems to have asked for guidance on what to do, but did not receive guidance.
I have to say that I'm even less inclined to be sympathetic. It's a pretty blatant disregard for the GDPR. If you want guidance at that level, hire a lawyer. But in reality, there is no need for a lawyer: it is completely obvious that you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".
To be a bit more clear, I don't know what the authority could do to help resolve the compliance issue other than to say, "Yes, you have to comply with the law. Sorry that you thought you didn't have to". Is a 5000 euro fine justified -- even without having given guidance. IMHO, yes, however you can see that they thought they were in error and hence are reviewing the fine. The other blurb made it seem as if the compliance issue was only discovered because Kolibri asked what they should do. This article makes it more clear that it's just a normal complaint with a company doing everything in its power to avoid doing anything.
you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".
To be specific, this is mandated explicitly by the GDPR:
> the controller shall [ensure] to be able to demonstrate that processing is performed in accordance with this Regulation.
[art.24]
> Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees
[art.28]
> Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller
[art.28]
> "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands"
In this case, the other company is also in Europe (Spain), so by law must abide by GDPR. It seems they didn't have a contract ready, and Kolibri didn't want to spend money on translating/creating a contract to Spanish.
From what I read from Kolibri themselves (https://kolibri-image.com/causa-datenschutz/), the "processing" was a company that bundles DHL package orders to get batch pricing. You send them the information, they send the order (together with other orders) to DHL, DHL picks up the package and you save on postage. Apparently, Kolibri wasn't sure whether that's actually data processing (but did mention them using the company for this particular reason in their privacy information, according to the Bavarian officials, it isn't). They asked the German branch of the company who said they wouldn't need a contract and subsequently referred them to HQ in Spain. They asked the Hessian official to make the company's German branch comply with GDPR and sign a data processing contract. Instead, the Hessians forwarded it to Hamburg.
Kolibri claims to have stopped using that company after hearing back from the Hessians, but forgotten to remove them from the privacy information on one website. If they are to be believed, they were told "you can't use them without a contract" and stopped using them.
The fine has since been withdrawn and the case was closed.
It's interesting how enforcement changes between countries. For instance, all the fines in Austria where for CCTV and dashcam use, all of France's fines were against large corporations, and the single fine Italy imposed was on the "Movimento 5 Stelle" political party.
These aren't all fines. Most of them are published by a select few individuals or newspapers with a clear focus of interest.
What you are seeing is french newspapers being especially interested in fines for big corporations, this is without a doubt a direct result of the current political situation in France.
I've tried to read two articles on it and they don't make sense.
It seems they stored data on users who closed their account to prevent money laundering, which is apparently fine if the bank actually blocks operation of those accounts according to one article.
But somehow this was not the case for those old accounts that were closed? How can you close an account but it's still an operational account? Like, was it still possible to send money to it etc.?
My guess is that the article is wrong and this was simply about them preventing legitimate users to close and then reopen a new account.
I have a hard time believing they were not allowed to keep that data for some time after acccount closing. It seems to be more about how it was used.
If they only kept the data that was necessary for legal compliance with tax regulations, they wouldn't have been fined. That's explicitly allowed. That they were fined suggests they just kept everything, far beyond what they had to keep.
At the time of the GDPRpocalypse last year, there were a lot of discussions here, and a lot of FUD being slung around about how if your US website wasn't 100% GDPR-compliant you'd be handcuffed if you set foot in an EU airport bla bla bla, or that minor infractions would incur the maximum penalty of millions of euro, bankrupting your awesome adtech startup bla bla bla. Most of it was fueled by the clash between US and EU jurisprudence, the legal systems are actually pretty different.
Some of us argued that no, this is not the apocalypse, the law says that fines will be proportionate, and the various national agencies will work with you to ensure you are compliant. And unless you willfully do the kind of shady shit the law is meant to protect against, you're fine.
Seems we were right. This list looks pretty sane to me, with one exception.
250k€ for using the microphones of all users of an app to spy and determine if they were in a pub that showed football matches without a license. Fuck yeah.
400k€ for a hospital that had effectively unrestricted access to all patient files for all staff. Yes. What would the HIPAA-equivalent fine be?
1400€ for a police officer abusing systems doing lookups for personal gain. Yes.
170k€ for a school district allowing public access to personal data of all minor-aged students. Yes, yes, yes.
The one exception is the fine on Google in France. This is purely a political bullshit game over control and loss of control.
There are sites that just block requests from the EU, there's a difficult-to-measure chilling effect on small businesses, and just because nobody's been hanged over it in year one doesn't mean it won't be abused, oppressive, or have other negative unintended consequences in the future.
> There are sites that just block requests from the EU, there's a difficult-to-measure chilling effect on small businesses
food safety regulations have a chilling effect on businesses that would try and sell arsenic-laced food.
dumping poisonous byproducts of a manufacturing process in a river will also net you a stomping by the society, another instance of a chilling effect of regulations.
i'm happy with these chilling effects, they relieve me of the need for constant vigilance. they enable our society to function. we do not need to fear for our mental of physical health and (private) lives all the time, we can focus on higher-order things instead.
I feel differently about it, but I think that's totally fair. Just pointing out that it's not quite the case that opponents' predictions turned out to be wrong.
Some did, at least for the first year. But some haven't.
Could you elaborate on why you think they do not have to follow GDPR? Do you think they can continue to track all their visitors as before, including the odd EU citizen?
Something I often see in discussions about GDPR on HN is that the law is vague. A hugely valuable comment on a previous GDPR discussion (which unfortunately I've been unable to track down) pointed out a marked difference in style between US and EU law. In the US, laws are usually very detailed and explicit about what will happen in all cases. If that's what someone is expecting, EU law is indeed very vague - because the underlying idea is that judges are trusted to interpret law in the context of constitutions, precedent and so on. EU citizens are much more used to this kind of language, so many of the discussions on here are people shouting past each other because there's a more fundamental issue about the way laws are phrased. If you're in the US and want to quibble with the language, please bear in mind the broader context of EU law. And if you're in the EU please bear in mind that people in the US are used to much more explicit legal language. If we all did that some of the discussions on HN about GDPR might be more meaningful.
The other thing that seems to happen a lot is that people are looking for a stick - any stick - to beat GDPR with. The current top-voted comment - https://news.ycombinator.com/item?id=20279249 - is a prime example. These lists of fines often don't give context (which, to be clear, is a failing of the list too) and often when you dig into these things you'll find that the ruling is entirely sensible. People need to give a bit more credit to legal systems than to think "Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany" could possible be true. If a fine seems ridiculous, do a bit of digging before you take a short summary at face value, and you won't be left with egg on your face when people point out what actually happened.
Perhaps this shouldn't be surprising, but what this site makes clear to me is that GDPR enforcement is more lax on major companies than many people expected, and more severe on private individuals.
For all the breathless reporting of how GDPR would ruin companies financially by levying fines on worldwide revenue, there is exactly one fine listed that exceeds 400k EUR. Granted, it's 50MM EUR to Google, but that's still a drop in the bucket compared to Google's worldwide revenue.
On the other hand, commenters below have pointed out that some private individuals have received fines in the hundreds to thousands of EUR for actions such as "using Cc instead of Bcc in emails" and "using a dashcam". I agree that these are privacy lapses but it's pretty unfortunate to see the power of the state used for these purposes rather than bringing serial data privacy abusers in line.
This could be a case of enforcement against large companies taking longer to conduct, given the complex nature of the cases and the resources of the legal teams involved. My understanding is that a lot of stuff is pending before the Irish data protection agency.
That certainly plays a role, especially as soon as courts get involved (or will get involved), see e.g. the pre-GDPR cases against Facebook still bouncing around the Irish court system. Smaller cases can be handled without international coordination, the facts are often easy to determine, ..., which makes them faster to process.
And the rules about international coordination mean other countries have to wait for Ireland in many cases.
GDPR isn't in effect for a long time and a big case against Google and similar companies isn't easy. Doing this needs in depth research in the ways they process data and through the terms, which were written by hghly paid lawyers. Doing this right is hard and if the goal is not to make money but to improve privacy there is value in pushing them in a political way over fighting longncourt cases - during which they probably won't change a bit.
Also there is this rule, that primarily responsibility is in the country where the corporation has their European legal headquarters, and for many the tis Ireland and the Irish government prefers getting 0.5% in taxes for those corporations over having issues with them and having them move to Malta or something.
Except that of course it wasn't about "using Cc instead of Bcc in emails" but using CC instead of BCC in mailing lists with hundreds of recipients and also not about "using a dashcam" but using a dashcam illegally, which in itself can imply a much higher fine in some European countries regardless of GDPR. So not as benign as you are trying to make it sound.
I honestly don't see how "using a dashcam illegally" is such a big deal, nor how "hundreds of recipients" on an email are a big deal. The email list seemed to be just rants.
I wish they would tell what the harm of both of those actually was.
The analogy was that GDPR fines, similar to other administrative fines (which was the term that had escaped me) like traffic tickets, do not require damage to be shown (although it plays a role in setting the amount of the fine) - unlike e.g. cases pressing for damages, brought by a wronged party, would be.
The law regarding dash cams (if there is an explicit one, I don't know enough about the situation in Austria) might just declare it a privacy violation, and thus defer to the enforcement mechanisms created by GDPR.
Interesting one from Spain, accessing user's microphones to crowdsource publicbroadcast violations:
> The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
GDPR unified and clarified all the different directions and laws active in EU member states before. So while most of those indeed were illegal before in one or more member states, all of them are illegal now in all member states. As such, GDPR does not really extend privacy protection de jure but merely helps enforcement by unifying protections de jure and hence allowing for a more efficient enforcement de facto.
Depending on the circumstances (I didn't actually look into it) the rental car tracking could have been done in ways that were at least arguably legal under EU law (though at least several member states had legislation that would have covered that).
As somebody else pointed out, they're being tracked by the ICO [0]. I think they previously had a blog where they documented enforcement while the UK was still under the older Data Protection legislation but I can't seem to find it.
