GDPR Penalties Prove Why Compliance Isn't Enough—And Why Companies Need Clarity

from the when-trying-to-comply-is-evidence-of-failing-to-comply dept

The legal uncertainty created by the General Data Protection Regulation (GDPR) is becoming so common, it’s starting to go unnoticed. In yet another recent example, Poland’s data protection authority (DPA), UODO (“Urząd Ochrony Danych Osobowych” in Polish), fined a European company over €220,000 for failing to comply with a GDPR requirement that companies provide individuals with privacy notices. While it hasn’t drawn considerable attention, this case could have considerable implications for many other European companies. The sanction cuts through expectations that data protection authorities (DPAs) will play a constructive role of both regulators and advisors under the GDPR, and it illustrates that the need to clarify the European privacy law is ever more urgent.

Bisnode, a European digital marketing company that specializes in data analytics, had collected and processed personal data from publicly available registers on six million individuals to provide creditworthiness scores to banks. The company used its access to the email addresses of about 679,000 users to inform them of the processing of their personal data—to which, out of a sample of 90,000 users, only 10 percent objected. But the operational costs of sending letters to the remaining 5.7 million users whose emails were unavailable would amount to €8 million of postal charges, an estimate which did not even include the related administrative costs. As a result, the company decided to publish a general statement on its website to alert the remaining data subjects. However, the Polish DPA decided that Bisnode did not go far enough in upholding its obligations under the GDPR.

The decision to sanction this company is misguided and sets a worrying precedent for two reasons. First, this penalty is a direct consequence of the privacy law’s vague provisions and misleading language, which EU policymakers must urgently clarify. Under Article 14 of the GDPR, organizations that collect and process personal data must provide privacy notices directly to data subjects. But this obligation does not apply where providing the information is “impossible, or would involve a disproportionate effort.” The company thought it had fulfilled its obligations under the GDPR, reasoning that the exorbitant cost of reaching the remaining users triggered this exception. But while accepting the company’s cost calculations, UODO did not consider €8 million a sufficiently “disproportionate effort.” What is more, because the GDPR is not prescriptive about how companies must provide this information, UODO held that the law does not require notice specifically by registered post. On that basis, UODO considered a public statement insufficient because the company could have used other channels such as SMS messages, even though Bisnode did not have telephone numbers for everyone and the cost of doing so would also have been high.

Second, this decision calls for a clarification of the role of DPAs under the GDPR. The company had taken a number of proactive steps to comply with the GDPR, yet UODO saw it as nothing more than proof that it was aware of its obligations and thus had intentionally violated them. DPAs should not impose penalties when there is ambiguity in the rules and companies are making an honest effort to comply. Instead, DPAs should play the role of educators so as to facilitate companies’ complex journey towards compliance. Before imposing penalties, they should take into account whether companies acted in good faith when establishing compliance strategies, the extent to which they have implemented compliance procedures internally, and the degree of interpretability of the provisions in question.

Many EU companies have yet to comply with the privacy law and do not expect that they ever will. EU policymakers should realize that the privacy law’s strict and complex requirements may be the main reason why. But the Polish decision shows that compliance may not even be enough. Companies cannot interpret unclear regulations, so they will continue to face unpredictable decisions. Even if a company appeals a decision, it will take time before the final outcome establishes jurisprudence.

EU policymakers and data protection authorities should focus on clarifying the legislation, specifying the technical requirements for providing information, and taking into account the costs and difficulties compliance may impose on companies in some cases. Otherwise, European businesses will continue to face difficulties interpreting and complying with the GDPR.

Eline Chivot is a senior policy analyst at the Center for Data Innovation, based in Brussels. Daniel Castro is the director of the Center for Data Innovation and vice president of the Information Technology and Innovation Foundation.

Filed Under: data protection, eu, gdpr, penalties, privacy
Companies: bisnode


Reader Comments



    Mason Wheeler (profile), 8 May 2019 @ 11:58am

    from the not-helping-your-case dept.

    So let me get this straight: the EU busted a credit bureau on GDPR grounds, and you think that's a bad thing?!?

    That's not how this works. If you want people to believe that the GDPR is bad, you have to show how it's harming sympathetic targets that didn't deserve it. A ruling like this, however technically flawed it may be, is more likely to draw cheers from the audience.

      Mike Masnick (profile), 8 May 2019 @ 12:48pm

      Re: from the not-helping-your-case dept.

      A ruling like this, however technically flawed it may be, is more likely to draw cheers from the audience.

      A point we make over and over again is that a huge problem is that people cheer on any damage to unsympathetic defendants/companies -- without recognizing how that will impact everyone else. Complaining about using this as an example only exacerbates that problem, and suggests we should allow awful precedents to be set, just because we don't like the company.

      You can't honestly believe that's a good idea.

