250K Euros to LaLiga for their app that tries to find bars illegally broadcasting their games by sampling users' microphones once a minute. I remember, when it was discovered what it was doing, thinking this must be a massive GDPR issue. I'm a little bit surprised that the fine is this low:
"The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent."
To whoever did this: thanks!
Such a website can have many uses:
- Show the average people why privacy is important with concrete examples
- Find previous rulings for people in a specific situation
- Stop (reduce) the "there is no way we're going to be sued for that" by the company's managers
My wish for that website is that in the future, the data is more easily readable and "big-data exploitable" (good luck with that).
Little things I can tell off the top of my head:
- the height of the fines is basically random, which makes scrolling cognitively heavy imo. Having (...) to click to expand long descriptions sounds fair I think
- it's not possible to link to a row (useful for giving examples to people)
- long descriptions deserve multiple paragraphs, they are hard to read as-is.
Also, I think negative rulings would be useful as well, though could send a different political message, so that's author's choice.
If you look back at comments as GDPR was first coming into effect, you saw a lot of comments here along the lines of 'The EU doesn't want to fine anyone. They want you to become compliant, and will help you do so, and you won't be fined unless you were intentionally being non-compliant'
But then look at this example from Germany:
> Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.
The company emailed the authority asking for advice on how to deal with a service provider who didn't want to cooperate with GDPR, then the authority ignored their request, forwarded their information to another authority, which then fined them for the exact thing they were asking for advice on.
Yes, the fine has apparently been withdrawn, but how much time, money, and mental capacity did Kolibri Image have to spend dealing with this before the authority decided to drop it?
It's interesting how enforcement changes between countries. For instance, all the fines in Austria were for CCTV and dashcam use, all of France's fines were against large corporations, and the single fine Italy imposed was on the "Movimento 5 Stelle" political party.
The ICO maintains an official list of fines in the UK https://ico.org.uk/action-weve-taken/enforcement/?facet_type...
Can anyone explain the N26 case to me?
I've tried to read two articles on it and they don't make sense.
It seems they stored data on users who closed their account to prevent money laundering, which is apparently fine if the bank actually blocks operation of those accounts according to one article.
But somehow this was not the case for those old accounts that were closed? How can you close an account but it's still an operational account? Like, was it still possible to send money to it etc.?
My guess is that the article is wrong and this was simply about them preventing legitimate users from closing and then reopening a new account.
I have a hard time believing they were not allowed to keep that data for some time after account closing. It seems to be more about how it was used.
At the time of the GDPRpocalypse last year, there were a lot of discussions here, and a lot of FUD being slung around about how if your US website wasn't 100% GDPR-compliant you'd be handcuffed if you set foot in an EU airport bla bla bla, or that minor infractions would incur the maximum penalty of millions of euro, bankrupting your awesome adtech startup bla bla bla. Most of it was fueled by the clash between US and EU jurisprudence, the legal systems are actually pretty different.
Some of us argued that no, this is not the apocalypse, the law says that fines will be proportionate, and the various national agencies will work with you to ensure you are compliant. And unless you willfully do the kind of shady shit the law is meant to protect against, you're fine.
Seems we were right. This list looks pretty sane to me, with one exception.
250k€ for using the microphones of all users of an app to spy and determine if they were in a pub that showed football matches without a license. Fuck yeah.
400k€ for a hospital that had effectively unrestricted access to all patient files for all staff. Yes. What would the HIPAA-equivalent fine be?
1400€ for a police officer abusing systems doing lookups for personal gain. Yes.
170k€ for a school district allowing public access to personal data of all minor-aged students. Yes, yes, yes.
The one exception is the fine on Google in France. This is purely a political bullshit game over control and loss of control.
Something I often see in discussions about GDPR on HN is that the law is vague. A hugely valuable comment on a previous GDPR discussion (which unfortunately I've been unable to track down) pointed out a marked difference in style between US and EU law. In the US, laws are usually very detailed and explicit about what will happen in all cases. If that's what someone is expecting, EU law is indeed very vague - because the underlying idea is that judges are trusted to interpret law in the context of constitutions, precedent and so on. EU citizens are much more used to this kind of language, so many of the discussions on here are people shouting past each other because there's a more fundamental issue about the way laws are phrased. If you're in the US and want to quibble with the language, please bear in mind the broader context of EU law. And if you're in the EU please bear in mind that people in the US are used to much more explicit legal language. If we all did that some of the discussions on HN about GDPR might be more meaningful.
The other thing that seems to happen a lot is that people are looking for a stick - any stick - to beat GDPR with. The current top-voted comment - https://news.ycombinator.com/item?id=20279249 - is a prime example. These lists of fines often don't give context (which, to be clear, is a failing of the list too) and often when you dig into these things you'll find that the ruling is entirely sensible. People need to give a bit more credit to legal systems than to think "Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany" could possibly be true. If a fine seems ridiculous, do a bit of digging before you take a short summary at face value, and you won't be left with egg on your face when people point out what actually happened.