The Information Commissioner's Office maintains a list of the UK fines.
> The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
Some countries don't consider public space free-for-all for recordings, and have different balances between privacy and the interest in recordings. E.g. in Germany, legal dashcams require a trigger to keep a recording long-term, so no long-term recordings exist in the normal case, but in the case of e.g. a crash the interest of the car owner in evidence is fulfilled.
The general consensus in the german legal system is that a dashcam that records on loop is not allowed; you basically film people without their consent and with the intent to distribute to third parties (the police) for no good reason (the possibility of a crash).
On the other hand, what is permitted is dashcams with shock sensors and trigger buttons. The shock sensor gives you a good reason (very high probability of a crash).
Using the trigger button is okay if either there was a crash (or something illegal) or if you mask out any identifiable details about the car and person involved afterwards.
Generally, recording public spaces is illegal, if you setup a security camera on your property, you have to make sure it's not filming outside your property in an unreasonable manner (you may be allowed to film the sidewalk, for instance, if you suspect someone is salting your garden out of revenge, but only until you have proof and then you have to make sure to delete all non-essential footage).
Privacy in public space is an important right that doesn't exist in the US.
Do these specialized dashcams keep a buffer? Otherwise it seems both the shock and trigger button would activate too late to capture the moments before the 'crash' which typically are more important for determining the cause.
It is a weird one in Germany. Generally you can record everything because of a law called Panoramafreiheit, however once you start to have discernible individuals on your photograph/video you need their consent, because individuals own the Bildrecht (”image rights”) to themselves, while you as the creator own the Urheberrecht (”creator rights”). And it needs both for a image to be taken legally.
So you get their written consent, ask them if it is okay or take the risk that they will e.g. see themselves in your movie and force you to take it down. This fits with the general feeling that filming another person without asking is seen as extremely rude.
The key here is that people need to be recognizable, so pictures of crowds usually don’t count.
Certain architects can also forbid circulation of photographed versions of their building if it is central subject of the photograph — but I only know of one such thing.
Note that this all was enshrined in law way before GDPR.
Unless you stick your camera into other people’s faces without asking or plan to distribute your images on a bigger scale you will probably manage without ever hearing about these laws.
>So, I assume that recording in public spaces is illegal in general and they make a specific exception to allow dash cams on the conditions mentioned?
The act of recording isn't the problem but the retention of the data records. If you have no need to keep a recording of a day's video for any purposes, then that falls under the provisions of likely being exploited data (e.g.: being used to build a profile of a person's travels throughout the day, week, year, etc.).
In the sense of the allowances, it's about balancing the need of the data's use (e.g.: in car accidents) versus the privacy impacts to other individuals (e.g.: you post your dashcam footage to YouTube and don't obfuscate faces or license plates).
An example of this, pre-GDPR, was when Google was forced to obfuscate faces and license plates in Google Maps for Street View.
"a man illegally used a dashcam, he was fined 300 euros. It was a camera recording the use of a car from the driver's point of view, which is illegal."
Some countries are sane enough to enshrine privacy in public spaces into law, because of the potential for abuse.
This is slowly but surely being eroded also in Germany. Multiple cities are trialling full video surveillance to stop the terrorists.
e.g: Some USA towns have near 100% video surveillance through the Amazon doorbell cameras (Ring) of the town's inhabitants. Some content is publicly available, cops can also request it.
Then Amazon is posting captured video as Facebook advertisements to identify suspected thieves.
Actually he was lucky. Austrian law says the fine should be €10,000. It is not legal to own or to use a dashcam in Austria, like in a few other European countries
Not true. You can have a dash cam, but it has to be the kind that continuously overwrites its own data and only records when it detects an accident. You can also record based on your intent - if your intent is to, say, capture a scenic drive ,then you can do that. If your intent is to just capture the license plates of 1000s of other cars that pass you, you can't do that.
The dashcam will record into a, say, 5-minute buffer until the accelerometer registers a high value, at which point it starts writing into a new file (so the buffer becomes a permanent record of the 5 minutes prior to the incident).
That's one way to implement it, one can come up with many others.
Dunno how well this will work if you need to claim that the pedestrian or cyclist just darted in front of you. But then again, maybe you don't want that kind of thing recorded.
Shouldn't be any more illegal than recording something with your cellphone (when not in the car) that you are interested with. I'm not quite certain about the legal code in australia but private recordings should generally be exempt from a lot of things.
Accelerometers. How it works is there is something like a 5 minute, constantly overwriting video file. Once the accelerometers detects an abrupt deceleration, it determines an accident occurred and marks the previous 5 minute segment of video as read-only.
It's good to be reminded of how many backwards laws there are in the world. Every country is a little bit fascist and insane and it makes you appreciate the good parts of your own country.
That's just a reductionist stance and when you follow that line of thinking to its conclusion then it would mean being illegal to record anything outside of your own house which is ridiculous because people need to film their kids going to the beach or take selfies in the mall. The negative side effects of prohibiting public photography greatly outweigh the positives.
See... and most countries that recognize a right to privacy even in public have found a way to let people film their kids, while still making it illegal to point a private surveillance camera onto a public area (be it from your window or a car).
There is a difference between taking a picture of your kid with someone in the background, and intentionally taking a picture of that person. And turns out that in practice, the law is able to distinguish those two even though technically they're quite similar.
And I couldn't care less about having that right. I would rather have freedom.
If you view the world from the point of view of [rights I have] vs [rights I don't have], you may as well be a happy pig in a cage. This worldview is in fact fascist, because it implies that the state should "give" you rights (giving you this type of right means taking away someone's freedom).
The opposite view is giving you the freedom to do anything as long as you don't attack someone (physically) or steal from them. If you want to prohibit something you must have good reasons, not "let's give everyone rights" or "it makes people feel bad".
Having a "right to not be insulted" means that you don't have the freedom to insult. i.e. you have no freedom of speech. If you put emphasis on the "right", you view the world like the pig in a cage, if you put emphasis on the freedom side, the opposite.
On public streets, yeah, that's kind of insane. It's pretty common for people to have a dashcam running with a buffer so if you're involved in a not at fault accident or someone vandalizes your car, or such things, you have documentation.
Some societies think that tracking people on public spaces isn't acceptable either. I don't know why it would be insane - if anything, losing all privacy because you stepped out of the house is the insane thing.
Insane would be the fact that i cannot use pictures/video taken in a public setting for my personal use. Publicising these pictures/videos are another thing and that is covered by GDPR.
Where is info on how to install it legally and why this stupid ban on dashcams when GDPR actually allows it (it made dashcam usage easier in my home country as now you don't have to register as data processor because dashcams fall under surveillance). I feel that this is a bad thing - you have a regulation that covers all EU but some countries have their specific laws overriding it and banning things that are allowed under GDPR.
Where does it say that? The linked article says "recordings of their house", which very well could e.g. be a camera on the outside, capturing surrounding public space.
(also probably existing law, not GDPR specifically: video surveillance has been fairly strictly regulated for a while)
It's not the GDPR that made this illegal. It was most probably illegal before the GDPR, and it was probably enforced by the same agency that now enforces GDPR. The GDPR is an umbrella that covers all the new things it introduced, but also a lot of old things the various national data privacy agencies covered.
Recording in one's own home is exempted under the GDPR[0].
I suspect something broader was involved here.
[0] Article 2(2): "This Regulation does not apply to the processing of personal data [...] by a natural person in the course of a purely personal or household activity"
A prime example where GDPR would apply to a security camera in your own house would be if that camera was used to record renters (including short term rentals e.g. AirBnB) without their knowledge.
For example, I recall reading about cases of renters finding out that the landlord has installed hidden cameras in the bedrooms and showers.
I wonder where the line is drawn when it comes to things like that.
Yesterday I was walking on the side of the road and some girl was half way hanging out of the passenger window recording a video of the scenery. I was able to see her from a few hundred feet away.
Eventually the car intersected with me and I was in the line of sight of the video for a second or 2. Of course I made a stupid pose to photo bomb her video which I found hilarious while continuing my walk home.
But under GDPR, is she technically in violation for recording me without my consent? I can't imagine how any of that could really be enforced. What about all of those Youtubers who happen to record people in a busy place like NYC or Vegas. Do they really get written consent from 400-500 people in the background for 10 seconds of video?
The line is drawn at surveillance of a public place [0] and in this instance only in Austria, as other commentors have pointed out the laws may have changed in 2018 to allow for dashcams that continuously overwrite old footage but I can't verify that. It is not illegal to make recordings in a public place in Austria, although you may have some limitations on what you can do with that footage if it captured other people and those limitations may change depending on what was captured (i.e., whether it was incidental, or footage of a crowd).
In Germany for instance dashcams are perfectly legal, you only have conditions on what you can do with that footage afterwards, for instance posting it on Youtube or social media is a big no-no, and unlike Austria you're likely to get a warning in Germany instead of a fine [1].
This can vary between jurisdictions but in all jurisdictions i know, photographing someone in a public location is always legal and never requires consent. Whether publishing requires consent varies, in the normal case it does for commercial but not for journalistic purposes.
Note that laws written this way usually distinguish “taking photos” from “surveillance” - so mounting the camera on a street corner immediately changes the legal context. This may be why dash cams fall into the surveillance category in some
places.
Depends heavily on the jurisdiction. In Germany, there would be two parts to this; Panoramarecht (Right to Panorama) and some general opinions of judges.
Panoramarecht means that the girl can film into a crowd or public space for her own reasons if she wants to. As long as she doesn't put one person in the center of the image or focuses on them in other ways, it's generally permitted.
There is also some more general law handling, if you posed for the picture, judges would generally agree that this constitutes consent to be recorded (a more recent case would the famous Angry German Hat Incident, in which a very angry right-wing man walked up to a camera team to complain about being recorded; the judge ruled that the camera team was justified in recording at first due to Panoramarecht and the man walking up to them, knowing they were recording, rightfully so, constituted consent to be recorded further).
Posing to a camera or walking up to it basically means consent in germany; you noticed the camera and you did take actions that would put you center in the image or make you a focus point.
