With fines in the millions against large US companies, EU data protection authorities took a stand in September: which GDPR provisions Meta and Clearview AI violated, and what other companies can learn from these decisions.
1. Meta Platforms Ireland Ltd: 91 million euros (Ireland)
On September 26, 2024, the Irish Data Protection Commission (DPC) imposed a fine of 91 million euros on Meta Platforms Ireland Limited (MPIL).
In March 2019, MPIL informed the DPC that passwords of social media users had inadvertently been stored in plain text. The passwords were neither hashed nor otherwise cryptographically protected. According to the DPC's findings there was no evidence that the passwords had been accessed by unauthorized third parties, but plain-text storage exposes credentials to anyone with read access to the store, including internal staff and logging or backup systems.
The incident triggered an investigation by the DPC. This focused on the question of whether MPIL had taken appropriate security precautions when processing user passwords and whether the company had complied with its obligations under the GDPR, in particular with regard to the documentation and reporting of data breaches.
The DPC's investigation revealed several violations of the GDPR:
- Article 33(1) GDPR - MPIL did not notify the DPC of the data breach (the storage of user passwords in plain text) without undue delay.
- Article 33(5) GDPR - MPIL did not adequately document the data breach.
- Article 5(1)(f) GDPR - MPIL did not take appropriate technical and organizational measures to ensure the security of user passwords, compromising the integrity and confidentiality of the data.
- Article 32(1) GDPR - MPIL did not carry out a sufficient risk assessment and did not implement a level of security appropriate to the risk.
Source: DPC press release on the fine imposed on Meta Platforms Ireland Limited
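The control the DPC found missing is a one-way, salted, memory-hard password hash; passwords should never be stored in a form from which the original can be read back. The following is an added example and not code from Meta or the DPC: it contrasts the plain-text failure mode with a store that keeps only a scrypt hash, verifies in constant time, and flags legacy records hashed with weaker parameters so they can be upgraded at the next login. The scrypt parameters, the hash string layout and the function names are my own assumptions, not a description of any real system.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed policy (hypothetical): scrypt with 16 MiB of memory per hash,
# a 16-byte random salt and a 32-byte derived key.
POLICY = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_LEN = 16
KEY_LEN = 32


def store_plaintext(users: dict, username: str, password: str) -> None:
    """The failure mode: the credential is written verbatim, so anyone who can
    read the store (or a log line or a backup derived from it) has the password."""
    users[username] = password


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  n: int = POLICY["n"], r: int = POLICY["r"], p: int = POLICY["p"]) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt$key' (salt and key base64).
    Storing the parameters with the hash lets the policy be raised later without
    breaking verification of older records."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # unique per password: equal passwords give different records
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64(salt), _b64(key)])


def _parse(stored: str) -> Tuple[int, int, int, bytes, bytes]:
    algo, n, r, p, salt, key = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format: %r" % algo)
    return int(n), int(r), int(p), base64.b64decode(salt), base64.b64decode(key)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    n, r, p, salt, expected = _parse(stored)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                               dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was produced with parameters weaker than the current policy,
    e.g. a legacy record; the caller should rehash it after the next successful login."""
    n, r, p, _, _ = _parse(stored)
    return n < POLICY["n"] or r < POLICY["r"] or p < POLICY["p"]


def register(users: dict, username: str, password: str) -> None:
    """Hardened counterpart of store_plaintext: only the hash record is kept."""
    users[username] = hash_password(password)


def login(users: dict, username: str, password: str) -> bool:
    """Verify, and transparently upgrade records hashed under an older policy."""
    stored = users.get(username)
    if stored is None:
        return False
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    db = {}
    register(db, "alice", "correct horse battery staple")
    print(db["alice"])                      # scrypt$16384$8$1$...  (no password visible)
    print(login(db, "alice", "correct horse battery staple"))  # True
    print(login(db, "alice", "Correct horse battery staple"))  # False
```

The record format mirrors the widely used "$algorithm$params$salt$hash" convention so that a later move to stronger parameters (or another memory-hard function) is a per-record upgrade rather than a migration of the whole table.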
2. Clearview AI: 30.5 million euros (Netherlands)
The Dutch data protection authority "Autoriteit Persoonsgegevens" (AP) has imposed a fine of 30.5 million euros on the US company Clearview AI Inc.
Clearview AI offers facial recognition software based on a database of more than 30 billion photos. These photos come from public sources on the internet such as social networks, news sites and public databases. Clearview AI uses this data to offer various services to identify people.
In its investigation, the Data Protection Authority found that Clearview AI processed personal data of individuals residing in the Netherlands without a lawful basis. In particular, Clearview AI processed biometric data - a particularly sensitive category of personal data - without proper authorization or legal basis.
Clearview AI's violations concern several provisions of the General Data Protection Regulation, including:
- Articles 5 and 6 GDPR: Clearview AI processed personal data without a lawful basis, in breach of the principle of lawfulness, which requires that every processing operation rests on one of the legal bases listed in Article 6.
- Article 9 GDPR: The processing of biometric data such as facial images without explicit consent or other legal basis violates the prohibition on the processing of special categories of personal data.
- Articles 12 and 14 GDPR: Clearview AI did not sufficiently inform data subjects about the processing of their personal data. Information obligations are an essential part of the GDPR to ensure transparency and the rights of data subjects.
- Article 15 GDPR: Clearview AI has failed to comply with data subjects' requests for access to data held about them.
- Article 27 GDPR: Clearview AI has not appointed a representative in the European Union, although this is mandatory for companies that are not established in the EU but process the data of data subjects in the EU.
The amount of the fine reflects these several infringements taken together. In addition to the financial sanction, the AP ordered Clearview AI to remedy the ongoing infringements, in particular to cease the unlawful processing of personal data and to appoint a representative in the European Union.
Source: Fining notice from Autoriteit Persoonsgegevens against Clearview AI
3. TD Bank: 27,760,000 US dollars (USA)
On September 11, 2024, the Consumer Financial Protection Bureau (CFPB) issued a consent order against TD Bank, N.A. for violations of the Fair Credit Reporting Act (FCRA) and the Consumer Financial Protection Act (CFPA). TD Bank was ordered to pay a civil money penalty of 20 million US dollars. In addition, 7.76 million US dollars in redress was determined for affected consumers.
The CFPB's investigation uncovered several violations by TD Bank related to the handling of credit card and deposit accounts. In particular, the violations involved incomplete or inaccurate reporting of account information to consumer reporting agencies (CRAs). This had serious consequences for the consumers concerned.
For example, TD Bank failed to correct incorrect or incomplete information about consumers' credit card accounts in a timely manner. In some cases, this resulted in consumers who had paid or settled their accounts in full continuing to be listed as defaulters. The bank also failed to conduct adequate and timely investigations when consumers disputed their credit information. This included both direct disputes filed by consumers themselves and indirect disputes filed through consumer reporting agencies. For many credit card accounts, the bank incorrectly reported the date of first default, resulting in negative entries remaining on consumers' credit reports for longer than permitted.
In addition to the civil money penalty of 20 million US dollars and the 7.76 million US dollars in redress for affected consumers, TD Bank was given extensive conditions to improve its processes:
- The bank must ensure that incorrect information furnished to CRAs is corrected promptly.
- TD Bank must revise its dispute handling policies to ensure that investigations are conducted within the timeframes required by law.
- The bank must submit a comprehensive compliance plan within 90 days, with regular reporting to its board of directors.
Source: Notice of fine from the Consumer Financial Protection Bureau against TD Bank
4. Enérgya-VM: 2.5 million euros (Spain)
The Spanish data protection authority "Agencia Española de Protección de Datos" (AEPD) has imposed a fine of EUR 2.5 million on Energya-VM Gestión de Energía, S.L.U. (hereinafter "Energya-VM").
As early as 2019, Energya-VM had been made aware, through third-party reports, of misleading and possibly illegal practices by the external service provider Nivalco, which Energya-VM had commissioned to acquire new customers. It emerged that Nivalco was using personal data, including bank details and other sensitive information, without an appropriate legal basis to contact potential customers and persuade them to sign a contract with Energya-VM.
During its investigation, the AEPD found that Nivalco used the data of potential customers without informing them sufficiently in advance about the processing of their data (violation of Article 13 GDPR).
Energya-VM was deemed the controller of Nivalco's data processing under the GDPR, even though Nivalco formally acted as a processor. The AEPD reasoned that Energya-VM determined the purposes of the processing and exercised sufficient control over Nivalco's activities to be held responsible for the breaches alongside Nivalco.
Energya-VM was accused of not having taken sufficient measures to monitor Nivalco's compliance with data protection regulations. Despite repeated warnings and internal audits, no effective measures were taken to remedy the problematic practices. Energya-VM also failed to ensure that data subjects were informed transparently about the processing of their data, especially when first contacted by Nivalco.
In addition to the fine, Energya-VM was ordered to take immediate measures to improve its data protection practices. These measures included the introduction of stricter controls on the activities of its service providers.
Source: Notice of fine Agencia Española de Protección de Datos against Energya-VM
5. Cegedim Santé: 800,000 euros (France)
On September 5, 2024, the French data protection authority CNIL (Commission Nationale de l'Informatique et des Libertés) imposed a fine of 800,000 euros on the company Cegedim Santé. The fine is the result of a series of data protection violations in connection with the unlawful processing of sensitive health data.
Cegedim Santé develops and distributes software solutions for medical practices and health centers to manage appointments, patient records and prescriptions.
During inspections in 2021, the CNIL found that the company had collected and processed health data without the required authorization. Cegedim Santé subsequently made the collected data available for the preparation of studies and statistics in the healthcare sector. The health data was not anonymized, but merely pseudonymized: it remained technically possible to re-identify the data subjects, in particular by combining the data with information from other sources. Pseudonymized data therefore remains personal data under the GDPR (Recital 26); only data that cannot reasonably be traced back to a person falls outside its scope.
The data processed by Cegedim Santé included a wide range of sensitive information, including year of birth, gender, allergies, medical history, height, weight, diagnoses, prescriptions, incapacity certificates and analysis results. This information was linked by a unique identifier that made it possible to track a patient's entire treatment history. Given the amount of data and the possibility of linking it to external sources, the CNIL recognized a high risk of patient re-identification.
The CNIL found that the data continued to be processed in this insufficiently pseudonymized form until at least 2022. As this involved sensitive health data, the CNIL considered the breach particularly serious.
Source: CNIL fine against Cegedim Santé
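The re-identification risk the CNIL describes is a linkage attack: a stable pseudonym plus ordinary attributes such as year of birth, gender, height and weight act as quasi-identifiers that can be joined against an external source carrying names. The following added example (not code from Cegedim Santé or the CNIL) uses a small constructed dataset to show the mechanics: exact quasi-identifiers make every record unique and two patients are linked to names in a hypothetical directory, after which the pseudonym pulls in their entire treatment history; generalizing the attributes raises the dataset's k-anonymity so no record can be linked unambiguously. All names, values and the binning scheme are assumptions made for the demonstration.

```python
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed sample data (hypothetical): a pseudonymised patient table as a
# downstream data consumer might receive it. "pid" is the stable pseudonym.
PATIENTS = [
    {"pid": "p001", "yob": 1974, "sex": "F", "height": 168, "weight": 62},
    {"pid": "p002", "yob": 1975, "sex": "F", "height": 165, "weight": 68},
    {"pid": "p003", "yob": 1981, "sex": "M", "height": 182, "weight": 90},
    {"pid": "p004", "yob": 1983, "sex": "M", "height": 185, "weight": 95},
    {"pid": "p005", "yob": 1990, "sex": "M", "height": 176, "weight": 74},
    {"pid": "p006", "yob": 1992, "sex": "M", "height": 178, "weight": 70},
]

# Constructed: events keyed by the same pseudonym, i.e. the unique identifier
# that chains a patient's whole treatment history together.
VISITS = [
    {"pid": "p001", "date": "2021-03-02", "diagnosis": "E11", "prescription": "metformin"},
    {"pid": "p001", "date": "2021-09-14", "diagnosis": "E11", "prescription": "metformin"},
    {"pid": "p002", "date": "2021-06-01", "diagnosis": "F32", "prescription": "sertraline"},
    {"pid": "p003", "date": "2021-05-20", "diagnosis": "I10", "prescription": "amlodipine"},
]

# Constructed external source with names and the same ordinary attributes
# (think of a sports-club roster or an insurance form), which the attacker holds.
DIRECTORY = [
    {"name": "A. Dupont", "yob": 1974, "sex": "F", "height": 168, "weight": 62},
    {"name": "B. Martin", "yob": 1981, "sex": "M", "height": 182, "weight": 90},
    {"name": "C. Bernard", "yob": 1990, "sex": "M", "height": 176, "weight": 74},
    {"name": "D. Petit", "yob": 1990, "sex": "M", "height": 176, "weight": 74},
    {"name": "E. Roux", "yob": 1974, "sex": "F", "height": 170, "weight": 60},
]

QUASI_IDENTIFIERS = ("yob", "sex", "height", "weight")
Key = Tuple
KeyFn = Callable[[dict], Key]


def exact_key(rec: dict) -> Key:
    """Quasi-identifiers as released: precise values."""
    return tuple(rec[f] for f in QUASI_IDENTIFIERS)


def generalised_key(rec: dict) -> Key:
    """Assumed generalisation: decade of birth, 10 cm height band, 10 kg weight band."""
    return (rec["yob"] // 10 * 10, rec["sex"], rec["height"] // 10 * 10, rec["weight"] // 10 * 10)


def k_anonymity(records: List[dict], key: KeyFn = exact_key) -> int:
    """Smallest group of records sharing the same quasi-identifier key.
    k == 1 means at least one record is unique and therefore linkable."""
    return min(Counter(key(r) for r in records).values())


def link(records: List[dict], directory: List[dict], key: KeyFn = exact_key) -> Dict[str, str]:
    """Linkage attack: map pseudonym -> name wherever exactly one record and exactly
    one directory entry share a key. Ambiguity on either side yields no link."""
    by_key_records = defaultdict(list)
    by_key_directory = defaultdict(list)
    for rec in records:
        by_key_records[key(rec)].append(rec)
    for person in directory:
        by_key_directory[key(person)].append(person)
    return {
        recs[0]["pid"]: by_key_directory[k][0]["name"]
        for k, recs in by_key_records.items()
        if len(recs) == 1 and len(by_key_directory.get(k, [])) == 1
    }


def treatment_history(pid: str, visits: List[dict]) -> List[dict]:
    """Once the pseudonym is resolved, every event carrying it is attributable."""
    return [v for v in visits if v["pid"] == pid]


def reidentify(records: List[dict], visits: List[dict], directory: List[dict],
               key: KeyFn = exact_key) -> Dict[str, List[dict]]:
    """name -> full treatment history for every patient the attacker can link."""
    return {name: treatment_history(pid, visits) for pid, name in link(records, directory, key).items()}


if __name__ == "__main__":
    print("k (exact):", k_anonymity(PATIENTS))                          # 1
    print("k (generalised):", k_anonymity(PATIENTS, generalised_key))   # 2
    for name, history in reidentify(PATIENTS, VISITS, DIRECTORY).items():
        print(name, "->", [(v["date"], v["diagnosis"]) for v in history])
    print("generalised links:", link(PATIENTS, DIRECTORY, generalised_key))  # {}
```

Note that p005 is not linked even with exact values, because two directory entries share its key; a real attacker would bring in further attributes to break that tie, which is why assessing re-identification risk means considering what other sources a recipient could plausibly combine with the data, not just the fields in the release itself.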