Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany.
"The fine was imposed against a private person who sent several e-mails between July and September 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list."
Poor guy.
This seems to be proof that the GDPR is being weaponized against people and organizations one doesn't like.
Without knowing the details, I can't say whether a €2000 fine was disproportionately onerous or a slap on the wrist.
https://www.businessinsider.com/nhs-trust-fined-for-leaking-...
The ICO might well consider a similar breach worthy of a bigger fine now.
This is where Outlook with their *@outlook.com and apple’s new system really do shine.
Commiserations to those affected :(
https://www.rosepartner.de/blog/bussgeld-fuer-offenen-e-mail...
He was fined solely based upon the email addresses being visible to all recipients, not because of the content of his mails, said a spokesperson. However, he was a repeat offender in terms of privacy, who in the past was warned, then fined for similar stuff.
I'm a little bit torn on that one. The fine seems excessive for what he did (and the email addresses seem to be a list of already public journalist and press contacts) and it certainly looks like somebody in the govt got annoyed and threw the book at the guy in retaliation. Then again, he had ample warnings, and chose to ignore those warnings.
But using CC instead of BCC causes a massive leak of personal information, especially when either the subject being discussed or the people on the list are sensitive. In my life this has mostly been annoyance at large org stuff, but my wife has had this happen with a sensitive medical practice and we were not in the US so HIPAA did not apply.
I don't think fines are the only solution, of course. But I think fines should be on the table and it's easy to me imagine a circumstance where 2k euro would be appropriate.
The argument back then was that they were overreacting, that we didn't understand how Europe works, that you'd only get fined after repeated warnings about violating procedures etc.
I'm sure the private person was dumb for doing what he did, but that doesn't invalidate the general point: unless you're sure that you can afford making these kinds of mistakes, don't provide a service on the internet that might be used by EU citizens.
The benefits, whatever they might be, just don't justify the risks.
Seems like an appropriate fine. Or do you think I should be allowed to collect 150 e-mail addresses, then e-mail them out to all 150 other people, after some of them told me not to do that?
[1] https://www.rosepartner.de/blog/bussgeld-fuer-offenen-e-mail...
The sender is also non-repentant and is running some sort of hate campaign.
This isn’t a one time slip up, it’s a 10 times slip up and chances are there were a lot of warnings this guy didn’t want to listen to. So he was hit where it hurts. Poor guy, it’s like he was caught speeding ten times and then got fined.
In Poland we actually have a sort-of tradition, AFAIK started by one of computer security portals, where if you find yourself on the receiving end of such CC-instead-of-BCC, you kindly tell the company responsible that this can and should be picked up with data protection regulators, and it would be nice if they e.g. paid ~500-2k EUR equivalent to a charity of their choice.
I'm totally 100% in support of this against companies. Less so about private individuals, though a 150-people newsletter is kind of thought-out and organized thing, and then 2k EUR in Germany is probably less than a monthly paycheck. A hard hit, but survivable without loss of life quality.
The linked article suggests that the guy was sending out angry political rants and criminal accusations to thousands of people a day, which adds a further twist.
Nothing I've heard about this case sounds to me like an innocent mistake that a reasonable effort was made to correct.
I've accidentally smacked people on the street before (gesturing, probably). That's technically a crime, but it'd be crazy to prosecute me for a little mistake like that. But it's not crazy that hitting people is a crime and that people do get prosecuted for it in egregious cases.
I personally think ~$15 per leaked email is a reasonable fine. I bet this guy and everyone else who reads this article won't accidentally leak emails again, and that's great.
Yes, proof of weaponized GDPR use indeed (for very specific filtering cases of GDPR use).
So if a EU citizen's email id was part of the list, will it be liable for action according to GDPR?
Well, against people who publicly share private info of 150 other people who trusted them with those emails. 2K euros is not that huge money in Germany, it's not like they'll lose their house over it, and that certainly is a practice that needs to be stopped. Just being an amateur is not an excuse when you deal with other peoples' data.