As far as i understand this doesn't fall under GDPR unless the video is published because of personal use. If she publishes the video, you have the right to ask her to take it down/remove your PII from the video. But there might be additional local privacy laws that change things and GDPR has nothing to do with it.
As we learned from this listing, the video's controller is required to notify the subject that he appears in the video before processing it. If the controller does not have enough information to contact the subject, he cannot fulfill that requirement, and is therefore noncompliant.
I would disagree because "The rules don’t apply to data processed by an individual for purely personal reasons or for activities carried out in one's home, provided there is no connection to a professional or commercial activity." Obviously when you put the video out in the world those rules start to apply (especially if you make money from that - ads etc.). I don't see how GDPR applies if i take pictures on my vacation and show them to my family/friends after (this is purely personal use). Even in case of surveillance (dashcam, cctv) you don't need to get consent from every person, you just need to inform them (signage) that surveillance is happening.
1) We don't know much. GDPR allows processing if it's for purely personal use, so if he's putting it on youtube with ads that takes it out of purely personal use.
2) As the linked news article says, Austria may be getting the balance between cautions and fines wrong, which is why they may face a case in EU.
> In Germany, for example, people use caution instead of punishment - which is why Austria may face an EU case.
Based on this article [1], it looks like EU country laws on dashcams ranges from similar to the US, to legal but with restrictions on the duration, retention, or use of the footage, to illegal to use subject to fines, to illegal to use subject to prison, to illegal to even own one regardless of whether or not you are using it.
How aware are EU drivers of these differences? Is it well known to those in places with less restrictive rules that their cameras could get them in a lot of trouble if they take them with them when they take a road trip that passes through other EU countries?
Don't know dash cams specifically, but it's common knowledge that laws surrounding what's in your car (e.g. emergency kit) vary and you need to check up on that.
It's basically impossible to know. Even laws which should be really clear, such and if and when you need winter tires are not clear.
At the end of March I drove across Europe from south of Spain, and had summer tyres on. The weather conditions were good, so I was fairly confident I would be ok without winter tyres, but a lot of European countries have laws requiring then at certain points of the year.
I knew in my destination country you needed winter tyres until April 1st, but I couldn't find anything clear on all the countries in-between. Austria was actually the toughest, my understanding is their laws are you need winter tires if the road conditions dictate you need them. In some cases snow chains can be used, but not on highways. But this was based on reading English forum posts from 10 years ago, so I have no idea if it's still correct. I tried to find something clear from an official authority (probably doesn't help I don't speak German) or an automobile association website, but couldn't.
Why are there so many violators marked as "unknown"? Is that from the sanction being redacted or the aggregator's lack of information? The header paragraph states that not all violations are made public, but the ones that are made public can also be redacted?
A was curious about the dashcam fine so I looked it up and it seems some vary ordinary usages of cameras are violating GDPR:
> It was a camera recording the use of a car from the driver's point of view, which is illegal. Two people were reprimanded for using surveillance cameras for their own home without permission.
I assume "driver's point of view" means looking out of the front windshield? Is this not how dash cams are meant to be used? (On second though perhaps this is a translation issue... the article was in German). And then I assume the surveillance cameras were mounted outside and recorded people in public?
Both of the possible scenarios here seem pretty benign and ordinary by US standards.
What do you do if e.g. Instagram ignores your GDPR requests? I have sent them multiple emails about misuse of my personal data and they only replied with a template that didn't address my emails?
Two of these are much more intense than I would have guessed:
>The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.
So, basically, only use open source datasets that come with contact information for every subject.
and
>The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
You can't just retain the database rows pertaining to accounts with current or likely litigation, but must choose the specific fields relevant to the nature of the dispute. Even the companies that successfully implemented propagation of deletion across their systems are probably going to get spanked for this one when some column in some backwater warehouse backup isn't strictly necessary for the precise claims in that account's lawsuit. Wow.
I hope this puts to bed suggestions that others were "overreacting" to GDPR, that there would be anything other than the meanest, most aggressive, most literal application to every case. Maybe this is a good thing! Maybe everyone needs the fear of God put into them. But I hope GDPR boosters who went around minimizing the threat to good-faith actors admit that they were wrong.
RE first example, read the linked official report[0]. Some choice quotes:
"the company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data."
"In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal."
"The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because - as it was established during the proceedings - the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons."
"While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so."
This is precisely the kind of crap GDPR was meant to address, and I very much like the decision made here.
EDIT: If I'm Googling correctly and found the correct company, then here's an extra irony: they actually offered services and advice to companies in preparing for GDPR coming into force. It's safe to say they were fully aware of the obligations under law when they performed data mining on government databases of entrepreneurs.
> But I hope GDPR boosters who went around minimizing the threat to good-faith actors admit that they were wrong.
What? No. Your first example talks about "open source datasets" -- no such thing exists for my personal data. If you've gathered my data you need to tell me why you gathered it. Dumping it into a dataset for other people to use is clearly not ok.
Your misdescribe your second example. Notice the company weren't fined just because they had the phone number. They were fined because they had the phone number, they were asked to delete it, and they declined to delete it. The company were not claiming they couldn't erase the phone number because it would be too hard. They were trying to say that they wouldn't erase it because they needed it for debt collection. The regulator disagreed.
Neither of these are good faith actors and these are exactly the kinds of data misuse I wanted GDPR to handle.
My guess is that nobody is going to sell coverage for fines that could range up to €20 million that can be assessed under a set of regulations as vague, difficult to follow, and up to interpretation as GDPR.
There's nothing difficult to follow in GDPR... unless you're specifically trying to continue collecting too much personal data while trying to skirt the law.
I expect there would have been a warning given in that case before assessing a fine.
What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.
Edit: the downvotes on this are coming in fast. Because you are downvoting it, you must know of a specific section of GDPR that requires warnings to be issued (otherwise you wouldn’t be downvoting it, right?). So, along with your downvote, please reply to this comment with a link to the specific section that requires warnings, and I will be happy to say that I am wrong.
You went on and on about some tedious point and kept doing it long after it was clear no productive discussion would take place. Also, you've done this many times before on this particular topic. I don't have a way to stop you from doing that other than banning you, and I don't want to ban you. But if you can't or won't stop doing this, we're going to have to. So would you please stop doing this?
I am not sure how I was supposed to know, in advance, that “no productive discussion would take place”. I only mentioned facts, not my own opinions, so the outlandishly negative reaction was not predictable. It seems that I am being held to a different standard than others, because now I am supposed to somehow correctly forecast the reaction of people to factual information before I post it, or risk being banned. I don’t post here much anymore anyway. I will do my best to make this calculation going forward, however I do not see how I can be expected to do this with a great deal of accuracy, given the wide variety of people that use HN.
Also, you claim that you marked it as “off topic” even though it clearly wasn’t.
Many, but not all of them said this. Given that GDPR has absolutely no requirement that warnings be issued, it is not reasonable to expect that warnings were issued and/or ignored in cases where it doesn’t specifically say this occurred.
You don't seem to have brought up any cases where we know that fines were imposed without a warning, nor any reason to believe this particular case was special.
If, out of all the cases that we do know whether warnings were issued, warnings were in fact issued in the vast majority of them (or even 100% of the known cases), then for a case where we don't know and have no reason to believe is special, isn't the reasonable assumption that it's not special and is no different from the other cases?
Once again, under GDPR, it is entirely legal to issue fines without a warning. Therefore, in any case where it does not say that there was a warning, one can reasonably assume that no warning occurred - especially given that in some cases (according to you, most cases) they did say something about a warning. The absence of the mention of a warning in this context implies that there wasn’t one.
The point is, and no one has been able to refute this, that warnings are not required under GDPR. Even if they have issued warnings in most cases thus far, it is still early days. As these actions under GDPR become more common, there is no guarantee that even those countries that have been issuing warnings first will continue to do so. The enforcement of regulations that have the potential to generate massive revenue streams for government entities tends to become increasingly aggressive and creative as time goes on.
I don’t understand why anyone, even those in favor of GDPR, would attempt to refute the black and white text of the law. No warnings are required under GDPR, and thus the potential exists for fines to be issued without warning. There is no argument or opinion to be interjected here. This is a binary fact. Are warnings required? No, warnings are not required. It’s that simple.
Once again under UK drug law it is entirely legal to send someone to prison for five years (I think) for an eighth of weed. Except it never happens. To get straight to a maximum penalty there would be very damning circumstances.
It's why we have regulators, judges and magistrates - to apply judgement and proportionality. Sure there's a few headline cases of some absurdly harsh sentence - and just about always the details reveal there were a lot of very damning circumstances that make the sentence seem pretty reasonable.
Do US judges rubber stamp a maximum sentence each and every time? No. Does every visit by police result in prosecution? No. Is every warning and scaling mechanism offenders get in the US expressed perfectly in statute? No. Otherwise you would have fired all the judges as surplus to requirements.
You're just spreading FUD. Understand the legal system in Europe before spreading such rubbish.
You appear to be spreading false rumors about them issuing warnings even though they don’t have to. When I organized the data on this site by fine amount, not a single case on the front page said anything about any of the companies fined having received a single warning.
So, by comparing this to legal situations where “it never happens” you are purposely misrepresenting the risk of receiving a fine under GDPR without any type of warning. While having an eighth of weed rarely if ever results in a 5 year sentence in the U.K., clearly not receiving a warning before being fined occurs quite frequently. You have made a false equivalence between these two things.
You also need to remember that if the regulator has got it wrong there is a remedy available for the person being fined.
About cannabis: generally the first offence will receive a warning unless there are aggravating factors. Police are expected to take an escalating approach: 1st offence = warning, 2nd offence = penalty notice for disorder (which doesn't result in a criminal record if it's paid), 3rd offence = arrest followed by caution or charge and prosecution.
Why would you expect a site built to report GDPR fines and penalties to report GDPR warnings?
ICO haven't yet released aggregate figures for GDPR, it's too soon. GDPR is a minor update of DPA, and they have released aggregate numbers on that for a while. Fines are levied in a tiny minority of cases. Warnings are far more common, as is steady escalation. The expectation here is the proportions will remain the same under GDPR.
