On Nov. 21 , the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) imposed the first fine under the GDPR in Germany. The fine was imposed on a social media company for a violation of its data security obligations. This is not the first GDPR-related fine in Europe which has become publicly known: the Austrian DPA imposed a €4,800 fine for illegal video surveillance activities, and a €400,000 fine was imposed in Portugal on a hospital after staff members illicitly accessed patient data. However, the current example from Germany provides further insights into how DPAs intend to use their new, heightened fining powers under GDPR.

Background

After a hacking attack on the social media company “Knuddels.de” in September this year, large amounts of users' personal data were compromised. The company reported that about 808,000 email addresses and passwords were affected, and that the attack ultimately resulted in the unauthorized disclosure of personal data of its users.

Following the hack, and upon becoming aware of the disclosure of personal data, the company reported the incident to the competent authority — the LfDI — in accordance with the GDPR’s breach notification requirements. Notably, there is no indication that the company unreasonably delayed its notification. Moreover, the company subsequently informed the concerned users directly about the incident.

Fine for storing passwords in plain text

During the course of the following investigation of the data breach it became apparent that the passwords of the users had been stored in unencrypted, plaintext format by the social media platform. The LfDI found that the company thereby infringed its obligation to guarantee the security of personal data under Article 32 (1)(a) of the GDPR. IAPP readers will no doubt be aware that this provision includes a requirement pseudonymise or encrypt personal data, but only “as appropriate.”

In its official press release, the LfDI stated: “By storing the passwords in plain text, the company knowingly violated its obligation to ensure data security pursuant to Art. 32 para. 1 lit a DS-GVO when processing personal data.”

However, it is unclear in the present case whether the LfDI applied a special German data protection provision (Section 43(4) German Federal Data Protection Act. That provision prevents facts disclosed in a data breach notification from being used in proceedings for administrative fines without the explicit consent of the data controller. The head of the LfDI, Stefan Brink, had repeatedly expressed his doubts as to whether the provision conforms to European law.

Relatively low fine

At first glance, the fine of 20,000 Euro imposed by the LfDI in the current case is relatively low, especially considering the maximum potential fine which could have been handed down under the GDPR — 10 million Euro or up to 2 percent of an organization’s total worldwide annual turnover.

However, according to the LfDI, the company benefited significantly from the fact that it contacted the LfDI directly after the hack and informed users immediately and comprehensively about the attack. The LfDI also highlighted the company's “exemplary cooperation” with its authority and the significant improvement of its level of IT security in the aftermath of the hack and investigation. Furthermore, LfDI took into account the company’s significant investment in the aftermath of the breach in updating its IT security measures, which totaled in the six-figure Euro range.

Brink said: “As a DPA it is not important for the LfDI to compete for the highest possible fines. What counts in the end is the improvement of data protection and data security for the users concerned.”

To read the official press statement of the LfDI (in German), click here.