GDPR Penalties Prove Why Compliance Isn't Enough—And Why Companies Need Clarity
from the when-trying-to-comply-is-evidence-of-failing-to-comply dept
The legal uncertainty created by the General Data Protection Regulation (GDPR) is becoming so common, it’s starting to go unnoticed. In yet another recent example, Poland’s data protection authority (DPA), UODO (“Urząd Ochrony Danych Osobowych” in Polish), fined a European company over €220,000 for failing to comply with a GDPR requirement that companies provide individuals with privacy notices. While it hasn’t drawn considerable attention, this case could have considerable implications for many other European companies. The sanction cuts through expectations that data protection authorities (DPAs) will play a constructive role of both regulators and advisors under the GDPR, and it illustrates that the need to clarify the European privacy law is ever more urgent.
Bisnode, a European digital marketing company that specializes in data analytics, had collected and processed personal data from publicly available registers on six million individuals to provide creditworthiness scores to banks. The company used its access to the email addresses of about 679,000 users to inform them of the processing of their personal data—to which, out of a sample of 90,000 users, only 10 percent objected. But the operational costs of sending letters to the remaining 5.7 million users whose emails were unavailable would amount to €8 million of postal charges, an estimate which did not even include the related administrative costs. As a result, the company decided to publish a general statement on its website to alert the remaining data subjects. However, the Polish DPA decided that Bisnode did not go far enough in upholding its obligations under the GDPR.
The decision to sanction this company is misguided and sets a worrying precedent for two reasons. First, this penalty is a direct consequence of the privacy law’s vague provisions and misleading language, which EU policymakers must urgently clarify. Under Article 14 of the GDPR, organizations collecting and processing personal data must provide privacy notices directly to data subjects. But this obligation does not apply in case providing this information is “impossible, or would involve a disproportionate effort.” The Polish company thought it had fulfilled its obligations under the GDPR, as the exorbitant cost of reaching out to the remaining users could trigger this exception. But while accepting the company’s calculations, UODO regulators did not assess that €8 million would constitute a sufficiently “disproportionate effort.” What is more, because the GDPR is not prescriptive about how companies must provide users with information, UODO claimed that the law does not oblige them to inform users specifically via registered post. Hence UODO considered that a public statement was insufficient because the company could have used other solutions such as sending SMS messages, even though Bisnode did not have telephone numbers for everyone and the costs of doing so would have been high.
Second, this decision calls for a clarification of the role of DPAs under the GDPR. The company had taken a number of proactive steps to comply with the GDPR, yet UODO saw it as nothing more than proof that it was aware of its obligations and thus had intentionally violated them. DPAs should not impose penalties when there is ambiguity in the rules and companies are making an honest effort to comply. Instead, DPAs should play the role of educators so as to facilitate companies’ complex journey towards compliance. Before imposing penalties, they should take into account whether companies acted in good faith when establishing compliance strategies, the extent to which they have implemented compliance procedures internally, and the degree of interpretability of the provisions in question.
Many EU companies have yet to comply with the privacy law and do not expect that they ever will. EU policymakers should realize that the privacy law’s strict and complex requirements may be the main reason why. But the Polish decision shows that compliance may not even be enough. Companies cannot interpret unclear regulations, so they will continue to face unpredictable decisions. Even if a company appeals a decision, it will take time before the final outcome establishes jurisprudence.
EU policymakers and data protection authorities should focus on clarifying the legislation, specifying the technical requirements to provide information, and take into account the costs and difficulties compliance may impose on companies in some cases. Otherwise European businesses will continue to face difficulties interpreting and complying with the GDPR.
Eline Chivot is a senior policy analyst at the Center for Data Innovation, based in Brussels. Daniel Castro is the director of the Center for Data Innovation and vice president of the Information Technology and Innovation Foundation.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data protection, eu, gdpr, penalties, privacy
Companies: bisnode
Reader Comments
Subscribe: RSS
View by: Time | Thread
from the not-helping-your-case dept.
So let me get this straight: the EU busted a credit bureau on GDPR grounds, and you think that's a bad thing?!?
That's not how this works. If you want people to believe that the GDPR is bad, you have to show how it's harming sympathetic targets that didn't deserve it. A ruling like this, however technically flawed it may be, is more likely to draw cheers from the audience.
[ link to this | view in chronology ]
Re: from the not-helping-your-case dept.
A ruling like this, however technically flawed it may be, is more likely to draw cheers from the audience.