What didn't they like about this person, and what proved that to you? And what proved that was the impetus for this fine?
"The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent."
Such a website can have many uses:
- Show the average people why privacy is important with concrete examples
- Find previous rulings for people in a specific situation
- Stop (reduce) the "there is no way we're going to be sued for that" by the company's managers
My wish for that website is that in the future, the data is more easily readable and "big-data exploitable" (good luck with that). Little things I can tell off the top of my head:
- the height of the fines is basically random, that makes scrolling cognitively heavy imo. Having (...) to click to expand long descriptions sounds fair I think
- it's not possible to link to a row (useful for giving examples to people)
- long descriptions deserve multiple paragraphs, they are hard to read as-is.
Also, I think negative rulings would be useful as well, though could send a different political message, so that's the author's choice.
I was thinking the opposite. The fines listed are so low, that from a purely financial perspective complying doesn't seem to make much sense. I would estimate all GDPR compliance efforts I've been involved in to be more costly than the largest fine issued in Germany.
But then look at this example from Germany:
> Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.
The company emailed the authority asking for advice on how to deal with a service provider who didn't want to cooperate with GDPR, then the authority ignored their request, forwarded their information to another authority, which then fined them for the exact thing which they were asking for advice on.
Yes, the fine has apparently been withdrawn, but how much time, money, and mental capacity did Kolibri Image have to spend dealing with this before the authority decided to drop it?
What you are seeing is French newspapers being especially interested in fines for big corporations, this is without a doubt a direct result of the current political situation in France.
all of France's fines were against large corporations
When determining the amount of the fine, the CNIL took into account the size (9 employees) and the financial situation of the company.
I've tried to read two articles on it and they don't make sense.
It seems they stored data on users who closed their account to prevent money laundering, which is apparently fine if the bank actually blocks operation of those accounts according to one article.
But somehow this was not the case for those old accounts that were closed? How can you close an account but it's still an operational account? Like, was it still possible to send money to it etc.?
My guess is that the article is wrong and this was simply about them preventing legitimate users to close and then reopen a new account.
I have a hard time believing they were not allowed to keep that data for some time after account closing. It seems to be more about how it was used.
Then the user signed up again, enabling the same account.
The user then saw their old data hadn't in fact been deleted, and complained to the regulator.
>>Eine schwarze Liste für ehemalige Kundinnen und Kunden, gegen die keine Verdachtsmomente bestehen, ist rechtswidrig.
translated with deepl: >>A blacklist for former customers against whom there is no suspicion is unlawful.
Some of us argued that no, this is not the apocalypse, the law says that fines will be proportionate, and the various national agencies will work with you to ensure you are compliant. And unless you willfully do the kind of shady shit the law is meant to protect against, you're fine.
Seems we were right. This list looks pretty sane to me, with one exception.
250k€ for using the microphones of all users of an app to spy and determine if they were in a pub that showed football matches without a license. Fuck yeah.
400k€ for a hospital that had effectively unrestricted access to all patient files for all staff. Yes. What would the HIPAA-equivalent fine be?
1400€ for a police officer abusing systems doing lookups for personal gain. Yes.
170k€ for a school district allowing public access to personal data of all minor-aged students. Yes, yes, yes.
The one exception is the fine on Google in France. This is purely a political bullshit game over control and loss of control.
Arguably, and so far.
There are sites that just block requests from the EU, there's a difficult-to-measure chilling effect on small businesses, and just because nobody's been hanged over it in year one doesn't mean it won't be abused, oppressive, or have other negative unintended consequences in the future.
food safety regulations have a chilling effect on businesses that would try and sell arsenic-laced food.
dumping poisonous byproducts of a manufacturing process in a river will also net you a stomping by the society, another instance of a chilling effect of regulations.
I'm happy with these chilling effects, they relieve me of the need for constant vigilance. They enable our society to function. We do not need to fear for our mental or physical health and (private) lives all the time, we can focus on higher-order things instead.
The only sites that I've seen with this are local US news sites that don't even have to follow GDPR.
