The data protection authorities were also busy in August and imposed some very high fines. The fine of 290 million euros that the Dutch data protection authority imposed on the ride-hailing company Uber caused quite a stir. Also worth a look this month are the fines imposed in Belgium, Sweden and Spain, which contain some instructive details. The investigation into the fashion company Uniqlo Europe in Spain shows why the careless mistake of a single employee can become expensive for a company.
1. Uber: 290 million euros (Netherlands)
The Dutch data protection authority Autoriteit Persoonsgegevens (AP) has imposed a fine of 290 million euros on the ride-hailing service Uber. The reason for the fine: inadequate protection of the personal data of European Uber drivers that was transferred to Uber's US headquarters.
The investigation by the data protection authority followed complaints from more than 170 French Uber drivers. They had complained to the French human rights organization Ligue des droits de l'Homme (LDH) about Uber's data protection practices. The LDH then filed a complaint with the French data protection authority. As Uber's European headquarters are located in the Netherlands, the Dutch data protection authority was responsible for the investigation.
Among other things, Uber had collected sensitive information such as account and driver's license data, location data, photos, payment information, identification documents and, in some cases, criminal and medical data from drivers in Europe and stored it on servers in the USA.
The transfer of this sensitive data went on for more than two years. The safeguards that the GDPR requires for transfers of personal data to a third country (Chapter V GDPR) were not in place. The data protection authority classifies Uber's breach as serious.
Source: Fines imposed on Uber by the Autoriteit Persoonsgegevens
2. T-Mobile US: 60 million US dollars
The Committee on Foreign Investment in the U.S. (CFIUS) has imposed a fine of 60 million dollars (around 55 million euros) on the mobile communications company T-Mobile US.
The company failed to prevent and report unauthorized access to sensitive data, senior US officials told Reuters on August 14. In addition, T-Mobile US did not report some breaches quickly enough, which made the agency's investigation more difficult.
In a statement, T-Mobile explained that the merger with the US mobile carrier Sprint had caused technical problems that were quickly resolved. Specifically, there were several cases of unauthorized access to sensitive data between August 2020 and June 2021. According to the company, only a small number of requests from law enforcement authorities were affected.
This is the second multi-million fine for T-Mobile US this year. In April, the FCC had already imposed a fine of 80 million dollars (around 74.7 million euros) because the company had not adequately protected its customers' location data.
Reading tip: Current penalties for data protection violations in the USA
3. Apoteket AB and Apohem AB: SEK 37 million and SEK 8 million (Sweden)
The Swedish data protection authority Integritetsskyddsmyndigheten (IMY) has imposed fines of SEK 37 million (around EUR 3.26 million) on Apoteket AB and SEK 8 million (around EUR 705,000) on Apohem AB. The two companies had used the Meta Pixel on their websites and, over an extended period, transmitted personal data to Meta, including data that reveals health information.
Apoteket and Apohem had used Meta's Meta Pixel analytics tool on their websites from January 2010 to April 2022 to improve their marketing on Facebook and Instagram. The unintended transmission of personal data was triggered when the companies activated a new sub-function of the Meta Pixel.
Activating the Meta Pixel's "Automatic Advanced Matching" (AAM) function caused more data to be processed and transmitted to Meta than originally intended. AAM picks up customer identifiers such as e-mail address and phone number from forms on the page and sends them, hashed, alongside the tracked events, so that a purchase can be matched to an identifiable Meta user. Among other things, the companies transmitted data on purchases of over-the-counter medicines, self-tests, treatments for sexually transmitted diseases and sex toys. Such data can reveal information about a person's health or sex life and is therefore subject to special protection under Art. 9 GDPR.
IMY's investigation found that the companies had not taken appropriate technical and organizational measures to ensure an adequate level of protection for their customers' personal data. Only after the incident did both companies take several measures to improve compliance with data protection regulations: a comprehensive review of the cookies and analytics tools in use, employee training, and a new function that monitors data protection compliance in the marketing department.
Source: Notice of fine Integritetsskyddsmyndigheten against Apoteket AB
Source: Notice of fine Integritetsskyddsmyndigheten against Apohem AB
4. Uniqlo Europe: 270,000 euros (Spain)
A mishap with consequences: A former employee of the Japanese fashion company Uniqlo asked to be sent his payslip for July 2022. In addition to his own payslip, the PDF file he received contained the payslips of 446 other employees.
The investigation by the Spanish data protection authority Agencia Española de Protección de Datos (AEPD) established that the data breach had been caused by a human error in the HR department. The error was neither reported internally nor detected in time. Only when Uniqlo was informed of the complaint to the AEPD in April 2023 did the company recognize the incident as a security breach. The affected employees were not notified promptly either: the notification was only sent on May 4, 2023, after Uniqlo had learned of the complaint. Uniqlo stated that it had no indication that the data had been compromised or otherwise misused. Nevertheless, the company advised the affected employees to remain vigilant and to monitor their bank accounts for unusual activity.
The AEPD found that Uniqlo had violated several provisions of the GDPR:
- Article 5(1)(f) GDPR: Uniqlo breached the principle of confidentiality and integrity by disclosing the personal data of 447 employees through an improper transmission. The unauthorized disclosure of this sensitive information constitutes a serious breach, in particular because the data was not encrypted and was sent by email, increasing the risk of access by unauthorized third parties.
- Article 32 GDPR: Uniqlo had not taken appropriate technical and organizational measures to ensure an adequate level of protection. Despite the introduction of a security portal and an information security manual, the implementation of security protocols was clearly insufficient to prevent such a data breach. The training and data protection awareness of employees was not sufficient to minimize the risk of human error.
The fact that an employee committed the error does not relieve the company of its responsibility. According to the case law of the Spanish Supreme Court (STS No. 188/2022), a company remains liable even if the breach is due to the negligence of an employee.
The fine originally set by the AEPD, 450,000 euros, was reduced to 270,000 euros after Uniqlo acknowledged the violation. The company has since taken measures to prevent such an incident from occurring again.
Source: Notice of fine Agencia Española de Protección de Datos
5. Telecommunications company: 100,000 euros (Belgium)
On August 23, 2024, the Chambre Contentieuse of the Belgian data protection authority (Autorité de Protection des Données, APD) imposed a fine of 100,000 euros on an unnamed telecommunications company.
The company only responded 14 months after receiving a request for information from a customer. The delayed response led to the APD launching an investigation following a complaint from the person concerned.
The Chambre Contentieuse found that the company had violated Articles 12 and 15 of the GDPR by not properly granting the data subject's right of access.
Article 15 of the GDPR guarantees data subjects the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, as well as access to those data and additional information.
According to Article 12 of the GDPR, controllers must take measures to facilitate the exercise of data subjects' rights and respond to requests "without undue delay and in any event within one month".
The defendant had not responded to the access request within the period laid down in Article 12(3) GDPR. Moreover, the requested information was only provided to the complainant after repeated requests and while the proceedings were already under way.
When calculating the fine, the Chambre Contentieuse took into account that a violation of the right of access is generally to be classified as a serious violation. The delay of more than 14 months in responding to the access request was assessed as a continuing violation. It was also held against the company that a satisfactory response was only provided under pressure from the authority.