On weed, actually no, because the default action for weed for the vast majority is just a warning. So no, it isn't clear that getting fined without warning first happens quite frequently, because that's also simply not true. You're very unlikely to see a court without a warning first.
It is not a minor update[1]. The Information Commissioner's Office is extremely aware and vexed, given the current state of affairs, that Data Protection Act 2018, needs to be aligned as closely to the GDPR to allow for information to flow freely after Brexit (Article 45)[2][3].
Furthermore, ICO has not been the epitome of a regulatory body enforcing the law to it's fullest extent, for which it has had the remit for ─ by stopping business' doing a runner or imposing maximum fines, neither has it had a good record on collecting the fines issued. Although, it has made a meal of some of the high profile rain-making cases which have already been in the public eye. It is ironic that there are no real details forthcoming from ICO and one has to resort to FoI requests to get any information on it's previous escapades under DPA 98![4]
That is an entirely different issue. GDPR is effectively an update of DPA 1998 that it replaces. Most is the same, definitions and scope are widened and modernised. A company that had implemented DPA(1998) was most of the way there for GDPR(2016). If you're going to get pedantic, DPA 1998 is one of the many implementations of EU's DPD 1995 as there is a fundamental difference between EU Regulation and EU Directive.
Clearly I am not calling GDPR (2016) a minor update of a subsequent law UK DPA (2018). That is UK's implementation of GDPR, which thanks to the stupidity that is Brexit may indeed have some issues interrelating with the EU. Probably the least of our issues, but still...
UK ICO's stance is fairly well known, but I don't think they can be held responsible for businesses that liquidate in the face of fine. That seems more likely to be an issue of UK company law.
>UK ICO's stance is fairly well known, but I don't think they can be held responsible for businesses that liquidate in the face of fine. That seems more likely to be an issue of UK company law.
You are confusing ICO's stance and responsibility with it's reluctance to enforce powers, which have already been granted to them by the government, in order to pursue negligent cases and collect fines under the UK law.
The Insolvency Service has general powers to investigate both insolvent and active companies, including those companies that undertake direct marketing activities. If a director has deliberately acted to the detriment of the company and/or its creditors, action may be taken against the directors under the Insolvency Act 1986 or the Company Directors Disqualification Act (CDDA) 1986.
That's the Insolvency Service, which isn't ICO, and presumably they (IS) would have to instigate action. I've no idea how it interrelates with ICO's powers, but I'm completely outside my knowledge here.
No one is saying warnings are required. I said I expected one was given, because 1) it appears to be the common practice, and 2) it is the reasonable thing to do. So I doubt that this person would have been fined without a warning, but indeed, I have no way of knowing. That said, I'm open to the idea that perhaps the law should stipulate a warning, but perhaps the language around proportionality/reasonableness is sufficient.
The absence of the mention of a warning in this context implies that there wasn’t one.
Why? Many of these summaries aren't official justifications of the fine, they're news clippings. What leads you to believe that if a warning was issued, the news would always mention it? They're not trying to justify the fine, they're trying to inform the public, and they can never include every detail, they always have to leave stuff out. What leads you to believe the news always mentions warnings if issued?
I don’t understand why anyone, even those in favor of GDPR, would attempt to refute the black and white text of the law.
Literally no one in this thread has attempted that, and you incessantly repeating this strawman is why you're being repeatedly downvoted.
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive
When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
A) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
e) any relevant previous infringements by the controller or processor;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
> (otherwise you wouldn’t be downvoting it, right?)
You're assigning a strawman to your downvotes. OP said "I expect" (not "There must have been"), and it is the usual procedure. It's not a _requirement_ as some bigger or more deliberate infringements may warrant an instant fine.
It is not a requirement, which is why nobody should have any expectation that they or anyone else will receive one before being slapped with a heavy fine.
It does not explicitly require warnings, but Art. 83 (https://gdpr-info.eu/art-83-gdpr/) requires that the authority, when deciding whether to impose a fine, takes into account a number of things. It would be hard to argue for an instant fine if the things listed in the article were favorable in a specific case.
It shouldn't need to be explicit when the enforcement agency has the discretion of deciding appropriate action and whether or not to prosecute. Otherwise there's no discretion and they become rubber-stamp agency. By the same token UK law doesn't include warnings in the Acts for offences that almost always get a warning or caution on first offence, e.g. possession of class B drugs.
When you get to actual penalties, all EU law has the principle of proportionality under it, and has since about the sixties. I know it's written into some treaty or other. There's been countless appeals to the EU courts that some penalty or other was disproportionate.
Can you show that it is an outlier for a law to not require warnings to be given? I can think of many laws (road rules, all of criminal law) which don't require warnings to be given, but instead warnings are up to the discretion of police officers or courts.
Also, the EU is not the US. There is a very different culture and jurisprudence when it comes to proportionality of laws. If the GDPR was a US law, then I would also be concerned about the penalty guidelines. But it's not a US law, so bringing a US-centric mindset to the discussion causes misunderstandings.
Can you show that it is an outlier for a law to not require warnings to be given?
No, my initial comment on this issue was in reply to someone that said "I expect there would have been a warning given in that case before assessing a fine." [1]. This is an oft-repeated and entirely baseless sentiment that HN's resident GDPR defenders love to cite - it shows up in every one of these threads. That is why I was making it clear that in fact no warnings are required, and indeed as time goes on, few warnings are likely to be given.
> "I expect there would have been a warning given in that case before assessing a fine." [...] That is why I was making it clear that in fact no warnings are required
They didn't say warnings were required, they said that warnings were the norm. You haven't provided counter-examples to that claim, you're arguing against a straw-man argument that "warnings are required by the GDPR".
As an example outside GDPR, it is not required to give children warnings when they commit petty crimes (such as shoplifting) but that is the overwhelming norm in most countries. In this analogy, you're arguing that "most children don't get put in juvenile detention for shoplifting and get warnings instead" isn't true because there isn't a provision in the criminal code saying that children need to be given warnings.
> indeed as time goes on, few warnings are likely to be given.
This is an example of the "baseless sentiment" that you claimed you're trying to fight against. On what basis do you claim to know (or even conjecture) that "few warnings are likely to be given" in the future?
There are many examples of GDPR warnings being given. To me, it seems to be the norm -- if you have an actual counterexample (other than pointing out that warnings aren't required, despite now basically admitting that legally-mandated warning stages aren't common and so that entire line of argument seems to be a non-sequitur) I'd love to see it.
They didn't say warnings were required, they said that warnings were the norm.
Sadly, it appears that warnings are not the norm. When you organize the data on this site by the size of fine, you’ll notice that none of the top 10 received any warning.
Ignoring that we don't know how complete the one-paragraph summaries of the cases are (many of the links are not in English) -- how is looking at the top 10 largest fines a fair sample? Surely taking 10 random samples is a much better selection?
It seems possible that the largest fines were for the most severe transgressions, or for companies that are large enough to know better. In fact, the topmost example of Google's Android penalty is a prime example of both factors. So it's possible there is a statistical bias for larger fines to be for more severe cases where warnings make less sense.
There is no section of the GDPR that requires warnings to be given. This should not be a surprise or shocking to you. If there were required warnings for first-offenders then really heinous data leaks by first-offenders would not be punished.
There is no provision in road rules that says police officers should give warnings -- for exactly the same reason. Instead, it's purely up to the discretion of the police officer whether you get a warning or not. GDPR acts in exactly the same manner, but instead of it being individual police officers it's officers appointed for that role.
> What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.
It's not in GDPR because it's part of EU law. Two parties to a case need to attempt to fix it before going to court. In the UK this is why you have letters before action setting out what you think your case is, how you want it to be fixed, and what you'll do if it isn't fixed. You don't just leap to issuing court papers straight away.
And yet this site details numerous examples of GDPR fines being issued without any warning. So clearly this law that you claim requires warnings does not actually do so when it comes to GDPR.
>What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.
Edit: the downvotes on this are coming in fast. Because you are downvoting it, you must know of a specific section of GDPR that requires warnings to be issued (otherwise you wouldn’t be downvoting it, right?). So, along with your downvote, please reply to this comment with a link to the specific section that requires warnings, and I will be happy to say that I am wrong.
Nothing in the GDPR requires compulsory fines for every infraction. In fact, if you had read Chapter VI, Section 2, Article 58, 2(a)[0], you would know this.
I’m not sure what that has to do with this discussion. We are discussing whether or not GDPR requires warnings before fines are allowed to be issued. The answer is no, it does not require them, and the text you linked to does not disprove this simple, undeniable fact.
Incorrect. You're moving the goal posts. Let's stay on the topic-at-hand, yeah?
The OC comment was:
>I expect there would have been a warning given in that case before assessing a fine.
To which your initial retort was:
>What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.
When you started receiving the downvote storm is when you challeneged for proof that the GDPR requires warnings.
I gave a response that supports the OC's position, that a warning could and would be expected; not because of requirement but because it is up to the discretion of the supervisory authority.
After all, the initial challenge that was given to the OC was, "What makes you expect this?" was it not?
Now, it's your turn to disprove that a warning would be expected. I'll wait...
One cannot expect a warning if a warning isn’t required. You may hope to get a warning, but unless it is required you should not expect it. There are numerous cases listed on the website we are discussing where, in fact, no warning was issued. Had those individuals/companies read the comments in this thread prior to receiving fines, they would have been wondering why they received no warning, since everyone claims they should “expect” their self-appointed, benevolent, data overlords to give them a warning first. Unfortunately for them, all of you are incorrect that they should “expect” to receive warnings. Why? Because they are not required, and not only that, warnings don’t even appear to be the norm.
Not any website. If it is purely private and non-commercial you don't have to.
Also, it doesn't have to be "all your personal information". Your Name is required and an address where you could be served with court papers. A P.O. box is not required, but the address where your company is located is fine. It doesn't have to be your private home address. An email address is required, but that again doesn't have to be your private one. It just has to work. A few other things are required, e.g. where your LLC is registered if it is an LLC.
