With the imposition of fines in the millions against large US companies, EU data protection authorities took a stand in September: which GDPR regulations Meta and Clearview AI have violated and what other companies can learn from this.
1. Meta Platforms Ireland Ltd: 91 million euros (Ireland)
On September 26, 2024, the Irish Data Protection Commission (DPC) imposed a fine of 91 million euros on Meta Platforms Ireland Limited (MPIL).
In March 2019, MPIL informed the DPC that passwords of social media users had inadvertently been stored in plain text. The passwords were neither encrypted nor otherwise cryptographically protected. Unauthorized third parties did not have access to the passwords.
The incident triggered an investigation by the DPC. This focused on whether MPIL had taken appropriate security precautions in its processing of user passwords and whether the company had fulfilled its obligations under the GDPR, in particular with regard to the documentation and reporting of data breaches.
The DPC investigation revealed several violations of the GDPR:
- Article 33(1) GDPR - MPIL did not immediately inform the DPC about the data breach in connection with the storage of user passwords in plain text.
- Article 33(5) GDPR - MPIL did not adequately document the data breach in connection with the storage of user passwords in plain text.
- Article 5(1)(f) GDPR - MPIL did not take appropriate technical and organizational measures to ensure the security of the user passwords, which could have impaired the integrity and confidentiality of the data.
- Article 32(1) GDPR - MPIL did not carry out an adequate risk assessment.
Source: DPC press release on the fine imposed on Meta Platforms Ireland Limited
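The Meta case turns on a single technical point: a password record at rest must not contain the password itself. The following is an added example (not code from the article, the DPC or Meta) that contrasts the plaintext record described above with a salted scrypt record from Python's standard library, and includes the audit check a reviewer would run over stored records. The scrypt parameters are assumed values for illustration.

```python
"""Added illustration: plaintext password storage (the failure mode in the
Meta case) beside salted scrypt hashing, plus an audit check that flags any
record still carrying the password verbatim. Not the article's or Meta's code.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt parameters for illustration; tune to your own hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DKLEN = 32


def store_plaintext(password: str) -> dict:
    """The anti-pattern at issue: the stored record is the password."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-user random salt and the scrypt digest, never the password."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"scheme": "scrypt", "salt": salt.hex(), "n": SCRYPT_N,
            "r": SCRYPT_R, "p": SCRYPT_P, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison against either record layout."""
    if record["scheme"] == "plaintext":
        # Kept only so the contrast is visible; this layout should not exist.
        return hmac.compare_digest(record["secret"], candidate)
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_reveals_password(record: dict, password: str) -> bool:
    """Audit check: does any stored field contain the password verbatim?"""
    return any(isinstance(v, str) and password in v for v in record.values())


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    bad = store_plaintext(pw)
    good = store_hashed(pw)
    print("plaintext record leaks password:", record_reveals_password(bad, pw))
    print("scrypt record leaks password:   ", record_reveals_password(good, pw))
    print("scrypt verify ok:", verify(good, pw), "wrong pw:", verify(good, "x"))
```

The audit function is the useful part for a defender: the same check can be run over database dumps, log lines or cache entries to detect the kind of inadvertent plaintext storage that triggered the DPC investigation.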
2. Clearview AI: 30.5 million euros (Netherlands)
The Dutch data protection authority "Autoriteit Persoonsgegevens" (AP) has taken action against the US company Clearview AI Inc. and imposed a fine totaling 30.5 million euros.
Clearview AI offers facial recognition software based on a database of more than 30 billion photos. These photos originate from public sources on the Internet such as social networks, news sites and public databases. Clearview AI uses this data to offer various personal identification services.
In its investigation, the data protection authority found that Clearview AI processed personal data of individuals residing in the Netherlands without a lawful basis. In particular, Clearview AI processed biometric data - a particularly sensitive category of personal data - without proper authorization or legal basis.
Clearview AI's violations concern several provisions of the General Data Protection Regulation, including:
- Articles 5 and 6 GDPR - Clearview AI processed personal data without a legal basis. This violates the principle of lawfulness, which is intended to ensure that processing takes place only on a permissible basis.
- Article 9 GDPR - Processing biometric data such as facial images without explicit consent or any other legal basis violates the prohibition on processing special categories of personal data.
- Articles 12 and 14 GDPR - Clearview AI did not sufficiently inform the data subjects about the processing of their personal data. The duties to inform are an essential part of the GDPR, ensuring transparency and guaranteeing the rights of data subjects.
- Article 15 GDPR - Clearview AI failed to comply with data subjects' requests for access to the data stored about them.
- Article 27 GDPR - Clearview AI has not appointed a representative in the European Union, although this is mandatory for companies that are not established in the EU but process data of EU citizens.
The fine reflects the various GDPR violations taken together. In addition to the financial sanction, Clearview AI was ordered by the AP to remedy the ongoing violations. In particular, this includes ceasing the unlawful processing of personal data and appointing a representative in the European Union.
Source: Fining notice from Autoriteit Persoonsgegevens against Clearview AI
3. TD Bank: 27,760,000 US dollars (USA)
On September 11, 2024, the Consumer Financial Protection Bureau (CFPB) issued a penalty notice against TD Bank, N.A. for serious violations of the Fair Credit Reporting Act (FCRA) and the Consumer Financial Protection Act (CFPA). TD Bank was ordered to pay a fine of 20 million US dollars. In addition, compensation of 7.76 million US dollars was ordered for affected consumers.
The CFPB's examination report uncovered several violations by TD Bank related to inadequate processing of loan and deposit accounts. In particular, the violations involved incomplete or inaccurate reporting of credit information to consumer credit reporting agencies (CRAs). This had serious consequences for the consumers concerned.
For example, TD Bank failed to correct incorrect or incomplete information on consumers' credit card accounts in a timely manner. In some cases, this resulted in consumers who had paid or settled their accounts in full continuing to be listed as defaulters.
The bank also failed to conduct adequate and timely investigations when consumers disputed their credit information. This included both direct disputes filed by consumers themselves and indirect disputes filed through consumer reporting agencies.
For many credit card accounts, the bank incorrectly reported the date of first default, resulting in negative entries remaining on consumers' credit reports for longer than permitted.
In addition to a civil fine of 20 million US dollars and compensation of 7.76 million US dollars for the consumers affected, TD Bank was given extensive conditions to improve its processes:
- The bank must ensure that incorrect information is corrected immediately.
- TD Bank needs to revise its dispute handling policies to ensure that investigations are conducted within the timeframes required by law.
- The bank must submit a comprehensive compliance plan with regular reporting to the Management Board within 90 days.
Source: Notice of fine from the Consumer Financial Protection Bureau against TD Bank
4. Enérgya-VM: 2.5 million euros (Spain)
The Spanish data protection authority "Agencia Española de Protección de Datos" (AEPD) initiated proceedings against Energya-VM Gestión de Energía, S.L.U. (hereinafter "Energya-VM") and imposed a fine in the amount of 2.5 million euros.
As early as 2019, Energya-VM was made aware through third-party reports of misleading and possibly illegal practices by the external service provider Nivalco. Nivalco had been commissioned by Energya-VM to acquire new customers. It turned out that Nivalco processed personal data, including bank details and other sensitive information, without an appropriate legal basis, in order to contact potential customers and persuade them to sign a contract with Energya-VM.
In its investigation, the AEPD found that Nivalco used the data of potential customers without first informing them sufficiently about the processing of their data (infringement of Article 13 GDPR).
Energya-VM was deemed the controller under the GDPR for the data processing carried out by Nivalco, although Nivalco was formally acting as a processor. The AEPD argued that Energya-VM exercised sufficient control over Nivalco's activities to be jointly responsible for the breaches.
Energya-VM was accused of not having taken sufficient measures to monitor Nivalco's compliance with data protection regulations. Despite repeated warnings and internal audits, no effective measures were taken to remedy the problematic practices. Energya-VM also failed to ensure that data subjects were transparently informed about the processing of their data, in particular when they were first contacted by Nivalco.
In addition to the fine, Energya-VM was ordered to take immediate measures to improve its data protection practices. These measures included the introduction of stricter controls on the activities of its service providers.
Source: Notice of fine Agencia Española de Protección de Datos against Energya-VM
5. Cegedim Santé: 800,000 euros (France)
The French data protection authority CNIL (Commission Nationale de l'Informatique et des Libertés) imposed a fine of 800,000 euros on the company Cegedim Santé in a decision dated September 5, 2024. The fine is the result of a series of data protection violations in connection with the unlawful processing of particularly sensitive health data.
Cegedim Santé develops and distributes software solutions for medical practices and health centers to manage appointments, patient records and prescriptions.
During inspections in 2021, the CNIL found that the company collected and processed health data without the required authorization. The data collected was then made available by Cegedim Santé for the preparation of studies and statistics in the health sector. The health data was not anonymized, but merely pseudonymized. This means that it was technically possible to re-identify the data subjects, in particular by combining data from different sources.
The data processed by Cegedim Santé included a variety of sensitive information, including year of birth, gender, allergies, medical history, height, weight, diagnoses, prescriptions, certificates of incapacity for work and analysis results. This information was linked by a unique identifier that made it possible to track a patient's entire treatment history. Given the amount of data and the possibility of linking it to external sources, the CNIL recognized a high risk of patient re-identification.
The CNIL found that the data was processed in this insufficiently pseudonymized form until at least 2022. As this involved sensitive health data, the CNIL considered this to be a particularly serious infringement of the Data Protection Act.
Source: CNIL fine against Cegedim Santé
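The Cegedim Santé decision rests on the distinction between pseudonymization and anonymization: a stable per-patient identifier plus attributes such as year of birth, gender and height leaves each patient singled out even though names are gone. The following is an added example (not code from the article, the CNIL or Cegedim Santé) that runs the k-anonymity check a privacy engineer would apply to such a data set before sharing it, on a small constructed set of visit records. All patient values and the quasi-identifier choice are constructed assumptions for illustration.

```python
"""Added illustration: measuring re-identification risk in a pseudonymized
health data set. Records carry a stable pseudonym (pid) and quasi-identifiers
(year of birth, sex, height), as in the case described above. Not the
article's or any company's code; the data below is constructed.
"""
from collections import Counter

# Constructed sample: one row per visit, several visits share a pseudonym.
PSEUDONYMIZED_VISITS = [
    {"pid": "a1f3", "yob": 1961, "sex": "F", "height": 162, "dx": "diabetes"},
    {"pid": "a1f3", "yob": 1961, "sex": "F", "height": 162, "dx": "hypertension"},
    {"pid": "b72c", "yob": 1965, "sex": "F", "height": 165, "dx": "asthma"},
    {"pid": "c905", "yob": 1983, "sex": "M", "height": 180, "dx": "back pain"},
    {"pid": "d4e8", "yob": 1985, "sex": "M", "height": 182, "dx": "reflux"},
    {"pid": "e11b", "yob": 1990, "sex": "M", "height": 183, "dx": "anxiety"},
    {"pid": "f6a0", "yob": 1992, "sex": "M", "height": 181, "dx": "eczema"},
]

# Assumed quasi-identifiers: stable attributes an outside source could also hold.
QUASI_IDS = ("yob", "sex", "height")


def patient_profiles(records, quasi_ids=QUASI_IDS):
    """Collapse visit rows into one quasi-identifier tuple per pseudonym."""
    profiles = {}
    for rec in records:
        profiles.setdefault(rec["pid"], tuple(rec[q] for q in quasi_ids))
    return profiles


def k_anonymity(profiles):
    """Smallest number of patients sharing one quasi-identifier combination.
    k == 1 means at least one patient is unique, i.e. singled out."""
    return min(Counter(profiles.values()).values())


def singled_out(profiles):
    """Pseudonyms whose quasi-identifier combination is unique in the set."""
    counts = Counter(profiles.values())
    return sorted(pid for pid, qi in profiles.items() if counts[qi] == 1)


def treatment_history(records, pid):
    """The stable pseudonym links every visit of one patient together."""
    return [r["dx"] for r in records if r["pid"] == pid]


def generalize(record):
    """Coarsen quasi-identifiers: decade of birth and 10 cm height bands."""
    g = dict(record)
    decade = record["yob"] // 10 * 10
    band = record["height"] // 10 * 10
    g["yob"] = f"{decade}s"
    g["height"] = f"{band}-{band + 9} cm"
    return g


if __name__ == "__main__":
    raw = patient_profiles(PSEUDONYMIZED_VISITS)
    print("raw k-anonymity:", k_anonymity(raw), "singled out:", singled_out(raw))
    print("history of a1f3:", treatment_history(PSEUDONYMIZED_VISITS, "a1f3"))
    coarse = patient_profiles([generalize(r) for r in PSEUDONYMIZED_VISITS])
    print("generalized k-anonymity:", k_anonymity(coarse))
```

On the raw pseudonymized set every patient is unique (k = 1) and the pseudonym reconstructs the full treatment history, which is exactly the combination the CNIL objected to. Generalizing the quasi-identifiers lifts k to 2 in this toy set; a real release would also need to drop or rotate the stable identifier, since k-anonymity over a few columns is a minimum check, not proof of anonymization.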