The other thing that seems to happen a lot is that people are looking for a stick - any stick - to beat GDPR with. The current top-voted comment - https://news.ycombinator.com/item?id=20279249 - is a prime example. These lists of fines often don't give context (which, to be clear, is a failing of the list too) and often when you dig into these things you'll find that the ruling is entirely sensible. People need to give a bit more credit to legal systems than to think "Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany" could possibly be true. If a fine seems ridiculous, do a bit of digging before you take a short summary at face value, and you won't be left with egg on your face when people point out what actually happened.
For all the breathless reporting of how GDPR would ruin companies financially by levying fines on worldwide revenue, there is exactly one fine listed that exceeds 400k EUR. Granted, it's 50MM EUR to Google, but that's still a drop in the bucket compared to Google's worldwide revenue.
On the other hand, commenters below have pointed out that some private individuals have received fines in the hundreds to thousands of EUR for actions such as "using Cc instead of Bcc in emails" and "using a dashcam". I agree that these are privacy lapses but it's pretty unfortunate to see the power of the state used for these purposes rather than bringing serial data privacy abusers in line.
And the rules about international coordination mean other countries have to wait for Ireland in many cases.
Also there is this rule that primary responsibility is in the country where the corporation has their European legal headquarters, and for many that is Ireland, and the Irish government prefers getting 0.5% in taxes from those corporations over having issues with them and having them move to Malta or something.
I wish they would tell what the harm of both of those actually was.
> The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
- A police officer was fined for using his department's tools to get someone's private phone number for his personal use
- A rental agency was fined for leaving renters' private data (IDs, etc.) open to the public for six months after being notified of the vulnerability
- A company was fined because they were continuously filming their employees at work without explanation
- A political candidate misusing private citizen data for campaign purposes.
- Rental car companies tracking drivers by GPS without notifying them
- Hospital staff having fake doctor profiles to view unrestricted patient data
This is convincing me that GDPR is a great success.
> The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
https://ico.org.uk/action-weve-taken/enforcement/?facet_type...
https://ico.org.uk/about-the-ico/news-and-events/news-and-bl...
Insane.
This is slowly but surely being eroded also in Germany. Multiple cities are trialling full video surveillance to stop the terrorists.
e.g.: Some USA towns have near 100% video surveillance through the Amazon doorbell cameras (Ring) of the town's inhabitants. Some content is publicly available, cops can also request it.
Then Amazon is posting captured video as Facebook advertisements to identify suspected thieves.
https://www.vice.com/en_us/article/pajm5z/amazon-home-survei...
Yesterday I was walking on the side of the road and some girl was half way hanging out of the passenger window recording a video of the scenery. I was able to see her from a few hundred feet away.
Eventually the car intersected with me and I was in the line of sight of the video for a second or two. Of course I made a stupid pose to photobomb her video, which I found hilarious while continuing my walk home.
But under GDPR, is she technically in violation for recording me without my consent? I can't imagine how any of that could really be enforced. What about all of those YouTubers who happen to record people in a busy place like NYC or Vegas? Do they really get written consent from 400-500 people in the background for 10 seconds of video?
In Germany for instance dashcams are perfectly legal, you only have conditions on what you can do with that footage afterwards, for instance posting it on Youtube or social media is a big no-no, and unlike Austria you're likely to get a warning in Germany instead of a fine [1].
[0] https://helpv2.orf.at/stories/1717004/index.html
[1] https://www.derstandard.de/story/2000092017999/erst-vier-str...
Note that laws written this way usually distinguish “taking photos” from “surveillance” - so mounting the camera on a street corner immediately changes the legal context. This may be why dash cams fall into the surveillance category in some places.
Panoramarecht means that the girl can film into a crowd or public space for her own reasons if she wants to. As long as she doesn't put one person in the center of the image or focuses on them in other ways, it's generally permitted.
