On 22 November 2018, the Baden-Württenberg Data Protection Authority (LfDI) announced, with a press release available here in German, of having imposed a € 20.000 sanction on the chat site Knuddels.de, for breach of Art. 32 of the GDPR.
Knuddels is an online chat service that was popular in the 2000s, before the Facebook era. In September, Knuddels (literally “cuddles”), suffered the leak of almost 2 million usernames and passwords and more than 800 thousand e-mail addresses, in addition to places of residence and other types of data. The investigators believe that this massive data breach was caused by the lack of adequate security measures for data protection (for example, it seems that passwords were stored in plaintext).
The hackers then published the stolen data of the users online, on the sharing/hosting sites Pastebin and Mega. Once the unauthorized access had been detected, Knuddels promptly informed its users and the Data Protection Authority of the incident and strengthened its IT infrastructure to increase data security.
According to the German privacy watchdog, the violation of Article 32 of the GDPR, which addresses the security of data processing, was caused by the lack of appropriate measures aimed at protecting user data.
Knuddels’ collaborative behaviour during the unfortunate incident played a key role in deciding the amount of the penalty. In essence, the LfDI used the stick and carrot approach: it sanctioned Knuddels, but at the same time it ‘rewarded’ it with a light sanction. In a notice, the Data Protection Authority said that: “Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack.”
This is the first sanction being imposed in Germany in accordance with the GDPR, and as such it sends a clear message throughout Europe as regards the concrete application of GDPR sanctions. However, doubts remain regarding the dissuasive power of a penalty that is much lower than the the maximum administrative sanction that the Regulation prescribes in Article 83 (4) for this type of violations, which is €10.000.000 or, for undertakings, up to 2% of the total annual worldwide turnover (whichever is higher).
On the other hand, it sends out a different message: collaboration and transparency pay off. And this could prove to be a much more persuasive tool than the threat of severe penalties.
Until now, there have only been two other similar cases in Europe. The first case was that of the Portuguese hospital of Barreiro, which received a € 400.000 fine by the Comissão Nacional de Proteção de Dados (CNPD), the Portuguese Data Protection Authority, because unauthorized and non-medical staff had access to the patients’ medical records without their consent. In this case the CNPD, although Portugal has not yet implemented the GDPR at national level, has nevertheless based the sanction on its principles and provisions.
In particular, there are three different sanctions: two penalties amounting to €150.000 each for violating the principles of integrity, confidentiality and data minimization, and one amounting to €100.000 for not having implemented an adequate level of security in the processing of data.
The second case in Europe, was that of the Austrian Data Protection Authority (Datenschutzbehörde), which sentenced an entrepreneur to pay €4,800 for installing video surveillance cameras out of his store that recorded part of the sidewalk, in violation of the basic principles of data processing.
We are yet to see if the other Data Protection Authorities in Europe will follow the German example and and how they will interpret the application of GDPR sanctions.
Silvia Stefanelli
Alice Giannini