A point we make over and over again is that a huge problem is that people cheer on any damage to unsympathetic defendants/companies -- without recognizing how that will impact everyone else. Complaining about using this as an example only exacerbates that problem, and suggests we should allow awful precedents to be set, just because we don't like the company.
You can't honestly believe that's a good idea.
[ link to this | view in chronology ]
Re: Re: from the not-helping-your-case dept.
In fact, it's likely that they're starting with highly unsympathetic targets to get the precedent set to the sound of cheers. They do it enough, by the time they start attacking sympathetic targets, people will shrug and say "well, they broke the law, what did they expect?"
[ link to this | view in chronology ]
Re: from the not-helping-your-case dept.
Techdirt posts a lot of stories about unsympathetic people being subjected to unfair treatment by governmental entities. If I can see the problem with police confiscating a heroin dealer's car, I can see the problem with sanctioning a credit bureau for thinking that an 8 million euro cost satisfies the definition of "disproportionate effort."
[ link to this | view in chronology ]
Re: Re: from the not-helping-your-case dept.
I think to get a better understanding of whether it is disproportionate or not we'd need to know the revenue of the company involved. Here we are only given an absolute figure, not the 'proportion' that this figure represents of the companies revenue, on which to base a 'disproportionate' scenario on. You can't determing that with only the one number. I mean, if its a 1 million/year company, then it is disproportionate. However, if it is a 100 million euro/year company, then a one-off 8 million euro charge I would not view as disproportionate.
[ link to this | view in chronology ]
Re: from the not-helping-your-case dept.
I'd like to think Techdirt's audience is smarter than that.
[ link to this | view in chronology ]
Re: Re: from the not-helping-your-case dept.
He's not talking about the TD audience, he's talking about the gullible unwashed masses.
And he's right.
Look at all the laws sold to the public that will "only be used against bad guys".
RICO was only going to be used against organized crime. Now it's used to steal wallets on traffic stops.
Hell, look at the income tax - it was sold as only applying to the richest 6%.
[ link to this | view in chronology ]
10 percent‽
What do you mean "only"? The article said they got 12,000 objections, which is HUGE for an opt-out system. The usual expection is that "nobody" will read the legalese associated with an account and that very few people will ever take the time to go through some formal process of objecting (which is precisely why companies design opt-out systems). This proves otherwise.
Were these people part of an organized protest or what? That's 13.3% of people who received the presumably-boring-looking legal notice (despite spam filtering, address changes, etc.), then took the time to read and even respond to it. It's almost like we're talking about another planet. Marketers would kill for that response rate in other circumstances, and it absolutely justifies sending letters to everyone else. (Or, you know, not doing the things that people find objectionable.)
[ link to this | view in chronology ]
Let me see if I understand your point correctly. I burger breaks in to my file cabinet, steals a bunch of person data and then is only fined €220,000 for their criminal activity. A more appropriate sentence would be 5 to 10 in a place the sun don't shine.
[ link to this | view in chronology ]
Re:
I burger breaks in to my file cabinet, steals a bunch of person data and then is only fined €220,000 for their criminal activity.
Help me out here. How does one "steal" personal data?
[ link to this | view in chronology ]
Re: Re:
I like how we aren't even talking about meat sandwiches breaking and entering.
[ link to this | view in chronology ]
Re: Re: Re:
It's an iBurger. It's not really meat, just electronically simulated meat.
[ link to this | view in chronology ]
Oh, like Juggernaut from Deadpool 2.
[ link to this | view in chronology ]
Re: Re:
Interesting point.
"Identity Theft" - is it theft?
Is it "different" if you "steal" my identity to get credit cards instead of using that "stolen" information to cast votes on the FCC's page?
[ link to this | view in chronology ]
Re: Re: Re:
Taking data is like downloading a video file, the original is still in place, that is unless you stole a wallet or something.
Now using that information is not like copyright infringement. If I watch the movie, no one is harmed (don't get started on the creators, if I would never buy that video, they are not harmed). But with identity, the use does harm. Ruins credit score, creates debts in your name that are not yours, hurts reputation by posting to the FCC when you believe the opposite of what was posted in your name, etc..
[ link to this | view in chronology ]
Re: Re: Re:
Identity theft is a misnomer invented by banks to shift the blame to innocent victims of what used to be called fraud.
[ link to this | view in chronology ]
A more accurate term would be “identity fraud”, but as pointed out in a comment beneath mine, such a term is…unacceptable to financial institutions.
[ link to this | view in chronology ]
Or a comment above mine. Jeez, I have a bad sense of direction.