Perhaps this shouldn't be surprising, but what this site makes clear to me is that GDPR enforcement is more lax on major companies than many people expected, and more severe on private individuals.
For all the breathless reporting of how GDPR would ruin companies financially by levying fines on worldwide revenue, there is exactly one fine listed that exceeds 400k EUR. Granted, it's 50MM EUR to Google, but that's still a drop in the bucket compared to Google's worldwide revenue.
On the other hand, commenters below have pointed out that some private individuals have received fines in the hundreds to thousands of EUR for actions such as "using Cc instead of Bcc in emails" and "using a dashcam". I agree that these are privacy lapses but it's pretty unfortunate to see the power of the state used for these purposes rather than bringing serial data privacy abusers in line.
Interesting one from Spain, accessing users' microphones to crowdsource public broadcast violations:
> The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
Glad to see some enforcement. Reputable companies have used resources ensuring compliance. Good to see it hasn't been wasted.
Does anyone know of a similar list for ADA violations?
Many people are complaining about some fines, but here are some others I see that are evidence of this working extremely well:
- A police officer was fined for using his department's tools to get someone's private phone number for his personal use
- A rental agency was fined for leaving renters' private data (IDs, etc.) open to the public for six months after being notified of the vulnerability
- A company was fined because they were continuously filming their employees at work without explanation
- A political candidate misusing private citizen data for campaign purposes.
- Rental car companies tracking drivers by GPS without notifying them
- Hospital staff having fake doctor profiles to view unrestricted patient data
This is convincing me that GDPR is a great success.
Weird there are no fines in the UK.
The fact that someone was fined for using a dashcam is beyond absurd.
No HTTPS?
Why are there so many violators marked as "unknown"? Is that from the sanction being redacted or the aggregator's lack of information? The header paragraph states that not all violations are made public, but the ones that are made public can also be redacted?
How come The Netherlands does not appear in the list?
I was curious about the dashcam fine so I looked it up and it seems some very ordinary uses of cameras are violating GDPR:
> It was a camera recording the use of a car from the driver's point of view, which is illegal. Two people were reprimanded for using surveillance cameras for their own home without permission.
I assume "driver's point of view" means looking out of the front windshield? Is this not how dash cams are meant to be used? (On second thought, perhaps this is a translation issue... the article was in German.) And then I assume the surveillance cameras were mounted outside and recorded people in public?
Both of the possible scenarios here seem pretty benign and ordinary by US standards.
Maybe I’m just looking at a wrong place but can you tell me what currency is used in fines? I’m assuming it’s EUR but wanted to double check.
Looks like there may be a data entry error for Czech Data Protection Auhtority (UOOU) summaries. They may have mis-spelled authority.
There sure are a lot of political parties, and not many big tech companies in that list.
What do you do if e.g. Instagram ignores your GDPR requests? I have sent them multiple emails about misuse of my personal data and they only replied with a template that didn't address my emails?
Two of these are much more intense than I would have guessed:
>The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.
So, basically, only use open source datasets that come with contact information for every subject.
and
>The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
You can't just retain the database rows pertaining to accounts with current or likely litigation, but must choose the specific fields relevant to the nature of the dispute. Even the companies that successfully implemented propagation of deletion across their systems are probably going to get spanked for this one when some column in some backwater warehouse backup isn't strictly necessary for the precise claims in that account's lawsuit. Wow.
I hope this puts to bed suggestions that others were "overreacting" to GDPR, that there would be anything other than the meanest, most aggressive, most literal application to every case. Maybe this is a good thing! Maybe everyone needs the fear of God put into them. But I hope GDPR boosters who went around minimizing the threat to good-faith actors admit that they were wrong.
Does enforcement change behavior? I guess time will tell. But I do expect some insurance companies will start selling GDPR coverage policies soon.
Oh wow
Is this meant to help increase IT investment in the EU? If so, it may not work. The message people get is "GTFO".
I expect there would have been a warning given in that case before assessing a fine.
What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.
Edit: the downvotes on this are coming in fast. Because you are downvoting it, you must know of a specific section of GDPR that requires warnings to be issued (otherwise you wouldn’t be downvoting it, right?). So, along with your downvote, please reply to this comment with a link to the specific section that requires warnings, and I will be happy to say that I am wrong.
Germany and this ridiculous requirement:
http://www.enforcementtracker.com/?imprint
If you put a website online you've got to put all your personal information in it.
Wow. Here's a crazy one:
Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany.
"The fine was imposed against a private person who sent several e-mails between July and September 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list."
Poor guy.
This seems to be proof that the GDPR is being weaponized against people and organizations one doesn't like.