> If it is purely private and non-commercial you don't have to.
Unfortunately, this does not include a lot of websites that most people would classify as private. For example, a blog still needs an Impressum.
In addition, you will even be classified as commercial, and therefore require an Impressum, if you don't make any money, for example if you use ads to (try to) pay the hosting cost.
> A P.O. box is not required
In fact, you'll have to pay a fine of usually 5000€ if you use a P.O. box without a summonable address.
I've got an imprint, including my mobile phone number, on my partly personal, partly business website for about 15 years now. In this time I have not received any calls or unwanted mail on this address. Not a single one in all those years.
Maybe your website is not popular enough. I had a website a few years ago (not anymore) and since then I receive about one call per week of "Microsoft" employees asking me to install some backdoor software.
Well, I can't complain about visitors and views and the resulting business out of that. Maybe I'm just very lucky, but it's not such a big deal as OP wants it to be.
You also need to make the links obvious. The light grey on white they do on that page likely isn't compliant, and neither is their privacy information ;)
Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany.
"The fine was impossed against a private person who sent several e-mails between July and September 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list."
Poor guy.
This seems to be proof that the GDPR is being weaponized against people and organizations one doesn't like.
Without knowing the details, I can't say whether a €2000 fine was disproportionately onerous or a slap on the wrist.
https://www.businessinsider.com/nhs-trust-fined-for-leaking-...
The ICO might well consider a similar breach worthy of a bigger fine now.
It's almost like laws can work.
This is where Outlook with their *@outlook.com and apple’s new system really do shine.
Commiserations to those affected :(
https://www.rosepartner.de/blog/bussgeld-fuer-offenen-e-mail...
He was fined solely based upon the email addresses being visible to all recipients, not because of the content of his mails, said a spokesperson. However, he was a repeat offender in terms of privacy, who in the past was warned, then fined for similar stuff.
I'm a little bit torn on that one. The fine seems excessive for what he did (and the email addresses seem to be a list of already public journalist and press contacts) and it certainly looks like somebody in the govt got annoyed and threw the book at the guy in retaliation. Then again, he had ample warnings, and choose to ignore those warnings.
It really is analogous to most govt fines e.g. speeding tickets: the government (the police) gives you a ticket, and if you pay it then OK, no court involved, but if you challenge it then the courts get involved.
But more generally, the government should and does get priority access to the courts already. Criminal courts exist solely to serve the government; you cannot bring criminal suits as a citizen yourself, only civil suites. Also, e.g. in Germany the government and legislatures (federal and state) get priority access to e.g. the constitutional (supreme) court. A mere mortal cannot just file suit directly in the constitutional court, but has to go through the lower instances first (unless there is something similar to a class action petition, showing a sizable chunk of the population sees the same issue and wants it decided). Members of the parliaments and IIRC of the cabinet are allowed to file suit in the constitutional court directly. The reasoning here is that if it was allowed for citizens to petition the highest court directly, then the court would do nothing else than write rejection letters for bullshit petitions. While the govt and legislatures incl the parliamentary opposition of course represent the people (in theory) and aren't stupid morons wasting the courts time (in theory).
PS: Google was already fined €50M for GDPR violations, and there is probably more of those in their future. Facebook got fined €10M so far, IIRC, also with more to come. And don't forget the billions of Euros worth of antitrust fines against Google and Microsoft, e.g.
But using CC instead of BCC causes a massive leak of personal information, especially when either the subject being discussed or the people on the list are sensitive. In my life this has mostly been annoyance at large org stuff, but my wife has had this happen with a sensitive medical practice and we were not in the US so HIPAA did not apply.
I don't think fines are the only solution, of course. But I think fines should be on the table and it's easy to me imagine a circumstance where 2k euro would be appropriate.
The argument back then was that they were overreacting, that we didn't understand how Europe works, that you'd only get fined after repeated warnings about violating procedures etc.
I'm sure the private person was dumb for doing what he did, but that doesn't invalidate the general point: unless you're sure you that can afford making these kinds of mistakes, don't provide a service on the internet that might be used by EU citizens.
The benefits, whatever they might be, just don't justify the risks.
This site makes no mention of warnings and escalations, and ICO at least doesn't normally announce that for individual cases. Though they do put out aggregate stats. When they have fines are clearly shown as arising in a small minority of cases.
https://iapp.org/news/a/germanys-first-fine-under-the-gdpr-o...
Which goes to show why the regulators get the discretion to decide appropriate action from warning only to maximum fine. Without context and aggravating and mitigating factors we can't know, which was my point. If a penalty is disproportionate there's well worn appeal tracks.
Other comments seem to point to the small case in OP comment being some guy running a list to harass people, which seems like a huge aggravating factor to me. Maybe he got one warning, maybe in context he didn't deserve even that.
True. But I doubt that even the most ruthlessly efficient GDPR enforcement authority could multiple enforcement requests between mid July and end July.
There's potential time for quite a few ignored warnings before prosecution, but I don't know and can't find out from here if or if not.
Very likely that they just ignored it.
DOT
sounds good
I agree it's a difficult problem and it's hard to define boundaries, but some level of competence is welcome when handling data that belongs to other people.
If you start some internet service, I expect you not to lose my data (in some lame way, s.h.), just like I expect my car mechanic not to destroy my engine.
edit: to give it context, I closed my programming website with thousands of active users that I had for almost 20 years because of GDPR, I'm not a big fan of it, but what I like even less is when complete incompetence when handling personal data results in zero consequences
All sorts of civil offences and crimes can be mistakes. While "it was an accident" might lower the penalty it doesn't negate the fact the mistake was made and people might have been hurt.
The idea that we should hold companies that profit off people's personal data blameless if they manage to "make a slip-up" with it is absurd. The only other industry where we accept those kinds of mistakes is Wall Street and we all know how well that policy has gone.
>profit off people's personal data
Have you "decided to create a business around destroying the environment" and "profit off CO2 emissions" because your office is heated in the winter? GDPR is not specific to the adtech or data brokerage industries.
It was purely a hobby affair that was a net loss, but Google ads ($10 per month) reduced the cost somewhat.
Those ads probably made it a for profit business.
I shut the thing down before GDPR, but if I hadn’t it surely would have been an excellent reason to do so.
Those are the kind of websites that you lose.
I consider that a loss.
It is doable, if you have the lawyers and the time. But that's not a degree of scrutiny you want to gamble your life savings on for a personal project.
I might need it later is not a clear reason!
HN doesn't need to know or share your username to post your comment, it is clearly possible to run a message board without usernames, and conversations could be maintained by generating a random pseudonym for each thread.
Pure FUD.
EDIT: Downvotes don't change reality. The OP is spreading FUD.
Edit: unless the website was actually abusing users privacy in which case I'm glad it is gone.
Now he has "decided to build a business around profiting from the abuse of personal data" and the consensus in this thread looks on his destruction with glee.
This is typical FUD. GDPR allows backups. Right to be deleted doesn't mean grovelling through backups. If those snapshots are rotated out after e.g. 3 months he is fine.
And regarding sanitizing altitude. Again pure FUD. There is no way that that would be a problem.
Of course if he stores the data in a personally identifying way and then is either incompetent or abusive then he could attract a fine...
In the real world GDPR enables such websites because users can trust that he has to follow some minimum standards.
>After the controller succeeded to identify the data subjects he refused to comply with the deletion request, arguing he is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency.
So maybe if his backup regime were precisely specified in his privacy policy. But even a conflicting legal requirement is no defense, here.
Regarding minimization, 4 other cases:
>During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller.
>Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
> The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller.
> The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance
"Of course if he stores the data in a personally identifying way..." GDPR cares not for identifying but for identifiable. It's GPS data. If someone uploads data pertaining to their home, workplace, frequent travel routes, etc. then it is definitely identifiable.
Regarding FUD, it seems FUD is exactly what the DPAs intend, since they are punishing rather than helping when asked for advice!
>Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Auhtority then fined Kolibri Image as controller for not having a processing agreement with the service provider.
https://kolibri-image.com/causa-datenschutz/
Google translate:
https://translate.google.com/translate?hl=&sl=de&tl=en&u=htt...
tl;dr
The Data Protection Authority of Hessen suggested Kolibri Image to draft their own data processing agreement and get Packlink, located in Madrid, to sign it. [1]
Kolibri Image then stated that they would "leave things as they are", which was incorrectly interpreted to mean that they'd use Packlink without an agreement instead of not using Packlink in the future.
In addition, Kolibri Image forgot to update one of their six data processing agreements on various websites which still mentioned Packlink, so their clarification of the matter was not believed.
Finally, the case was dropped because it (partially?) happened before the 24th of Mai.
[1] Drafting a data processing agreement for Packlink is of course not very practical because who knows how they handles their data and why would Packlink sign it in the first place if they don't want to offer a data processing agreement. In addition, the cost of drafting and translating the agreement is much more expensive than the savings from using Packlink as a shipping processor.
In any case, I agree that fining after asking for advice is not a friendly move.
You make a fix in the email system that accidentally emails everybody at the same time? (It almost happened.) Oops. There's your exposure to some nice fine.
You don't need to be abusing somebody's privacy to be concerned about legal exposure. Just like there are asshole companies, there are asshole users as well who can make your life miserable.
Any hobbyist who doesn't take this kind of exposure into consideration is naive.
https://www.lexology.com/library/detail.aspx?g=d8d0c69a-620e...
Seems like an appropriate fine. Or do you think I should be allowed to collect 150 e-mail addresses, then e-mail them out to all 150 other people, after some of them told me not to do that?
[1] https://www.rosepartner.de/blog/bussgeld-fuer-offenen-e-mail...
The sender is also non-repentant and is running some sort of hate campaign.
This isn’t a one time slip up, it’s a 10 times slip up and chances are there were a lot of warnings this guy didn’t want to listen to. So he was hit where it hurts. Poor guy, it’s like he was caught speeding ten times and then got fined.