[ link to this | view in chronology ]
Re: Re:
If someone steals a folder full of printed pages that contain personal information (the file cabinet example) that is theft. That it happens to be personal info on the paperwork that was stolen is a bit of a stretch to call that "identity theft" but hey, whatever.
[ link to this | view in chronology ]
Re: Re: Re:
I've never followed an identity theft case. No idea what section of law it actually falls under. I suspect it's one of the "misrepresentation" areas, like using a fake ID at a bar.
I am curious about if there IS a difference based on "use".
If I "steal" a person's identity to impersonate that person to get credit in their name, is it legally different than if I do it to use their name... pretty much as a "bot" on a mass mailing.
Either way, I'm misrepresenting myself as that person. In the first case I'm truly causing harm as you noted.
In the second case, actual harm might be harder to prove. If I did the mailing stunt to a pile of child porn sites is it "worse" than if I did it to the FCC's complaint page?
Legally - obviously the porn example is worse. But in the eyes of the law?
[ link to this | view in chronology ]
MONEY, MONEY, MONEY
Now the real reason for the GDPR really comes out, it's all about getting money, out of their hands and into ours. There is no real concern for privacy, they are only looking for the next catchphrase to glom onto in order to extract more money out of the public and corporations.
[ link to this | view in chronology ]
This posting is so incredible dumb that I do not know where to start. I feel like I could spend a whole days responding to it but I don't have that time.
First of all I like the comment above mentioning about the opt-out rate of the persons who were actually contacted.
So just to get things right ("Bisnode, a European digital marketing company ... data analytics ... provide creditworthiness scores to banks.") we are speaking about profiling, right. So we might consider reading Art. 22 of the GDPR and notice for a moment that the bar for processing personal data raised somewhat.
Another thing that's important for me: "But the operational costs of sending letters to the remaining 5.7 million users whose emails were unavailable would amount to €8 million of postal charges, an estimate which did not even include the related administrative costs."
I will put this in other words: "When the company recognized that it didn't have a valid business case anymore they decided to give a fuck about the law."
-- "Second, this decision calls for a clarification of the role of DPAs under the GDPR."
The role is clear.
-- "DPAs should not impose penalties when there is ambiguity in the rules and companies are making an honest effort to comply."
And the company decides what this "honest" means, right? No, it is the DPA. The company is free to object the DPA's decision, right? You missed this point?
-- "Instead, DPAs should play the role of educators so as to facilitate companies’ complex journey towards compliance."
Not neccessary (and completly stupid idea). Companies are free to have as much Data Protection Officers as they like to educate them.
-- "But the Polish decision shows that compliance may not even be enough."
You should start to consider that they did not comply.
-- "Companies cannot interpret unclear regulations, so they will continue to face unpredictable decisions."
That's wrondg. They interpret unclear regulations all the time ... and (surprise!) always in their favour.
Finally I would like to ask a question: If the GDPR is so basically wrong, why can't you present examples with a real case?
Have fun!
[ link to this | view in chronology ]
Re:
you'll notice a trend where Mike and some of the posters bashing GDPR pick on some of the weaker comments.
[ link to this | view in chronology ]
There are companies out there with not-insignificant numbers of data subjects who have complied with the requirement to send out privacy notices to every single one of them. I know because I work for one of them. We have clients all over the world so goodness knows how much the postage cost for those whose email address is not on our records.
So the credit agency in question really has no excuse. It is possible to meet the requirements of Article 14 of the GDPR.
[ link to this | view in chronology ]
Works as designed
Although the GDPR has a couple of issues in relation with freedom of press, this case shows that the rules are working as intended. Credit rating agencies are of a fairly dubious nature, and their business practices often harm people with very little legal recourse. To a large extend, the GDPR can help to reign in those dubious practices, as most of the grounds under the GDPR that allows a company to process personal information are lacking. Since they have no direct relationship with the individuals they collect information about, they cannot justify it with 'needed to fulfil contract'; they most certainly lack 'freely given permission'; and with most agencies, there is also no 'legal obligation' to keep the information. I also don't think 'required to protect own significant interest' applies here. The only problem with the GDPR in this respect is that regulators in several countries are rather slow to act...
[ link to this | view in chronology ]
plan doesn't or plans don't
[ link to this | view in chronology ]
Re:
Oops, comment on wrong post
[ link to this | view in chronology ]
This is not a bug
It is definitely not a bug in the GDPR that it makes it difficult or impractical to scrape data off the net and sell it. Everyone affected by GDPR had literally years of warning. If it turned out that the company couldn't afford to maintain their scraped database and comply, that is a failure of their business plan, not of the GDPR.
Surely you can do better than this.
[ link to this | view in chronology ]