Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany.
"The fine was imposed against a private person who sent several e-mails between July and September 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list."
Poor guy.
This seems to be proof that the GDPR is being weaponized against people and organizations one doesn't like.
Without knowing the details, I can't say whether a €2000 fine was disproportionately onerous or a slap on the wrist.
https://www.businessinsider.com/nhs-trust-fined-for-leaking-...
The ICO might well consider a similar breach worthy of a bigger fine now.
It's almost like laws can work.
This is where Outlook with their *@outlook.com and apple’s new system really do shine.
Commiserations to those affected :(
https://www.rosepartner.de/blog/bussgeld-fuer-offenen-e-mail...
He was fined solely based upon the email addresses being visible to all recipients, not because of the content of his mails, said a spokesperson. However, he was a repeat offender in terms of privacy, who in the past was warned, then fined for similar stuff.
I'm a little bit torn on that one. The fine seems excessive for what he did (and the email addresses seem to be a list of already public journalist and press contacts) and it certainly looks like somebody in the govt got annoyed and threw the book at the guy in retaliation. Then again, he had ample warnings, and chose to ignore those warnings.
But using CC instead of BCC causes a massive leak of personal information, especially when either the subject being discussed or the people on the list are sensitive. In my life this has mostly been annoyance at large org stuff, but my wife has had this happen with a sensitive medical practice and we were not in the US so HIPAA did not apply.
I don't think fines are the only solution, of course. But I think fines should be on the table and it's easy for me to imagine a circumstance where 2k euro would be appropriate.
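As an added example (not code from the thread), here is a check that catches the exposure the fine was about, recipients readable by every other recipient through To/Cc, and a rewrite that moves every recipient to Bcc. The sample newsletter, its addresses and the five-recipient threshold are constructed assumptions.

```python
"""Flag and fix recipient-address exposure in an outgoing mailing (the
CC-instead-of-BCC mistake discussed above).  Added example, not code from
the thread; the sample message and the threshold are constructed."""
from __future__ import annotations

from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Assumption: more than this many addresses visible in To/Cc means a bulk
# mailing whose recipients can read each other's addresses.
MAX_VISIBLE_RECIPIENTS = 5

# Constructed sample: a small newsletter sent with every subscriber in Cc.
SAMPLE = """\
From: newsletter@example.org
To: newsletter@example.org
Cc: alice@example.net, bob@example.com, carol@example.org,
 dave@example.net, erin@example.com, frank@example.org
Subject: July newsletter
Content-Type: text/plain; charset="utf-8"

Hello everyone, here is this month's update.
"""


def parse_message(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text with the modern (non-compat32) policy."""
    return message_from_string(raw, policy=policy.default)


def _addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """Lower-cased addresses found in the given headers, in header order."""
    values: list[str] = []
    for name in headers:
        values.extend(str(v) for v in msg.get_all(name, []))
    return [addr.lower() for _display, addr in getaddresses(values) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read: To and Cc, minus the sender itself.
    Bcc is not included because the MTA strips it before delivery."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    return [a for a in _addresses(msg, "To", "Cc") if a != sender]


def hidden_recipients(msg: EmailMessage) -> list[str]:
    """Addresses carried only in Bcc."""
    return _addresses(msg, "Bcc")


def exposure_report(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Summarise how many third-party addresses the message discloses."""
    visible = visible_recipients(msg)
    return {"visible": len(visible), "exposed": len(visible) > limit,
            "addresses": visible}


def to_bcc(msg: EmailMessage) -> EmailMessage:
    """Return a copy with all recipients moved to Bcc.  The To header carries
    only the sender, so each recipient sees just the sender's address.
    smtplib.send_message() drops the Bcc header yet still delivers to it."""
    recipients = sorted(set(visible_recipients(msg) + hidden_recipients(msg)))
    safe = EmailMessage()
    safe["From"] = str(msg["From"])
    safe["To"] = str(msg["From"])
    safe["Subject"] = str(msg["Subject"])
    safe["Bcc"] = ", ".join(recipients)
    safe.set_content(msg.get_content())
    return safe


if __name__ == "__main__":
    original = parse_message(SAMPLE)
    print(exposure_report(original))   # six visible addresses -> exposed
    fixed = to_bcc(original)
    print(exposure_report(fixed))      # no visible third-party addresses
    print(fixed["Bcc"])
```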
The argument back then was that they were overreacting, that we didn't understand how Europe works, that you'd only get fined after repeated warnings about violating procedures etc.
I'm sure the private person was dumb for doing what he did, but that doesn't invalidate the general point: unless you're sure that you can afford making these kinds of mistakes, don't provide a service on the internet that might be used by EU citizens.
The benefits, whatever they might be, just don't justify the risks.
This site makes no mention of warnings and escalations, and ICO at least doesn't normally announce that for individual cases. Though they do put out aggregate stats. When they have, fines are clearly shown as arising in a small minority of cases.
DOT
sounds good
Seems like an appropriate fine. Or do you think I should be allowed to collect 150 e-mail addresses, then e-mail them out to all 150 other people, after some of them told me not to do that?
[1] https://www.rosepartner.de/blog/bussgeld-fuer-offenen-e-mail...
The sender is also non-repentant and is running some sort of hate campaign.
This isn’t a one time slip up, it’s a 10 times slip up and chances are there were a lot of warnings this guy didn’t want to listen to. So he was hit where it hurts. Poor guy, it’s like he was caught speeding ten times and then got fined.
In Poland we actually have a sort-of tradition, AFAIK started by one of computer security portals, where if you find yourself on the receiving end of such CC-instead-of-BCC, you kindly tell the company responsible that this can and should be picked up with data protection regulators, and it would be nice if they e.g. paid ~500-2k EUR equivalent to a charity of their choice.
I'm totally 100% in support of this against companies. Less so about private individuals, though a 150-people newsletter is kind of thought-out and organized thing, and then 2k EUR in Germany is probably less than a monthly paycheck. A hard hit, but survivable without loss of life quality.
The linked article suggests that the guy was sending out angry political rants and criminal accusations to thousands of people a day, which adds a further twist.
Nothing I've heard about this case sounds to me like an innocent mistake that a reasonable effort was made to correct.
I've accidentally smacked people on the street before (gesturing, probably). That's technically a crime, but it'd be crazy to prosecute me for a little mistake like that. But it's not crazy that hitting people is a crime and that people do get prosecuted for it in egregious cases.
I personally think ~$15 per leaked email is a reasonable fine. I bet this guy and everyone else who reads this article won't accidentally leak emails again, and that's great.
In fact, I'd argue that leaking an email that exposes a private association with a mailing list to other unknown people has much clearer potential for damage than any of the privacy issues that big companies get fined for. And yes, CC leaks do happen (not a lot, in my experience), but I'm personally upset about it every time - much more so than when I find out Google didn't get my consent before recording half of my internet activity. Just because the violation is something that "happens a lot" because it can be done by accident by a careless individual doesn't mean it's less serious.
If a behavior is harmful and we want to stop it, but it's difficult to prove direct damages and therefore civil suits have been ineffective at curbing the behavior, then it seems like a reasonable public policy to impose fines on engaging in the behavior without requiring actual damages be proven in court.
(And if it's easy to innocently accidentally engage in the behavior, it seems reasonable to first issue warnings, and then impose fines if the behavior continues repeatedly.)
Yes, proof of weaponized gdpr use indeed (for very specific filtering cases of gdpr use).
So if a EU citizen's email id was part of the list, will it be liable for action according to GDPR?
Well, against people who publicly share private info of 150 other people who trusted them with those emails. 2K euros is not that huge money in Germany, it's not like they'll lose their house over it, and that certainly is a practice that needs to be stopped. Just being an amateur is not an excuse when you deal with other peoples' data.
What didn't they like about this person, and what proved that to you? And what proved that was the impetus for this fine?
"The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent."
Such a website can have many uses:
- Show the average people why privacy is important with concrete examples
- Find previous rulings for people in a specific situation
- Stop (reduce) the "there is no way we're going to be sued for that" by the company's managers
My wish for that website is that in the future, the data is more easily readable and "big-data exploitable" (good luck with that)
Little things I can tell off the top of my head:
- the height of the fines is basically random, that makes scrolling cognitively heavy imo. Having (...) to click to expand long descriptions sounds fair I think
- it's not possible to link to a row (useful for giving examples to people)
- long descriptions deserve multiple paragraphs, they are hard to read as-is.
Also, I think negative rulings would be useful as well, though could send a different political message, so that's author's choice.
I was thinking the opposite. The fines listed are so low, that from a purely financial perspective complying doesn't seem to make much sense. I would estimate all GDPR compliance efforts I've been involved in to be more costly than the largest fine issued in Germany.
But then look at this example from Germany:
> Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.
The company emailed the authority asking for advice on how to deal with a service provider who didn't want to cooperate with GDPR, then the authority ignored the request, forwarded their information to another authority, which then fined them for the exact thing they were asking for advice on.
Yes, the fine has apparently been withdrawn, but how much time, money, and mental capacity did Kolibri Image have to spend dealing with this before the authority decided to drop it?
Relevant passage: "Discovery of the misdemeanor began with an email from another company to the Hessian Data Protection Commissioner, sent in May of last year, in which advice was requested regarding the failure of Kolibri Image in proving customer data, despite multiple requests being sent. Kolibri Image declined to cooperate, instead laying responsibility at the feet of another contractor."
The article is a bit hard to understand, but it seems that someone asked Kolibri to provide information on how 3rd party information was kept secured. Kolibri declined to answer saying that it was another contractor who was doing it. Reading between the lines, Kolibri seems to have asked for guidance on what to do, but did not receive guidance.
I have to say that I'm even less inclined to be sympathetic. It's a pretty blatant disregard for the GDPR. If you want guidance at that level, hire a lawyer. But in reality, there is no need for a lawyer: it is completely obvious that you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".
To be a bit more clear, I don't know what the authority could do to help resolve the compliance issue other than to say, "Yes, you have to comply with the law. Sorry that you thought you didn't have to". Is a 5000 euro fine justified -- even without having given guidance? IMHO, yes, however you can see that they thought they were in error and hence are reviewing the fine. The other blurb made it seem as if the compliance issue was only discovered because Kolibri asked what they should do. This article makes it more clear that it's just a normal complaint with a company doing everything in its power to avoid doing anything.
What you are seeing is French newspapers being especially interested in fines for big corporations; this is without a doubt a direct result of the current political situation in France.
all of France's fines were against large corporations
When determining the amount of the fine, the CNIL took into account the size (9 employees) and the financial situation of the company.
I've tried to read two articles on it and they don't make sense.
It seems they stored data on users who closed their account to prevent money laundering, which is apparently fine if the bank actually blocks operation of those accounts according to one article.
But somehow this was not the case for those old accounts that were closed? How can you close an account but it's still an operational account? Like, was it still possible to send money to it etc.?
My guess is that the article is wrong and this was simply about them preventing legitimate users to close and then reopen a new account.
I have a hard time believing they were not allowed to keep that data for some time after account closing. It seems to be more about how it was used.
Then the user signed up again, enabling the same account.
The user then saw their old data hadn't in fact been deleted, and complained to the regulator.
>>Eine schwarze Liste für ehemalige Kundinnen und Kunden, gegen die keine Verdachtsmomente bestehen, ist rechtswidrig.
translated with deepl: >>A blacklist for former customers against whom there is no suspicion is unlawful.
Some of us argued that no, this is not the apocalypse, the law says that fines will be proportionate, and the various national agencies will work with you to ensure you are compliant. And unless you willfully do the kind of shady shit the law is meant to protect against, you're fine.
Seems we were right. This list looks pretty sane to me, with one exception.
250k€ for using the microphones of all users of an app to spy and determine if they were in a pub that showed football matches without a license. Fuck yeah.
400k€ for a hospital that had effectively unrestricted access to all patient files for all staff. Yes. What would the HIPAA-equivalent fine be?
1400€ for a police officer abusing systems doing lookups for personal gain. Yes.
170k€ for a school district allowing public access to personal data of all minor-aged students. Yes, yes, yes.
The one exception is the fine on Google in France. This is purely a political bullshit game over control and loss of control.
Arguably, and so far.
There are sites that just block requests from the EU, there's a difficult-to-measure chilling effect on small businesses, and just because nobody's been hanged over it in year one doesn't mean it won't be abused, oppressive, or have other negative unintended consequences in the future.
food safety regulations have a chilling effect on businesses that would try and sell arsenic-laced food.
dumping poisonous byproducts of a manufacturing process in a river will also net you a stomping by the society, another instance of a chilling effect of regulations.
i'm happy with these chilling effects, they relieve me of the need for constant vigilance. they enable our society to function. we do not need to fear for our mental or physical health and (private) lives all the time, we can focus on higher-order things instead.
Some did, at least for the first year. But some haven't.
The only sites that I've seen with this are local US news sites that don't even have to follow GDPR.
The other thing that seems to happen a lot is that people are looking for a stick - any stick - to beat GDPR with. The current top-voted comment - https://news.ycombinator.com/item?id=20279249 - is a prime example. These lists of fines often don't give context (which, to be clear, is a failing of the list too) and often when you dig into these things you'll find that the ruling is entirely sensible. People need to give a bit more credit to legal systems than to think "Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany" could possibly be true. If a fine seems ridiculous, do a bit of digging before you take a short summary at face value, and you won't be left with egg on your face when people point out what actually happened.
For all the breathless reporting of how GDPR would ruin companies financially by levying fines on worldwide revenue, there is exactly one fine listed that exceeds 400k EUR. Granted, it's 50MM EUR to Google, but that's still a drop in the bucket compared to Google's worldwide revenue.
On the other hand, commenters below have pointed out that some private individuals have received fines in the hundreds to thousands of EUR for actions such as "using Cc instead of Bcc in emails" and "using a dashcam". I agree that these are privacy lapses but it's pretty unfortunate to see the power of the state used for these purposes rather than bringing serial data privacy abusers in line.
And the rules about international coordination mean other countries have to wait for Ireland in many cases.
Also there is this rule that primary responsibility is in the country where the corporation has their European legal headquarters, and for many that is Ireland, and the Irish government prefers getting 0.5% in taxes from those corporations over having issues with them and having them move to Malta or something.
I wish they would tell what the harm of both of those actually was.
> The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
- A police officer was fined for using his department's tools to get someone's private phone number for his personal use
- A rental agency was fined for leaving renter's private data (ids, etc) open to the public for six months after being notified of the vulnerability
- A company was fined because they were continuously filming their employees at work without explanation
- A political candidate misusing private citizen data for campaign purposes.
- Rental car companies tracking drivers by GPS without notifying them
- Hospital staff having fake doctor profiles to view unrestricted patient data
This is convincing me that GDPR is a great success.
> The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
https://ico.org.uk/action-weve-taken/enforcement/?facet_type...
https://ico.org.uk/about-the-ico/news-and-events/news-and-bl...
On the other hand, what is permitted is dashcams with shock sensors and trigger buttons. The shock sensor gives you a good reason (very high probability of a crash).
Using the trigger button is okay if either there was a crash (or something illegal) or if you mask out any identifiable details about the car and person involved afterwards.
Generally, recording public spaces is illegal; if you set up a security camera on your property, you have to make sure it's not filming outside your property in an unreasonable manner (you may be allowed to film the sidewalk, for instance, if you suspect someone is salting your garden out of revenge, but only until you have proof, and then you have to make sure to delete all non-essential footage).
Privacy in public space is an important right that doesn't exist in the US.
So you get their written consent, ask them if it is okay or take the risk that they will e.g. see themselves in your movie and force you to take it down. This fits with the general feeling that filming another person without asking is seen as extremely rude.
The key here is that people need to be recognizable, so pictures of crowds usually don’t count.
Certain architects can also forbid circulation of photographed versions of their building if it is central subject of the photograph — but I only know of one such thing.
Note that this all was enshrined in law way before GDPR.
Unless you stick your camera into other people’s faces without asking or plan to distribute your images on a bigger scale you will probably manage without ever hearing about these laws.
The act of recording isn't the problem but the retention of the data records. If you have no need to keep a recording of a day's video for any purposes, then that falls under the provisions of likely being exploited data (e.g.: being used to build a profile of a person's travels throughout the day, week, year, etc.).
In the sense of the allowances, it's about balancing the need of the data's use (e.g.: in car accidents) versus the privacy impacts to other individuals (e.g.: you post your dashcam footage to YouTube and don't obfuscate faces or license plates).
An example of this, pre-GDPR, was when Google was forced to obfuscate faces and license plates in Google Maps for Street View.
Insane.
This is slowly but surely being eroded also in Germany. Multiple cities are trialling full video surveillance to stop the terrorists.
e.g: Some USA towns have near 100% video surveillance through the Amazon doorbell cameras (Ring) of the town's inhabitants. Some content is publicly available, cops can also request it.
Then Amazon is posting captured video as Facebook advertisements to identify suspected thieves.
https://www.vice.com/en_us/article/pajm5z/amazon-home-survei...
These laws were changed in ~2018 in Austria.
(also probably existing law, not GDPR specifically: video surveillance has been fairly strictly regulated for a while)
I suspect something broader was involved here.
[0] Article 2(2): "This Regulation does not apply to the processing of personal data [...] by a natural person in the course of a purely personal or household activity"
Yesterday I was walking on the side of the road and some girl was half way hanging out of the passenger window recording a video of the scenery. I was able to see her from a few hundred feet away.
Eventually the car intersected with me and I was in the line of sight of the video for a second or 2. Of course I made a stupid pose to photo bomb her video which I found hilarious while continuing my walk home.
But under GDPR, is she technically in violation for recording me without my consent? I can't imagine how any of that could really be enforced. What about all of those Youtubers who happen to record people in a busy place like NYC or Vegas. Do they really get written consent from 400-500 people in the background for 10 seconds of video?
In Germany for instance dashcams are perfectly legal, you only have conditions on what you can do with that footage afterwards, for instance posting it on Youtube or social media is a big no-no, and unlike Austria you're likely to get a warning in Germany instead of a fine [1].
[0] https://helpv2.orf.at/stories/1717004/index.html
[1] https://www.derstandard.de/story/2000092017999/erst-vier-str...
Note that laws written this way usually distinguish “taking photos” from “surveillance” - so mounting the camera on a street corner immediately changes the legal context. This may be why dash cams fall into the surveillance category in some places.
Panoramarecht means that the girl can film into a crowd or public space for her own reasons if she wants to. As long as she doesn't put one person in the center of the image or focuses on them in other ways, it's generally permitted.
There is also some more general law handling: if you posed for the picture, judges would generally agree that this constitutes consent to be recorded (a more recent case would be the famous Angry German Hat Incident, in which a very angry right-wing man walked up to a camera team to complain about being recorded; the judge ruled that the camera team was justified in recording at first due to Panoramarecht and that the man walking up to them, knowing they were recording, rightfully so, constituted consent to be recorded further).
Posing to a camera or walking up to it basically means consent in Germany; you noticed the camera and you did take actions that would put you center in the image or make you a focus point.
2) As the linked news article says, Austria may be getting the balance between cautions and fines wrong, which is why they may face a case in EU.
> In Germany, for example, people use caution instead of punishment - which is why Austria may face an EU case.
Another EU country with a similar ban is Luxembourg.
How aware are EU drivers of these differences? Is it well known to those in places with less restrictive rules that their cameras could get them in a lot of trouble if they take them with them when they take a road trip that passes through other EU countries?
[1] https://www.express.co.uk/life-style/cars/998528/Dash-cam-ca...
At the end of March I drove across Europe from the south of Spain, and had summer tyres on. The weather conditions were good, so I was fairly confident I would be ok without winter tyres, but a lot of European countries have laws requiring them at certain points of the year.
I knew in my destination country you needed winter tyres until April 1st, but I couldn't find anything clear on all the countries in-between. Austria was actually the toughest, my understanding is their laws are you need winter tires if the road conditions dictate you need them. In some cases snow chains can be used, but not on highways. But this was based on reading English forum posts from 10 years ago, so I have no idea if it's still correct. I tried to find something clear from an official authority (probably doesn't help I don't speak German) or an automobile association website, but couldn't.
Domain is owned by https://cronon.net/
> It was a camera recording the use of a car from the driver's point of view, which is illegal. Two people were reprimanded for using surveillance cameras for their own home without permission.
I assume "driver's point of view" means looking out of the front windshield? Is this not how dash cams are meant to be used? (On second thought perhaps this is a translation issue... the article was in German). And then I assume the surveillance cameras were mounted outside and recorded people in public?
Both of the possible scenarios here seem pretty benign and ordinary by US standards.
>The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.
So, basically, only use open source datasets that come with contact information for every subject.
and
>The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
You can't just retain the database rows pertaining to accounts with current or likely litigation, but must choose the specific fields relevant to the nature of the dispute. Even the companies that successfully implemented propagation of deletion across their systems are probably going to get spanked for this one when some column in some backwater warehouse backup isn't strictly necessary for the precise claims in that account's lawsuit. Wow.
I hope this puts to bed suggestions that others were "overreacting" to GDPR, that there would be anything other than the meanest, most aggressive, most literal application to every case. Maybe this is a good thing! Maybe everyone needs the fear of God put into them. But I hope GDPR boosters who went around minimizing the threat to good-faith actors admit that they were wrong.
"the company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data."
"In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal."
"The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because - as it was established during the proceedings - the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons."
"While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so."
This is precisely the kind of crap GDPR was meant to address, and I very much like the decision made here.
EDIT: If I'm Googling correctly and found the correct company, then here's an extra irony: they actually offered services and advice to companies in preparing for GDPR coming into force. It's safe to say they were fully aware of the obligations under law when they performed data mining on government databases of entrepreneurs.
--
What? No. Your first example talks about "open source datasets" -- no such thing exists for my personal data. If you've gathered my data you need to tell me why you gathered it. Dumping it into a dataset for other people to use is clearly not ok.
You misdescribe your second example. Notice the company weren't fined just because they had the phone number. They were fined because they had the phone number, they were asked to delete it, and they declined to delete it. The company were not claiming they couldn't erase the phone number because it would be too hard. They were trying to say that they wouldn't erase it because they needed it for debt collection. The regulator disagreed.
Neither of these are good faith actors and these are exactly the kinds of data misuse I wanted GDPR to handle.
You can get liability insurance, but that's different (not legal fines but civil law damages).
http://www.enforcementtracker.com/?imprint
If you put a website online you've got to put all your personal information in it.
Also, it doesn't have to be "all your personal information". Your Name is required and an address where you could be served with court papers. A P.O. box is not required, but the address where your company is located is fine. It doesn't have to be your private home address. An email address is required, but that again doesn't have to be your private one. It just has to work. A few other things are required, e.g. where your LLC is registered if it is an LLC.
Unfortunately, this does not include a lot of websites that most people would classify as private. For example, a blog still needs an Impressum.
In addition, you will even be classified as commercial, and therefore require an Impressum, if you don't make any money, for example if you use ads to (try to) pay the hosting cost.
> A P.O. box is not required
In fact, you'll have to pay a fine of usually 5000€ if you use a P.O. box without a summonable address.
If you have ads you make money. Just possibly less than you spent on hosting.
And yes that should have read "A P.O. box is not sufficient.". Sorry for that mistake.