Facebook's German unit has paid a fine of 51,000 euros for not properly appointing a data protection officer under the EU General Data Protection Regulation, a fine that may perk up the ears of companies that have not yet done so under their GDPR obligations.

The Hamburg Commissioner for Data Protection and Freedom of Information issued the fine against Facebook’s German subsidiary in December 2019. The Hamburg DPA’s annual report states it learned in March 2019 through a complaint that while Facebook appointed its data protection team from its Ireland headquarters as a DPO for all European subsidiaries, it did not communicate that to the authority.

The regulator's report states that the fine should be considered a warning for other companies, noting that appointing a DPO and notifying the local supervisory authority are obligations it takes seriously.

“Facebook Germany is a company with an annual turnover of around $35 million, whose business — in contrast to the parent company — is not the processing of personal data of users. Given the negligence of the breach and the fact that Facebook only failed to notify an already appointed data protection officer, the sanction is to be considered significantly dissuasive,” said Hamburg Commissioner for Data Protection and Freedom of Information Press Officer Martin Schemm, adding Facebook did not appeal the fine and payment has been made. “It is due to Facebook’s professional handling of the infringement that the fine was not significantly higher.”

Companies should be aware that even minor violations of privacy law can result in fines and brand damage, said Dyann Heward-Mills, CIPP/E, CIPP/US, CIPM, chief executive officer of London-based data protection consultants Heward Mills.

“It is important that multinational companies that operate in various jurisdictions understand and comply with the GDPR and the various nuances of data protection laws in the EU jurisdictions where they operate,” Heward-Mills said.

As new laws are enacted in other parts of the world, businesses also need to be prepared to allocate the necessary resources to comply from the time of implementation, she said.

“The financial and reputational risks associated with investigations and fines related to data protection violations are considerable. Businesses operating in an ever-changing landscape of data protection laws should be mindful of the challenges and seek to mitigate risks,” she said.

However, Allen & Overy Partner and IAPP Germany/DACH Country Leader Ulrich Baumgartner said a $50,500 fine for such a violation as this is “over the top and that’s due to Facebook.”

“They sort of took the hard line because it was Facebook. I wouldn’t rule out, however, that regulators in Germany would agree that they would not easily refrain from fining if there is a clear breach,” he said.

Baumgartner said companies should comply with all requirements under the GDPR, even the more administrative obligations. “That is clearly something that everybody needs to do,” he said, adding that when it comes to a large technology company like Facebook, regulators will “use every opportunity they can to harm these companies, whenever they can, on a national level.”

“For Facebook and others, that means whatever they do in Germany via their German entities, that it is high risk, that it’s scrutinized, and, as you can see here from this case, they will take the chance if they get it to impose a fine.”