In Poland we actually have a sort-of tradition, AFAIK started by one of computer security portals, where if you find yourself on the receiving end of such CC-instead-of-BCC, you kindly tell the company responsible that this can and should be picked up with data protection regulators, and it would be nice if they e.g. paid ~500-2k EUR equivalent to a charity of their choice.
I'm totally 100% in support of this against companies. Less so about private individuals, though a 150-people newsletter is kind of thought-out and organized thing, and then 2k EUR in Germany is probably less than a monthly paycheck. A hard hit, but survivable without loss of life quality.
The linked article suggests that the guy was sending out angry political rants and criminal accusations to thousands of people a day, which adds a further twist.
Nothing I've heard about this case sounds to me like an innocent mistake that a reasonable effort was made to correct.
I've accidentally smacked people on the street before (gesturing, probably). That's technically a crime, but it'd be crazy to prosecute me for a little mistake like that. But it's not crazy that hitting people is a crime and that people do get prosecuted for it in egregious cases.
I personally think ~$15 per leaked email is a reasonable fine. I bet this guy and everyone else who reads this article won't accidentally leak emails again, and that's great.
In fact, I'd argue that leaking an email that exposes a private association with a mailing list to other unknown people has much clearer potential for damage than any of the privacy issues that big companies get fined for. And yes, CC leaks do happen (not a lot, in my experience), but I'm personally upset about it every time - much more so than when I find out Google didn't get my consent before recording half of my internet activity. Just because the violation is something that "happens a lot" because it can be done by accident by a careless individual doesn't mean it's less serious.
If a behavior is harmful and we want to stop it, but it's difficult to prove direct damages and therefore civil suits have been ineffective at curbing the behavior, then it seems like a reasonable public policy to impose fines on engaging in the behavior without requiring actual damages be proven in court.
(And if it's easy to innocently accidentally engage in the behavior, it seems reasonable to first issue warnings, and then impose fines if the behavior continues repeatedly.)
Yes, proof of weaponized gdpr use indeed (for very specific filtering cases of gdpr use).
So if a EU citizen's email id was part of the list, will it be liable for action according to GDPR?
Well, against people who publicly share private info of 150 other people who trusted them those emails. 2K euros is not that huge money in Germany, it's not like they'll loose their house over it, and that certainly is a practice that needs to be stopped. Just being an amateur is not an excuse when you deal with other peoples' data.
What didn't they like about this person, and what proved that to you? And what proved that was the impetus for this fine?
"The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent."
Such a website can have many uses:
My wish for that website is that in the future, the data is more easily readable and "big-data exploitable" (good luck with that)Little things I can tell on the top of my head:
Also, I think negative rulings would be useful as well, though could send a different political message, so that's author's choice.I was thinking the opposite. The fines listed are so low, that from a purely financial perspective complying doesn't seem to make much sense. I would estimate all GDPR compliance efforts I've been involved in to be more costly than the largest fine issued in Germany.
But then look at this example from Germany:
> Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Auhtority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.
The company emailed the authority asking for advice on how to deal with a service provider who didn't want to cooperate with GDPR, then the authority ignored his request, forwarded their information to another authority, which then fined them for the exact thing which they was asking for advice on.
Yes, the fine has apparently been withdrawn, but how much time, money, and mental capacity did Kolibri Image have to spend dealing with this before the authority decided to drop it?
Relevant passage: "Discovery of the misdemeanor began with an email from another company to the Hessian Data Protection Commissioner, sent in May of last year, in which advice was requested regarding the failure of Kolibri Image in proving customer data, despite multiple requests being sent. Kolibri Image declined to cooperate, instead laying responsibility at the feet of another contractor."
The article is a bit hard to understand, but it seems that someone asked Kolibri to provide information on how 3rd party information was kept secured. Kolibri declined to answer saying that it was another contractor who was doing it. Reading between the lines, Kolibri seems to have asked for guidance on what to do, but did not receive guidance.
I have to say that I'm even less inclined to be sympathetic. It's a pretty blatant disregard for the GDPR. If you want guidance at that level, hire a lawyer. But in reality, there is no need for a lawyer: it is completely obvious that you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".
To be a bit more clear, I don't know what the authority could do to help resolve the compliance issue other than to say, "Yes, you have to comply with the law. Sorry that you thought you didn't have to". Is a 5000 euro fine justified -- even without having given guidance. IMHO, yes, however you can see that they thought they were in error and hence are reviewing the fine. The other blurb made it seem as if the compliance issue was only discovered because Kolibri asked what they should do. This article makes it more clear that it's just a normal complaint with a company doing everything in its power to avoid doing anything.
To be specific, this is mandated explicitly by the GDPR:
> the controller shall [ensure] to be able to demonstrate that processing is performed in accordance with this Regulation. [art.24]
> Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees [art.28]
> Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller [art.28]
[art.24] https://gdpr-info.eu/art-24-gdpr/
[art.28] https://gdpr-info.eu/art-28-gdpr/
In this case, the other company is also in Europe (Spain), so by law must abide by GDPR. It seems they didn't have a contract ready, and Kolibri didn't want to spend money on translating/creating a contract to Spanish.
From what I read from Kolibri themselves (https://kolibri-image.com/causa-datenschutz/), the "processing" was a company that bundles DHL package orders to get batch pricing. You send them the information, they send the order (together with other orders) to DHL, DHL picks up the package and you save on postage. Apparently, Kolibri wasn't sure whether that's actually data processing (but did mention them using the company for this particular reason in their privacy information, according to the Bavarian officials, it isn't). They asked the German branch of the company who said they wouldn't need a contract and subsequently referred them to HQ in Spain. They asked the Hessian official to make the company's German branch comply with GDPR and sign a data processing contract. Instead, the Hessians forwarded it to Hamburg.
Kolibri claims to have stopped using that company after hearing back from the Hessians, but forgotten to remove them from the privacy information on one website. If they are to be believed, they were told "you can't use them without a contract" and stopped using them.
The fine has since been withdrawn and the case was closed.
What you are seeing is french newspapers being especially interested in fines for big corporations, this is without a doubt a direct result of the current political situation in France.
I've tried to read two articles on it and they don't make sense.
It seems they stored data on users who closed their account to prevent money laundering, which is apparently fine if the bank actually blocks operation of those accounts according to one article.
But somehow this was not the case for those old accounts that were closed? How can you close an account but it's still an operational account? Like, was it still possible to send money to it etc.?
My guess is that the article is wrong and this was simply about them preventing legitimate users to close and then reopen a new account.
I have a hard time believing they were not allowed to keep that data for some time after acccount closing. It seems to be more about how it was used.
Then the user signed up again, enabling the same account.
The user then saw their old data hadn't in fact been deleted, and complained to the regulator.
>>Eine schwarze Liste für ehemalige Kundinnen und Kunden, gegen die keine Verdachtsmomente bestehen, ist rechtswidrig.
translated with deepl: >>A blacklist for former customers against whom there is no suspicion is unlawful.
Some of us argued that no, this is not the apocalypse, the law says that fines will be proportionate, and the various national agencies will work with you to ensure you are compliant. And unless you willfully do the kind of shady shit the law is meant to protect against, you're fine.
Seems we were right. This list looks pretty sane to me, with one exception.
250k€ for using the microphones of all users of an app to spy and determine if they were in a pub that showed football matches without a license. Fuck yeah.
400k€ for a hospital that had effectively unrestricted access to all patient files for all staff. Yes. What would the HIPAA-equivalent fine be?
1400€ for a police officer abusing systems doing lookups for personal gain. Yes.
170k€ for a school district allowing public access to personal data of all minor-aged students. Yes, yes, yes.
The one exception is the fine on Google in France. This is purely a political bullshit game over control and loss of control.
Arguably, and so far.
There are sites that just block requests from the EU, there's a difficult-to-measure chilling effect on small businesses, and just because nobody's been hanged over it in year one doesn't mean it won't be abused, oppressive, or have other negative unintended consequences in the future.
food safety regulations have a chilling effect on businesses that would try and sell arsenic-laced food.
dumping poisonous byproducts of a manufacturing process in a river will also net you a stomping by the society, another instance of a chilling effect of regulations.
i'm happy with these chilling effects, they relieve me of the need for constant vigilance. they enable our society to function. we do not need to fear for our mental of physical health and (private) lives all the time, we can focus on higher-order things instead.
Some did, at least for the first year. But some haven't.
The only sites that I've seen with this are local US news sites that don't even have to follow GDPR.
The other thing that seems to happen a lot is that people are looking for a stick - any stick - to beat GDPR with. The current top-voted comment - https://news.ycombinator.com/item?id=20279249 - is a prime example. These lists of fines often don't give context (which, to be clear, is a failing of the list too) and often when you dig into these things you'll find that the ruling is entirely sensible. People need to give a bit more credit to legal systems than to think "Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany" could possible be true. If a fine seems ridiculous, do a bit of digging before you take a short summary at face value, and you won't be left with egg on your face when people point out what actually happened.
For all the breathless reporting of how GDPR would ruin companies financially by levying fines on worldwide revenue, there is exactly one fine listed that exceeds 400k EUR. Granted, it's 50MM EUR to Google, but that's still a drop in the bucket compared to Google's worldwide revenue.
On the other hand, commenters below have pointed out that some private individuals have received fines in the hundreds to thousands of EUR for actions such as "using Cc instead of Bcc in emails" and "using a dashcam". I agree that these are privacy lapses but it's pretty unfortunate to see the power of the state used for these purposes rather than bringing serial data privacy abusers in line.
And the rules about international coordination mean other countries have to wait for Ireland in many cases.
Also there is this rule, that primarily responsibility is in the country where the corporation has their European legal headquarters, and for many the tis Ireland and the Irish government prefers getting 0.5% in taxes for those corporations over having issues with them and having them move to Malta or something.
I wish they would tell what the harm of both of those actually was.
The law regarding dash cams (if there is an explicit one, I don't know enough about the situation in Austria) might just declare it a privacy violation, and thus defer to the enforcement mechanisms created by GDPR.