        Anonymous Coward, 8 May 2019 @ 12:54pm

        Re: Re: from the not-helping-your-case dept.

        In fact, it's likely that they're starting with highly unsympathetic targets to get the precedent set to the sound of cheers. They do it enough, by the time they start attacking sympathetic targets, people will shrug and say "well, they broke the law, what did they expect?"

      Thad (profile), 8 May 2019 @ 12:55pm

      Re: from the not-helping-your-case dept.

      Techdirt posts a lot of stories about unsympathetic people being subjected to unfair treatment by governmental entities. If I can see the problem with police confiscating a heroin dealer's car, I can see the problem with sanctioning a credit bureau for thinking that an 8 million euro cost satisfies the definition of "disproportionate effort."

        Eldakka (profile), 8 May 2019 @ 11:22pm

        Re: Re: from the not-helping-your-case dept.

        I can see the problem with sanctioning a credit bureau for thinking that an 8 million euro cost satisfies the definition of "disproportionate effort."

I think to get a better understanding of whether it is disproportionate or not we'd need to know the revenue of the company involved. Here we are only given an absolute figure, not the 'proportion' that this figure represents of the company's revenue, on which to base a 'disproportionate' scenario. You can't determine that with only the one number. I mean, if it's a 1 million/year company, then it is disproportionate. However, if it is a 100 million euro/year company, then a one-off 8 million euro charge I would not view as disproportionate.

      nasch (profile), 9 May 2019 @ 8:50am

      Re: from the not-helping-your-case dept.

      A ruling like this, however technically flawed it may be, is more likely to draw cheers from the audience.

      I'd like to think Techdirt's audience is smarter than that.

        Bamboo Harvester (profile), 9 May 2019 @ 9:08am

        Re: Re: from the not-helping-your-case dept.

        He's not talking about the TD audience, he's talking about the gullible unwashed masses.

        And he's right.

        Look at all the laws sold to the public that will "only be used against bad guys".

        RICO was only going to be used against organized crime. Now it's used to steal wallets on traffic stops.

        Hell, look at the income tax - it was sold as only applying to the richest 6%.

    Anonymous Coward, 8 May 2019 @ 12:21pm

    10 percent‽

    The company used its access to the email addresses of about 679,000 users to inform them of the processing of their personal data—to which, out of a sample of 90,000 users, only 10 percent objected.

What do you mean "only"? The article said they got 12,000 objections, which is HUGE for an opt-out system. The usual expectation is that "nobody" will read the legalese associated with an account and that very few people will ever take the time to go through some formal process of objecting (which is precisely why companies design opt-out systems). This proves otherwise.

    Were these people part of an organized protest or what? That's 13.3% of people who received the presumably-boring-looking legal notice (despite spam filtering, address changes, etc.), then took the time to read and even respond to it. It's almost like we're talking about another planet. Marketers would kill for that response rate in other circumstances, and it absolutely justifies sending letters to everyone else. (Or, you know, not doing the things that people find objectionable.)

    Anonymous Coward, 8 May 2019 @ 12:27pm

    Let me see if I understand your point correctly. I burger breaks in to my file cabinet, steals a bunch of person data and then is only fined €220,000 for their criminal activity. A more appropriate sentence would be 5 to 10 in a place the sun don't shine.

      Mike Masnick (profile), 8 May 2019 @ 12:47pm

      Re:

      I burger breaks in to my file cabinet, steals a bunch of person data and then is only fined €220,000 for their criminal activity.

      Help me out here. How does one "steal" personal data?

        Anonymous Coward, 8 May 2019 @ 12:59pm

        Re: Re:

        I like how we aren't even talking about meat sandwiches breaking and entering.

        Bamboo Harvester (profile), 8 May 2019 @ 1:11pm

        Re: Re:

        Interesting point.

        "Identity Theft" - is it theft?

        Is it "different" if you "steal" my identity to get credit cards instead of using that "stolen" information to cast votes on the FCC's page?

          Anonymous Anonymous Coward (profile), 8 May 2019 @ 1:20pm

          Re: Re: Re:

          Taking data is like downloading a video file, the original is still in place, that is unless you stole a wallet or something.

          Now using that information is not like copyright infringement. If I watch the movie, no one is harmed (don't get started on the creators, if I would never buy that video, they are not harmed). But with identity, the use does harm. Ruins credit score, creates debts in your name that are not yours, hurts reputation by posting to the FCC when you believe the opposite of what was posted in your name, etc..

          Jeroen Hellingman (profile), 9 May 2019 @ 3:54am

          Re: Re: Re:

          Identity theft is a misnomer invented by banks to shift the blame to innocent victims of what used to be called fraud.

          Stephen T. Stone (profile), 9 May 2019 @ 6:11am

          A more accurate term would be “identity fraud”, but as pointed out in a comment beneath mine, such a term is…unacceptable to financial institutions.

