Help, the fines are coming (after all)!

 July 25, 2019 | Blog

In the run-up to the General Data Protection Regulation ("GDPR"), privacy specialists ruffled feathers across Europe with statements about fines that could, potentially, be enormous. Companies, government institutions and even sports associations initiated intensive implementation processes. By the GDPR's first anniversary, the prophets of doom were not so sure of themselves. The authorities turned out to be reticent about imposing fines. Despite the long preparation period, organisations were given time to get their affairs in order. The fining policy rules issued by the Dutch Data Protection Authority ("DDPA") also provided a measure of reassurance. So there was cause to put things into perspective.

Although we still do not expect the DDPA to shoot from the hip, it has become apparent since early July that privacy regulations should indeed be taken seriously. The ICO, the UK's privacy watchdog, announced its intention to fine British Airways no less than GBP 183 million over a significant data breach caused by poor security. The HagaZiekenhuis hospital was also fined EUR 460,000 by the DDPA over the "Barbie incident".

British Airways
On 8 July 2019, the ICO announced that it intended to fine British Airways GBP 183 million. The reason was a security incident in which visitors to the airline's website were diverted to a fraudulent site. The incident affected the personal data of around half a million customers. The ICO's investigation found that the breach had been made possible by poor security arrangements within the company.

If the DDPA had investigated this incident, it seems that, based on its fining policy rules, it would 'only' have been able to impose a fine of EUR 120,000 to EUR 500,000 (the basic fine being EUR 310,000), unless there were extraordinary circumstances that would have rendered such a fine inappropriate. After all, the breach falls within the second fine category of Article 2 of the fining policy rules.

It is highly likely that British Airways' size played a role in determining the fine. However, in light of the Dutch policy rules, the fine imposed is still a substantial amount.

Marriott
Marriott, the international hotel chain, is facing a hefty ICO fine too. The ICO announced its intention to fine Marriott nearly GBP 100 million, again for a security incident. The incident, which probably ran from 2014 until its discovery in 2018, affected the personal data of over 339 million individuals.

Here, too, the fine is considerably higher than it would have been if the DDPA had imposed it on the basis of the fining policy rules.

The Barbie incident
Slowly but surely, fines are being imposed in the Netherlands, too. On 16 July 2019, the DDPA announced that in June it had imposed a fine of EUR 460,000 on the HagaZiekenhuis hospital because it had not sufficiently protected its patients' files. The hospital's security problems had come to light when it emerged that dozens of staff members had accessed the patient file of a reality-TV star known as "Barbie" without authorisation. The hospital must in any case ensure that:

  • there are regular checks on who accesses which file; and
  • there is at least two-factor authentication in place.

The HagaZiekenhuis has since announced that it will lodge an appeal against the fine.
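The first of those two measures, regular checks on who accesses which file, is what would have caught the incident early. Below is an added Python example (not code from the original post, the DDPA or the hospital) of such a check run over a constructed access log: it flags patient records opened by an unusually large number of distinct staff within a day, and lists accesses by staff who are not on the patient's care team. The log format, user and patient identifiers, care-team lists and the threshold of five distinct users are all assumptions made for illustration.

```python
"""Added example: audit an electronic-patient-record access log for the
"one file, many readers" pattern and for accesses outside the care team.
Log format, identifiers, care teams and thresholds are assumed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Constructed sample log (assumed format): timestamp user role patient action.
# P-30001 is an ordinary record; P-70777 is a record that many unrelated staff open.
SAMPLE_LOG = """
2019-04-02T08:05:11 u-1041 nurse      P-30001 view
2019-04-02T08:07:45 u-1041 nurse      P-30001 update
2019-04-02T09:12:03 u-2207 physician  P-30001 view
2019-04-02T11:40:00 u-5150 pharmacist P-30001 view
2019-04-02T10:02:30 u-1041 nurse      P-70777 view
2019-04-02T10:04:12 u-2207 physician  P-70777 view
2019-04-02T10:15:51 u-3310 admin      P-70777 view
2019-04-02T10:16:07 u-4412 nurse      P-70777 view
2019-04-02T10:21:44 u-4418 nurse      P-70777 view
2019-04-02T10:33:29 u-6001 lab        P-70777 view
2019-04-02T10:35:00 u-6002 lab        P-70777 view
2019-04-02T11:58:13 u-7720 porter     P-70777 view
2019-04-03T14:00:00 u-8801 nurse      P-70777 view
"""

# Assumed care-team assignment: which staff may open which record.
CARE_TEAMS: Dict[str, Set[str]] = {
    "P-30001": {"u-1041", "u-2207"},
    "P-70777": {"u-1041", "u-2207"},
}


class Access(NamedTuple):
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> List[Access]:
    """Parse the assumed whitespace-separated format, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        records.append(Access(datetime.fromisoformat(ts), user, role, patient, action))
    return records


def crowd_alerts(records: List[Access], window: timedelta = timedelta(hours=24),
                 max_distinct_users: int = 5) -> Dict[str, List[str]]:
    """Return {patient: sorted users} for every record opened by more than
    max_distinct_users distinct staff within any sliding window of `window`.
    The reported set is the largest one seen for that patient."""
    by_patient: Dict[str, List[Access]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_patient[r.patient].append(r)
    alerts: Dict[str, List[str]] = {}
    for patient, rs in by_patient.items():
        best: Set[str] = set()
        start = 0
        for end in range(len(rs)):
            while rs[end].ts - rs[start].ts > window:   # shrink window from the left
                start += 1
            users = {r.user for r in rs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) > max_distinct_users:
            alerts[patient] = sorted(best)
    return alerts


def unassigned_access(records: List[Access],
                      care_teams: Dict[str, Set[str]]) -> List[Access]:
    """Accesses by staff who are not on the patient's care team (assumed allowlist)."""
    return [r for r in records if r.user not in care_teams.get(r.patient, set())]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for patient, users in crowd_alerts(recs).items():
        print(f"ALERT {patient}: opened by {len(users)} distinct users: {', '.join(users)}")
    for r in unassigned_access(recs, CARE_TEAMS):
        print(f"UNASSIGNED {r.ts.isoformat()} {r.user} ({r.role}) -> {r.patient} {r.action}")
```

In the constructed log, P-70777 is opened by eight different staff members within two hours while only two of them are on its care team, so it trips both checks; P-30001 trips only the care-team check, for the single pharmacist access. Both checks are cheap enough to schedule daily, and the care-team check is the one that keeps working when the "crowd" is just a handful of curious colleagues.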

What's ahead?
More fines will undoubtedly follow. In that regard, it is interesting to see what our neighbouring countries are doing.

In Belgium, for example, a fine was imposed on a natural person - a mayor - because he allegedly used personal data for election purposes when he had received that data by reason of his office.

In Germany and Austria, too, natural persons can receive fines for breaching privacy legislation. For example, the use of dashcams on public roads is prohibited there, and it has already resulted in fines.

This shows that, even though there is only one regulation, the situation can be very different from one country to another. 