> The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
- A police officer was fined for using his department's tools to get someone's private phone number for his personal use
- A rental agency was fined for leaving renter's private data (ids, etc) open to the public for six months after being notified of the vulnerability
- A company was fined because they were continuously filming their employees at work without explanation
- A political candidate misusing private citizen data for campaign purposes.
- Rental car companies tracking drivers by GPS without notifying them
- Hospital staff having fake doctor profiles to view unrestricted patient data
This is convincing me that GDPR is a great success.
[0] https://ico.org.uk/action-weve-taken/enforcement/
> The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
https://ico.org.uk/action-weve-taken/enforcement/?facet_type...
https://ico.org.uk/about-the-ico/news-and-events/news-and-bl...
On the other hand, what is permitted is dashcams with shock sensors and trigger buttons. The shock sensor gives you a good reason (very high probability of a crash).
Using the trigger button is okay if either there was a crash (or something illegal) or if you mask out any identifiable details about the car and person involved afterwards.
Generally, recording public spaces is illegal, if you setup a security camera on your property, you have to make sure it's not filming outside your property in an unreasonable manner (you may be allowed to film the sidewalk, for instance, if you suspect someone is salting your garden out of revenge, but only until you have proof and then you have to make sure to delete all non-essential footage).
Privacy in public space is an important right that doesn't exist in the US.
So you get their written consent, ask them if it is okay or take the risk that they will e.g. see themselves in your movie and force you to take it down. This fits with the general feeling that filming another person without asking is seen as extremely rude.
The key here is that people need to be recognizable, so pictures of crowds usually don’t count.
Certain architects can also forbid circulation of photographed versions of their building if it is central subject of the photograph — but I only know of one such thing.
Note that this all was enshrined in law way before GDPR.
Unless you stick your camera into other people’s faces without asking or plan to distribute your images on a bigger scale you will probably manage without ever hearing about these laws.
The act of recording isn't the problem but the retention of the data records. If you have no need to keep a recording of a day's video for any purposes, then that falls under the provisions of likely being exploited data (e.g.: being used to build a profile of a person's travels throughout the day, week, year, etc.).
In the sense of the allowances, it's about balancing the need of the data's use (e.g.: in car accidents) versus the privacy impacts to other individuals (e.g.: you post your dashcam footage to YouTube and don't obfuscate faces or license plates).
An example of this, pre-GDPR, was when Google was forced to obfuscate faces and license plates in Google Maps for Street View.
Insane.
This is slowly but surely being eroded also in Germany. Multiple cities are trialling full video surveillance to stop the terrorists.
e.g: Some USA towns have near 100% video surveillance through the Amazon doorbell cameras (Ring) of the town's inhabitants. Some content is publicly available, cops can also request it.
Then Amazon is posting captured video as Facebook advertisements to identify suspected thieves.
https://www.vice.com/en_us/article/pajm5z/amazon-home-survei...
Otherwise any fool can say that we should abolish privacy to punish group because they're bad. And indeed they've been saying that for decades.
These laws were changed in ~2018 in Austria.
That's one way to implement it, one can come up with many others.
There is a difference between taking a picture of your kid with someone in the background, and intentionally taking a picture of that person. And turns out that in practice, the law is able to distinguish those two even though technically they're quite similar.
Of course... different strokes. That’s why different countries exist.
If you view the world from the point of view of [rights I have] vs [rights I don't have], you may as well be a happy pig in a cage. This worldview is in fact fascist, because it implies that the state should "give" you rights (giving you this type of right means taking away someone's freedom).
The opposite view is giving you the freedom to do anything as long as you don't attack someone (physically) or steal from them. If you want to prohibit something you must have good reasons, not "let's give everyone rights" or "it makes people feel bad".
Having a "right to not be insulted" means that you don't have the freedom to insult. i.e. you have no freedom of speech. If you put emphasis on the "right", you view the world like the pig in a cage, if you put emphasis on the freedom side, the opposite.
(also probably existing law, not GDPR specifically: video surveillance has been fairly strictly regulated for a while)
I suspect something broader was involved here.
[0] Article 2(2): "This Regulation does not apply to the processing of personal data [...] by a natural person in the course of a purely personal or household activity"
For example, I recall reading about cases of renters finding out that the landlord has installed hidden cameras in the bedrooms and showers.
Yesterday I was walking on the side of the road and some girl was half way hanging out of the passenger window recording a video of the scenery. I was able to see her from a few hundred feet away.
Eventually the car intersected with me and I was in the line of sight of the video for a second or 2. Of course I made a stupid pose to photo bomb her video which I found hilarious while continuing my walk home.
But under GDPR, is she technically in violation for recording me without my consent? I can't imagine how any of that could really be enforced. What about all of those Youtubers who happen to record people in a busy place like NYC or Vegas. Do they really get written consent from 400-500 people in the background for 10 seconds of video?
In Germany for instance dashcams are perfectly legal, you only have conditions on what you can do with that footage afterwards, for instance posting it on Youtube or social media is a big no-no, and unlike Austria you're likely to get a warning in Germany instead of a fine [1].
[0] https://helpv2.orf.at/stories/1717004/index.html
[1] https://www.derstandard.de/story/2000092017999/erst-vier-str...
Note that laws written this way usually distinguish “taking photos” from “surveillance” - so mounting the camera on a street corner immediately changes the legal context. This may be why dash cams fall into the surveillance category in some places.
Panoramarecht means that the girl can film into a crowd or public space for her own reasons if she wants to. As long as she doesn't put one person in the center of the image or focuses on them in other ways, it's generally permitted.
There is also some more general law handling, if you posed for the picture, judges would generally agree that this constitutes consent to be recorded (a more recent case would the famous Angry German Hat Incident, in which a very angry right-wing man walked up to a camera team to complain about being recorded; the judge ruled that the camera team was justified in recording at first due to Panoramarecht and the man walking up to them, knowing they were recording, rightfully so, constituted consent to be recorded further).
Posing to a camera or walking up to it basically means consent in germany; you noticed the camera and you did take actions that would put you center in the image or make you a focus point.
2) As the linked news article says, Austria may be getting the balance between cautions and fines wrong, which is why they may face a case in EU.
> In Germany, for example, people use caution instead of punishment - which is why Austria may face an EU case.
Another EU country with a similar ban is Luxembourg.
How aware are EU drivers of these differences? Is it well known to those in places with less restrictive rules that their cameras could get them in a lot of trouble if they take them with them when they take a road trip that passes through other EU countries?
[1] https://www.express.co.uk/life-style/cars/998528/Dash-cam-ca...
At the end of March I drove across Europe from south of Spain, and had summer tyres on. The weather conditions were good, so I was fairly confident I would be ok without winter tyres, but a lot of European countries have laws requiring then at certain points of the year.
I knew in my destination country you needed winter tyres until April 1st, but I couldn't find anything clear on all the countries in-between. Austria was actually the toughest, my understanding is their laws are you need winter tires if the road conditions dictate you need them. In some cases snow chains can be used, but not on highways. But this was based on reading English forum posts from 10 years ago, so I have no idea if it's still correct. I tried to find something clear from an official authority (probably doesn't help I don't speak German) or an automobile association website, but couldn't.
Domain is owned by https://cronon.net/
> It was a camera recording the use of a car from the driver's point of view, which is illegal. Two people were reprimanded for using surveillance cameras for their own home without permission.
I assume "driver's point of view" means looking out of the front windshield? Is this not how dash cams are meant to be used? (On second though perhaps this is a translation issue... the article was in German). And then I assume the surveillance cameras were mounted outside and recorded people in public?
Both of the possible scenarios here seem pretty benign and ordinary by US standards.
https://edpb.europa.eu/about-edpb/board/members_en
>The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.
So, basically, only use open source datasets that come with contact information for every subject.
and
>The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
You can't just retain the database rows pertaining to accounts with current or likely litigation, but must choose the specific fields relevant to the nature of the dispute. Even the companies that successfully implemented propagation of deletion across their systems are probably going to get spanked for this one when some column in some backwater warehouse backup isn't strictly necessary for the precise claims in that account's lawsuit. Wow.
I hope this puts to bed suggestions that others were "overreacting" to GDPR, that there would be anything other than the meanest, most aggressive, most literal application to every case. Maybe this is a good thing! Maybe everyone needs the fear of God put into them. But I hope GDPR boosters who went around minimizing the threat to good-faith actors admit that they were wrong.
"the company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data."
"In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal."
"The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because - as it was established during the proceedings - the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons."
"While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so."
This is precisely the kind of crap GDPR was meant to address, and I very much like the decision made here.
EDIT: If I'm Googling correctly and found the correct company, then here's an extra irony: they actually offered services and advice to companies in preparing for GDPR coming into force. It's safe to say they were fully aware of the obligations under law when they performed data mining on government databases of entrepreneurs.
--
[0] - https://uodo.gov.pl/en/553/1009
What? No. Your first example talks about "open source datasets" -- no such thing exists for my personal data. If you've gathered my data you need to tell me why you gathered it. Dumping it into a dataset for other people to use is clearly not ok.
Your misdescribe your second example. Notice the company weren't fined just because they had the phone number. They were fined because they had the phone number, they were asked to delete it, and they declined to delete it. The company were not claiming they couldn't erase the phone number because it would be too hard. They were trying to say that they wouldn't erase it because they needed it for debt collection. The regulator disagreed.
Neither of these are good faith actors and these are exactly the kinds of data misuse I wanted GDPR to handle.
You can get liability insurance, but that's different (not legal fines but civil law damages).
What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.
Edit: the downvotes on this are coming in fast. Because you are downvoting it, you must know of a specific section of GDPR that requires warnings to be issued (otherwise you wouldn’t be downvoting it, right?). So, along with your downvote, please reply to this comment with a link to the specific section that requires warnings, and I will be happy to say that I am wrong.
We detached this subthread from https://news.ycombinator.com/item?id=20279385 and marked it off-topic.
Also, you claim that you marked it as “off topic” even though it clearly wasn’t.
I meant that we marked it off-topic internally in our system, not that that would be visible publicly. Sorry for the confusion.
