In July 2017, I wrote about GDPR and HITEC and asked if the past could predict the future. At the time, GDPR had not yet gone into effect. Now that it has been active for over a year, let’s take stock at what’s occurred.
First, a quick refresher: GDPR implements a two-tiered approach to categorizing violations and related fines. The most significant breaches can result in a fine of up to 4 percent of a company’s annual global revenue, or €20 million (whichever is greater).
These higher-tier violations include failing to obtain the necessary level of customer consent to process data, failing to permit data subjects to exercise their rights including as to data erasure and portability, and transferring personal data outside the EU without appropriate safeguards.
For less serious violations, which include failing to maintain records of customer consent or failing to notify the relevant parties when a data breach has occurred, the maximum fine is limited to 2 percent of annual global revenue, or €10 million (whichever is greater).
Rising Complaints & Notifications
The first year’s snapshot from May 2019 of the Data Protection Commission (DPC) demonstrates that GDPR has given rise to a significant increase in contacts with the DPC over the past 12 months:
- 6,624 complaints were received.
- 5,818 valid data security breaches were notified.
- Over 48,000 contacts were received through the DPC’s Information and Assessment Unit.
- 54 investigations were opened.
- 1,206 Data Protection Officer notifications were received.
In my first article, I discussed Memorial Healthcare System’s breach and resulting settlement of $5.5 Million USD. Now, let’s look at the first round of investigations under GDPR.
High-Profile Breaches: 2018-19 Edition
Marriott. In December 2018, news of Marriott’s massive breach hit. Upon receiving Marriott’s breach report in September 2018, the International Commissioner’s Office (ICO) — the UK’s GDPR supervisory authority — launched an investigation.
When a data breach is experienced that results in the exposure of EU citizen’s data, the breach must be reported to ICO within 72 hours of discovery. ICO investigates data breaches to determine whether GDPR rules were violated, as well as complaints about GDPR violations from consumers.
In July 2019, the ICO announced that it plans to fine the hotel chain $123 million USD. Marriott said it plans to appeal the decision.
Bergen, Denmark. One file in the wrong place landed the municipality of Bergen in Denmark in trouble. Computer files containing login credentials for 35,000 students and employees were insufficiently secured and accessed.
Per the European Data Protection Board, “the lack of security measures in the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools.” As a result, the Norwegian Data Protection Authority fined the municipality of Bergen
British Airways. This is the largest fine to date, with an overwhelming price tag of £183.4m or $223.4M USD. After an extensive investigation, the ICO concluded that information was compromised by “poor security arrangements” at British Airways. This relates to security around log in, payment card, and travel booking details, as well name and address information.
Sergic. France’s data protection agency, CNIL, found that real estate company Sergic knew of a vulnerability in its website for many months and did not protect user data. This data contained identity cards, tax notices, account statements and other personal details. The fall out? A €400,000 fine (roughly $445,000 USD).
Haga Hospital. Now looking at healthcare, Haga Hospital in the Netherlands was hit with a €460,000 fine ($510,000 USD) for breaching data confidentiality. This investigation followed when it appeared that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person.
In my previous article, I wrote, “other industries you may not think about, such as airlines, car rentals and hotels which allow booking from the internet may be impacted. Will the HITECH Act fines become the harbinger of much larger fines to come?”
We can see that this prediction was spot on. Some of the largest fines to date are pointing at airlines and hotels and the travel industry. I predict in the next year, we will start to really see the various agencies in the EU continue to ramp up fines, including cross border/international ones.
CCPA is Almost Upon Us
Now, for the U.S.: California’s new Consumer Privacy Act (CCPA) goes into effect in January 2020. Will the state start rolling fines out like those imposed under GDPR?
If you’re an international company withany U.S. based customers, it’s pretty likely that you’ll have Californians in your database. The CCPA focuses almost entirely on data collection and privacy, giving Californians the right to access their personal information, ask whether it’s being collected or sold, say no to it being collected or sold and still receive the same service or price even if they do say no.
Come January 2020, you’ll either have to meticulously segment your database by state to create separate procedures for Californian citizens (and EU ones for that matter), or you’ll have to implement different data collection and privacy procedures for all your customers going forward.
With all of the new privacy rules coming and fines that are already starting to hit from GDPR, what will you do to maintain all the laws of the world to keep your customers safe?