August seems to have been a relatively quiet month for GDPR (General Data Protection Regulation) fines: according to the GDPR Enforcement Tracker, there were 20 in August totalling €271,600, although, as ever, it’s worth noting that not all supervisory authorities publicise the action they take and other incidents might come to light later. These numbers, then, are a minimum.
In this blog, as ever, we round up some of the most interesting GDPR compliance failures of recent weeks. This time: daily GDPR fines of 1 million Norwegian kroner for Meta Platforms, a fine of €22,500 for the Irish DOH (Department of Health) and a warning for the Lazzaro Spallanzani National Institute for Infectious Diseases.
Meta appeals Datatilsynet fine of 1 million kroner per day
Meta Platforms has asked a Norwegian court to overturn an order by the country’s data protection authority, Datatilsynet, fining it 1 million kroner (approximately €87,000) per day since 14 August for processing personal data in violation of the GDPR.
The fines are due to continue until 3 November.
On 17 July, Datatilsynet imposed a temporary ban on the owner of Facebook and Instagram “carrying out behavioural advertising based on the surveillance and profiling of users in Norway” – a practice Datatilsynet considered unlawful, based on a January decision by the Irish DPC (Data Protection Commission), Meta’s lead supervisory authority in the EU, and a subsequent ruling by the CJEU (Court of Justice of the European Union).
On 29 August, Reuters reports, Christian Reusch, a lawyer representing Meta Platforms, told the Oslo district court that the company had “already committed to ask for consent” from its users when using their personal data to determine the advertising content they saw, and that Datatilsynet had used an “expedited process” that didn’t give the company time to respond to the decision.
According to Reuters, the regulator told the court the following day “that it was unclear when, and how, Meta would seek consent from users and that, in the meantime, users’ rights were being violated”.
The commodification of personal data is central to big tech companies’ business models, with behavioural advertising – personalised advertising targeting individuals based on analysis of their online behaviour – a key source of revenue.
If the Norwegian court finds in favour of Meta, Datatilsynet could still refer its decision to the EDPB (European Data Protection Board). If the EDPB agrees with Datatilsynet’s ruling, the scope of the decision would expand to the rest of the EEA, which would have considerable implications for big tech companies operating in Europe.
Irish Department of Health fined €22,500
The Irish DPC (Data Protection Commission) has fined the DOH (Department of Health) €22,500 following an inquiry into the Department’s processing of personal data in relation to 29 litigation cases.
According to the DPC, it instigated its inquiry “following public allegations in 2021 that the Department had unlawfully collected and processed personal data about plaintiffs and their families in special educational needs litigation”.
The DPC’s investigation found that the DOH had lawfully asked the HSE (Health Service Executive) for information about services provided to plaintiffs, but had also “included broadly worded questions asking the HSE to share ‘any other issues HSE feels worth mentioning’”, which resulted in the HSE providing “sensitive information about the private lives of plaintiffs and their families”.
This included details about their “jobs and living circumstances, information about their parents’ marital difficulties and in one case, information received directly from a doctor about the services that were being provided to the plaintiff”.
There was no lawful basis for the Department to process this information and it was found to have infringed the GDPR’s principle of data minimisation by doing so.
The investigation also found that the DOH had infringed the GDPR’s transparency requirements because its privacy notice “did not convey the extent of information sharing that took place between the Department and the HSE”, and that it had failed in its obligation to process personal data securely, as required by Article 32(1), by not imposing suitable internal access restrictions in relation to the plaintiffs’ files.
As well as the €22,500 fine, the DOH was banned from processing the information in question and issued with a reprimand.
Italian data protection authority issues warning to institute for infectious diseases
Italy’s Garante per la protezione dei dati personali has ruled that Lazzaro Spallanzani National Institute for Infectious Diseases violated the GDPR’s requirements relating to processing personal data when trying to determine who to prioritise for monkeypox vaccinations.
Several complaints were made against the Institute regarding its vaccination procedure, which required people to fill in a questionnaire before they could book a vaccination and send their response to an internal email address.
According to GDPRhub, the questionnaire included several questions about patients’ sexuality and sex life. Health data and data about data subjects’ sexual orientation and sex life are special category data, as defined by Article 9 of the GDPR, which requires data controllers to take extra measures when processing them.
Although the Institute’s collection of data was deemed lawful, the lack of transparency about the processing was unlawful: Article 13 requires data controllers to provide data subjects with certain information about how their data is being processed. The Institute was found to have failed to provide this information.
Its use of an internal email address to collect questionnaires was also deemed to have offered an insufficient level of security, in contravention of Article 5’s requirement for appropriate technical and organisational security measures.
Accordingly, the Garante found the Institute in breach of Articles 13, 5(1)(a) and 5(1)(f) of the GDPR.
It classified the violation as minor and issued the controller a warning under Articles 52(2)(b) and 83(2).
Reflect – review – refresh
Whatever your current GDPR practices look like, it’s important to remember that GDPR compliance is an ongoing process.
To ensure you continue to meet your data processing obligations, you need to regularly reflect on the requirements that affect your organisation, review your data processing activities and then refresh your compliance programme accordingly.
IT Governance has been at the forefront of GDPR compliance solutions since it was introduced. In the past five years:
- More than 4,000 people have taken our GDPR training courses;
- We’ve delivered GDPR staff awareness training to more than 78,000 people;
- We’ve provided GDPR consultancy to more than 750 organisations;
- Hundreds of organisations have bought our GDPR books, documentation templates and toolkits; and
- Our parent organisation, GRC International Group, has been made an official partner of the European Centre for Certification and Privacy to support the implementation of Europrivacy™/® data protection services.
If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need.