Dear Readers,

This year we would like to introduce an additional concept to our blog in order to provide regular information to our English-speaking readers as well. To do so, we will upload short overviews of interesting news, changes and decisions in matters of data protection at regular intervals (every 1-2 months).

If you would like more details, don’t hesitate to contact us via the comment function. We will also link to our blog posts (mostly in German) where we have already reported on a topic.

What has happened lately?

1. New national data protection laws entered into force

Liechtenstein, Finland and Spain have implemented the GDPR into national law. The new Data Protection Acts entered into force in December (Spain) and January (Finland, Liechtenstein).

2. UK: Government publishes draft regulations amending privacy framework

In December 2018 the UK Government published the so-called “Draft Regulations”, which seek to ensure that the legal framework for data protection within the UK continues to function correctly after exit day. They do so by amending the Data Protection Act 2018, the GDPR as it forms part of the law by virtue of the European Union (Withdrawal) Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003. The Draft Regulations are expected to come into force on exit day. They introduce a single instrument for general processing activities, known as the UK GDPR, which will maintain, among other things, the extra-territorial scope of the GDPR and extend this to also cover processing of UK residents’ data by controllers and processors in the EEA. The Draft Regulations transfer to the Secretary of State and/or the Information Commissioner’s Office a number of powers conferred by the GDPR on the European Commission, such as issuing adequacy decisions for third countries or authorizing binding corporate rules.

3. Fines

a) UK: The Information Commissioner’s Office (ICO) imposed a fine of £350, as well as an order to pay costs of £643.75 and a victim surcharge of £35, against a former employee at Fakenham Medical Practice, for unauthorized access to medical records. The former employee had illegally accessed the medical records of 231 patients during her period of employment.

b) Italy: Facebook has been fined almost £9m by Italian authorities for misleading users about how it used their data. The fine was handed down for “misleadingly” encouraging people to sign up “without informing them in an immediate and adequate way” of how their data would be sold to third parties and for “aggressively” discouraging users from trying to limit how the company shared their personal information, by telling them that doing so risked them experiencing “significant limitations”.

c) Netherlands, UK, France: Uber Technologies Inc. was fined €600,000 and £385,000 respectively by the Dutch data protection authority (‘AP’) and the Information Commissioner’s Office (‘ICO’) for Uber’s data breach in 2016, which affected approximately 57 million individuals around the world. The French data protection authority (‘CNIL’) had also issued a fine of €400,000 to Uber France S.A.S in December 2018, since 1.4 million users in France were affected by the data breach of the parent company. The authorities highlighted that Uber had failed to implement basic security measures and had not taken all necessary precautions to prevent unauthorised third-party access to customer data, and that it had failed to notify the breach to the AP and the affected individuals within 72 hours of discovering it.

d) Germany: The German Data Protection Authority of Baden-Wuerttemberg (LfdI) imposed its first fine in Germany because of a violation of the data security measures prescribed under Art. 32 GDPR. In July 2018, hackers succeeded in stealing personal data from around 330,000 users, including passwords and e-mail addresses. The company had stored the passwords of its users unencrypted. The LfdI highlighted that, by storing the passwords in plain text, the company knowingly violated its obligation to ensure data security in the processing of personal data pursuant to Art. 32 para. 1 lit. a GDPR.