There is also some more general law handling: if you posed for the picture, judges would generally agree that this constitutes consent to be recorded (a more recent case would be the famous Angry German Hat Incident, in which a very angry right-wing man walked up to a camera team to complain about being recorded; the judge ruled that the camera team was justified in recording at first due to Panoramarecht, and the man walking up to them, knowing they were recording, rightfully so, constituted consent to be recorded further).
Posing for a camera or walking up to it basically means consent in Germany; you noticed the camera and you did take actions that would put you in the center of the image or make you a focus point.
2) As the linked news article says, Austria may be getting the balance between cautions and fines wrong, which is why they may face a case in EU.
> In Germany, for example, people use caution instead of punishment - which is why Austria may face an EU case.
Another EU country with a similar ban is Luxembourg.
How aware are EU drivers of these differences? Is it well known to those in places with less restrictive rules that their cameras could get them in a lot of trouble if they take them with them when they take a road trip that passes through other EU countries?
[1] https://www.express.co.uk/life-style/cars/998528/Dash-cam-ca...
Domain is owned by https://cronon.net/
> It was a camera recording the use of a car from the driver's point of view, which is illegal. Two people were reprimanded for using surveillance cameras for their own home without permission.
I assume "driver's point of view" means looking out of the front windshield? Is this not how dash cams are meant to be used? (On second thought, perhaps this is a translation issue... the article was in German.) And then I assume the surveillance cameras were mounted outside and recorded people in public?
Both of the possible scenarios here seem pretty benign and ordinary by US standards.
>The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.
So, basically, only use open source datasets that come with contact information for every subject.
and
>The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
You can't just retain the database rows pertaining to accounts with current or likely litigation, but must choose the specific fields relevant to the nature of the dispute. Even the companies that successfully implemented propagation of deletion across their systems are probably going to get spanked for this one when some column in some backwater warehouse backup isn't strictly necessary for the precise claims in that account's lawsuit. Wow.
I hope this puts to bed suggestions that others were "overreacting" to GDPR, that there would be anything other than the meanest, most aggressive, most literal application to every case. Maybe this is a good thing! Maybe everyone needs the fear of God put into them. But I hope GDPR boosters who went around minimizing the threat to good-faith actors admit that they were wrong.
"the company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data."
"In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal."
"The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because - as it was established during the proceedings - the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons."
"While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so."
This is precisely the kind of crap GDPR was meant to address, and I very much like the decision made here.
EDIT: If I'm Googling correctly and found the correct company, then here's an extra irony: they actually offered services and advice to companies in preparing for GDPR coming into force. It's safe to say they were fully aware of the obligations under law when they performed data mining on government databases of entrepreneurs.
--
What? No. Your first example talks about "open source datasets" -- no such thing exists for my personal data. If you've gathered my data you need to tell me why you gathered it. Dumping it into a dataset for other people to use is clearly not ok.
You misdescribe your second example. Notice the company weren't fined just because they had the phone number. They were fined because they had the phone number, they were asked to delete it, and they declined to delete it. The company were not claiming they couldn't erase the phone number because it would be too hard. They were trying to say that they wouldn't erase it because they needed it for debt collection. The regulator disagreed.
Neither of these are good faith actors and these are exactly the kinds of data misuse I wanted GDPR to handle.
You can get liability insurance, but that's different (not legal fines but civil law damages).
http://www.enforcementtracker.com/?imprint
If you put a website online you've got to put all your personal information in it.
Also, it doesn't have to be "all your personal information". Your Name is required and an address where you could be served with court papers. A P.O. box is not required, but the address where your company is located is fine. It doesn't have to be your private home address. An email address is required, but that again doesn't have to be your private one. It just has to work. A few other things are required, e.g. where your LLC is registered if it is an LLC.
Unfortunately, this does not include a lot of websites that most people would classify as private. For example, a blog still needs an Impressum.
In addition, you will even be classified as commercial, and therefore require an Impressum, if you don't make any money, for example if you use ads to (try to) pay the hosting cost.
> A P.O. box is not required
In fact, you'll have to pay a fine of usually 5000€ if you use a P.O. box without a summonable address.