Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR
Here’s a more detailed analysis of the GDPR fine of 20,000€ levied against a German flirting site, knuddels.de. Dr. Henrik Hanssen and Dr. Stefan Schuppert write:
In the first fine issued by a German data protection authority under the European General Data Protection Regulation (“GDPR”), on 21 November 2018 the authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of Euro 20,000 on a social media provider for a violation of its data security obligations under Art. 32 of the GDPR. The company’s very good cooperation with the LfDI was key to avoiding a higher level of fines.
According to the press statement of the LfDI (in German), the Company contacted the LfDI with a data breach notification following a hacker attack in the summer of 2018. The attack resulted in the unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses.
After becoming aware of the incident, the Company immediately informed its users about the attack in a comprehensive and fully transparent manner (as per Art. 34 GDPR). In the proceedings with the LfDI, following the notification of the data breach to the regulator (as per Art. 33 GDPR), the Company disclosed its data processing and company structures as well as its own security failures to the LfDI in an “exemplary manner.” During this investigation, the LfDI became aware that the Company had stored the passwords in plain text and in an unencrypted format, which helped facilitate the attack.
Read more of their analysis on Hogan Lovells Chronicle of Data Protection. The analysis concludes with a few take-home lessons, including the value of cooperation and transparency.
The latter is something that this site has been particularly critical about in reviewing the incident response of a number of U.S. entities when breaches are disclosed. Consider the recent disclosure by Amazon, who did not explain anything about the “technical error” that resulted in customers’ names and email addresses being exposed and who simply ignored my inquiries to @Amazon and @AmazonHelp.
As consumers, we have no idea for how long this “technical” problem occurred, whether bad actors may have scraped our data, and whether our email addresses could be linked to our wish lists or orders on the site.
Will EU regulators look at the Amazon incident and decide to make an example of Amazon in terms of obligations under Article 34 of the GDPR?