        Anonymous Coward, 8 May 2019 @ 2:04pm

        Re: Re:

        If someone steals a folder full of printed pages that contain personal information (the file cabinet example) that is theft. That it happens to be personal info on the paperwork that was stolen is a bit of a stretch to call that "identity theft" but hey, whatever.

          Bamboo Harvester (profile), 8 May 2019 @ 5:26pm

          Re: Re: Re:

          I've never followed an identity theft case. No idea what section of law it actually falls under. I suspect it's one of the "misrepresentation" areas, like using a fake ID at a bar.

          I am curious about if there IS a difference based on "use".

          If I "steal" a person's identity to impersonate that person to get credit in their name, is it legally different than if I do it to use their name... pretty much as a "bot" on a mass mailing.

          Either way, I'm misrepresenting myself as that person. In the first case I'm truly causing harm as you noted.

          In the second case, actual harm might be harder to prove. If I did the mailing stunt to a pile of child porn sites is it "worse" than if I did it to the FCC's complaint page?

          Legally - obviously the porn example is worse. But in the eyes of the law?

    Anonymous Coward, 8 May 2019 @ 4:09pm

    MONEY, MONEY, MONEY

    Now the real reason for the GDPR really comes out, it's all about getting money, out of their hands and into ours. There is no real concern for privacy, they are only looking for the next catchphrase to glom onto in order to extract more money out of the public and corporations.

    Anonymous Coward, 8 May 2019 @ 11:19pm

This posting is so incredibly dumb that I do not know where to start. I feel like I could spend a whole day responding to it but I don't have that time.

    First of all I like the comment above mentioning about the opt-out rate of the persons who were actually contacted.

So just to get things right ("Bisnode, a European digital marketing company ... data analytics ... provide creditworthiness scores to banks.") we are speaking about profiling, right? So we might consider reading Art. 22 of the GDPR and notice for a moment that the bar for processing personal data is raised somewhat.

    Another thing that's important for me: "But the operational costs of sending letters to the remaining 5.7 million users whose emails were unavailable would amount to €8 million of postal charges, an estimate which did not even include the related administrative costs."
    I will put this in other words: "When the company recognized that it didn't have a valid business case anymore they decided to give a fuck about the law."

    -- "Second, this decision calls for a clarification of the role of DPAs under the GDPR."
    The role is clear.

    -- "DPAs should not impose penalties when there is ambiguity in the rules and companies are making an honest effort to comply."
And the company decides what this "honest" means, right? No, it is the DPA. The company is free to object to the DPA's decision, right? You missed this point?

    -- "Instead, DPAs should play the role of educators so as to facilitate companies’ complex journey towards compliance."
Not necessary (and a completely stupid idea). Companies are free to have as many Data Protection Officers as they like to educate them.

    -- "But the Polish decision shows that compliance may not even be enough."
    You should start to consider that they did not comply.

    -- "Companies cannot interpret unclear regulations, so they will continue to face unpredictable decisions."
That's wrong. They interpret unclear regulations all the time ... and (surprise!) always in their favour.

    Finally I would like to ask a question: If the GDPR is so basically wrong, why can't you present examples with a real case?

    Have fun!

    Ben (profile), 9 May 2019 @ 12:51am

    There are companies out there with not-insignificant numbers of data subjects who have complied with the requirement to send out privacy notices to every single one of them. I know because I work for one of them. We have clients all over the world so goodness knows how much the postage cost for those whose email address is not on our records.
    So the credit agency in question really has no excuse. It is possible to meet the requirements of Article 14 of the GDPR.

    Jeroen Hellingman (profile), 9 May 2019 @ 3:50am

    Works as designed

Although the GDPR has a couple of issues in relation to freedom of the press, this case shows that the rules are working as intended. Credit rating agencies are of a fairly dubious nature, and their business practices often harm people with very little legal recourse. To a large extent, the GDPR can help to rein in those dubious practices, as most of the grounds under the GDPR that allow a company to process personal information are lacking. Since they have no direct relationship with the individuals they collect information about, they cannot justify it with 'needed to fulfil contract'; they most certainly lack 'freely given permission'; and with most agencies, there is also no 'legal obligation' to keep the information. I also don't think 'required to protect own significant interest' applies here. The only problem with the GDPR in this respect is that regulators in several countries are rather slow to act...

    ysth (profile), 9 May 2019 @ 1:13pm

    Elizabeth Warren's plans to break up all of the big internet companies doesn't

    plan doesn't or plans don't

    spamvictim (profile), 10 May 2019 @ 9:45am

    This is not a bug

    It is definitely not a bug in the GDPR that it makes it difficult or impractical to scrape data off the net and sell it. Everyone affected by GDPR had literally years of warning. If it turned out that the company couldn't afford to maintain their scraped database and comply, that is a failure of their business plan, not of the GDPR.
    Surely you can do better than this.