If, out of all the cases that we do know whether warnings were issued, warnings were in fact issued in the vast majority of them (or even 100% of the known cases), then for a case where we don't know and have no reason to believe is special, isn't the reasonable assumption that it's not special and is no different from the other cases?
The point is, and no one has been able to refute this, that warnings are not required under GDPR. Even if they have issued warnings in most cases thus far, it is still early days. As these actions under GDPR become more common, there is no guarantee that even those countries that have been issuing warnings first will continue to do so. The enforcement of regulations that have the potential to generate massive revenue streams for government entities tends to become increasingly aggressive and creative as time goes on.
I don’t understand why anyone, even those in favor of GDPR, would attempt to refute the black and white text of the law. No warnings are required under GDPR, and thus the potential exists for fines to be issued without warning. There is no argument or opinion to be interjected here. This is a binary fact. Are warnings required? No, warnings are not required. It’s that simple.
It's why we have regulators, judges and magistrates - to apply judgement and proportionality. Sure there's a few headline cases of some absurdly harsh sentence - and just about always the details reveal there were a lot of very damning circumstances that make the sentence seem pretty reasonable.
Do US judges rubber stamp a maximum sentence each and every time? No. Does every visit by police result in prosecution? No. Is every warning and scaling mechanism offenders get in the US expressed perfectly in statute? No. Otherwise you would have fired all the judges as surplus to requirements.
You're just spreading FUD. Understand the legal system in Europe before spreading such rubbish.
So, by comparing this to legal situations where “it never happens” you are purposely misrepresenting the risk of receiving a fine under GDPR without any type of warning. While having an eighth of weed rarely if ever results in a 5 year sentence in the U.K., clearly not receiving a warning before being fined occurs quite frequently. You have made a false equivalence between these two things.
https://gdpr-info.eu/art-58-gdpr/
https://gdpr-info.eu/art-83-gdpr/
You also need to remember that if the regulator has got it wrong there is a remedy available for the person being fined.
About cannabis: generally the first offence will receive a warning unless there are aggravating factors. Police are expected to take an escalating approach: 1st offence = warning, 2nd offence = penalty notice for disorder (which doesn't result in a criminal record if it's paid), 3rd offence = arrest followed by caution or charge and prosecution.
Article 83 is basically a long list of reasons to avoid giving a fine but to give a warning instead.
ICO haven't yet released aggregate figures for GDPR, it's too soon. GDPR is a minor update of DPA, and they have released aggregate numbers on that for a while. Fines are levied in a tiny minority of cases. Warnings are far more common, as is steady escalation. The expectation here is the proportions will remain the same under GDPR.
On weed, actually no, because the default action for weed for the vast majority is just a warning. So no, it isn't clear that getting fined without warning first happens quite frequently, because that's also simply not true. You're very unlikely to see a court without a warning first.
It is not a minor update[1]. The Information Commissioner's Office is extremely aware and vexed, given the current state of affairs, that Data Protection Act 2018, needs to be aligned as closely to the GDPR to allow for information to flow freely after Brexit (Article 45)[2][3].
Furthermore, ICO has not been the epitome of a regulatory body enforcing the law to it's fullest extent, for which it has had the remit for ─ by stopping business' doing a runner or imposing maximum fines, neither has it had a good record on collecting the fines issued. Although, it has made a meal of some of the high profile rain-making cases which have already been in the public eye. It is ironic that there are no real details forthcoming from ICO and one has to resort to FoI requests to get any information on it's previous escapades under DPA 98![4]
[1] https://www.dpocentre.com/difference-dpa2018-and-gdpr/
[2] https://gdpr-info.eu/art-45-gdpr/
[3] https://ico.org.uk/for-organisations/data-protection-and-bre...
[4] https://www.theregister.co.uk/2018/05/25/millions_of_pounds_...
Clearly I am not calling GDPR (2016) a minor update of a subsequent law UK DPA (2018). That is UK's implementation of GDPR, which thanks to the stupidity that is Brexit may indeed have some issues interrelating with the EU. Probably the least of our issues, but still...
UK ICO's stance is fairly well known, but I don't think they can be held responsible for businesses that liquidate in the face of fine. That seems more likely to be an issue of UK company law.
You are confusing ICO's stance and responsibility with it's reluctance to enforce powers, which have already been granted to them by the government, in order to pursue negligent cases and collect fines under the UK law.
The Insolvency Service has general powers to investigate both insolvent and active companies, including those companies that undertake direct marketing activities. If a director has deliberately acted to the detriment of the company and/or its creditors, action may be taken against the directors under the Insolvency Act 1986 or the Company Directors Disqualification Act (CDDA) 1986.
It is not. Those terms have enough legal leeway to drive a truck through.
Why? Many of these summaries aren't official justifications of the fine, they're news clippings. What leads you to believe that if a warning was issued, the news would always mention it? They're not trying to justify the fine, they're trying to inform the public, and they can never include every detail, they always have to leave stuff out. What leads you to believe the news always mentions warnings if issued?
I don’t understand why anyone, even those in favor of GDPR, would attempt to refute the black and white text of the law.
Literally no one in this thread has attempted that, and you incessantly repeating this strawman is why you're being repeatedly downvoted.
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive
When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
A) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
e) any relevant previous infringements by the controller or processor;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
You're assigning a strawman to your downvotes. OP said "I expect" (not "There must have been"), and it is the usual procedure. It's not a _requirement_ as some bigger or more deliberate infringements may warrant an instant fine.
When you get to actual penalties, all EU law has the principle of proportionality under it, and has since about the sixties. I know it's written into some treaty or other. There's been countless appeals to the EU courts that some penalty or other was disproportionate.
I think that’s all anyone needs to know.
Also, the EU is not the US. There is a very different culture and jurisprudence when it comes to proportionality of laws. If the GDPR was a US law, then I would also be concerned about the penalty guidelines. But it's not a US law, so bringing a US-centric mindset to the discussion causes misunderstandings.
No, my initial comment on this issue was in reply to someone that said "I expect there would have been a warning given in that case before assessing a fine." [1]. This is an oft-repeated and entirely baseless sentiment that HN's resident GDPR defenders love to cite - it shows up in every one of these threads. That is why I was making it clear that in fact no warnings are required, and indeed as time goes on, few warnings are likely to be given.
[1] https://news.ycombinator.com/item?id=20279385
They didn't say warnings were required, they said that warnings were the norm. You haven't provided counter-examples to that claim, you're arguing against a straw-man argument that "warnings are required by the GDPR".
As an example outside GDPR, it is not required to give children warnings when they commit petty crimes (such as shoplifting) but that is the overwhelming norm in most countries. In this analogy, you're arguing that "most children don't get put in juvenile detention for shoplifting and get warnings instead" isn't true because there isn't a provision in the criminal code saying that children need to be given warnings.
> indeed as time goes on, few warnings are likely to be given.
This is an example of the "baseless sentiment" that you claimed you're trying to fight against. On what basis do you claim to know (or even conjecture) that "few warnings are likely to be given" in the future?
There are many examples of GDPR warnings being given. To me, it seems to be the norm -- if you have an actual counterexample (other than pointing out that warnings aren't required, despite now basically admitting that legally-mandated warning stages aren't common and so that entire line of argument seems to be a non-sequitur) I'd love to see it.
Sadly, it appears that warnings are not the norm. When you organize the data on this site by the size of fine, you’ll notice that none of the top 10 received any warning.
It seems possible that the largest fines were for the most severe transgressions, or for companies that are large enough to know better. In fact, the topmost example of Google's Android penalty is a prime example of both factors. So it's possible there is a statistical bias for larger fines to be for more severe cases where warnings make less sense.
There is no provision in road rules that says police officers should give warnings -- for exactly the same reason. Instead, it's purely up to the discretion of the police officer whether you get a warning or not. GDPR acts in exactly the same manner, but instead of it being individual police officers it's officers appointed for that role.
It's not in GDPR because it's part of EU law. Two parties to a case need to attempt to fix it before going to court. In the UK this is why you have letters before action setting out what you think your case is, how you want it to be fixed, and what you'll do if it isn't fixed. You don't just leap to issuing court papers straight away.
Edit: the downvotes on this are coming in fast. Because you are downvoting it, you must know of a specific section of GDPR that requires warnings to be issued (otherwise you wouldn’t be downvoting it, right?). So, along with your downvote, please reply to this comment with a link to the specific section that requires warnings, and I will be happy to say that I am wrong.
Nothing in the GDPR requires compulsory fines for every infraction. In fact, if you had read Chapter VI, Section 2, Article 58, 2(a)[0], you would know this.
[0] - https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
The OC comment was:
>I expect there would have been a warning given in that case before assessing a fine.
To which your initial retort was:
>What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.
When you started receiving the downvote storm is when you challeneged for proof that the GDPR requires warnings.
I gave a response that supports the OC's position, that a warning could and would be expected; not because of requirement but because it is up to the discretion of the supervisory authority.
After all, the initial challenge that was given to the OC was, "What makes you expect this?" was it not?
Now, it's your turn to disprove that a warning would be expected. I'll wait...
http://www.enforcementtracker.com/?imprint
If you put a website online you've got to put all your personal information in it.
Also, it doesn't have to be "all your personal information". Your Name is required and an address where you could be served with court papers. A P.O. box is not required, but the address where your company is located is fine. It doesn't have to be your private home address. An email address is required, but that again doesn't have to be your private one. It just has to work. A few other things are required, e.g. where your LLC is registered if it is an LLC.
Unfortunately, this does not include a lot of websites that most people would classify as private. For example, a blog still needs an Impressum.
In addition, you will even be classified as commercial, and therefore require an Impressum, if you don't make any money, for example if you use ads to (try to) pay the hosting cost.
> A P.O. box is not required
In fact, you'll have to pay a fine of usually 5000€ if you use a P.O. box without a summonable address.
If you have ads you make money. Just possibly less then you spent on hosting.
And yes that should have read "A P.O. is not sufficent.". Sorry for that mistake.