> Warning: fopen(https://docs.google.com/spreadsheets/d/1s2eNqf5xpVX8j6LfnL6r...): Failed to open stream: Connection refused in /mnt/web308/b1/30/54257730/htdocs/enforcementtracker/index.php on line 1493 Fatal error: Uncaught TypeError: fgetcsv(): Argument #1 ($stream) must be of type resource, bool given in /mnt/web308/b1/30/54257730/htdocs/enforcementtracker/index.php:1496 Stack trace: #0 /mnt/web308/b1/30/54257730/htdocs/enforcementtracker/index.php(1496): fgetcsv(false) #1 {main} thrown in /mnt/web308/b1/30/54257730/htdocs/enforcementtracker/index.php on line 1496
Interesting to see the correlation between size of a company and their fine.
Orange Spain for instance got a 200,000 EUR fine, but some local physician only got 1,500.
Reviewing what the GDPR is and what an expected fine is according to the law itself, this is exactly what you would expect to see. Its maximum penalty is related to the company's annual, worldwide revenue.
> The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
(emphasis theirs, well, bold not italics, but yeah.)
Meta/Facebook/WhatsApp was fined about 2.4 billion (6 out of top 10 fines), but still nowhere near close to the maximum (which would be about 54 billion).
The US law firms and compliance consultants were scaremongering a lot around these fines (after all, they got paid for consulting there and making sure this is as scary as possible).
To be fair, in the US regulations seem to be thought of as something enforced against smaller companies while larger companies can afford expensive lawyers to sidestep them. The difference is that EU privacy law can't easily be sidestepped because it specifically targets these large companies.
OTOH this might just be a case of "temporarily inconvenienced billionaire" logic or the same fear mongering as "if we raise minimum wage you won't be able to afford rent".
That was an error with potentially very grave consequences, but it seems the MoD handled it well once they were aware of it (“Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients”)
I don’t think a larger fine would have made them do better, so why make it higher?
That sounds like a fine that was the maximum under the pre-GDPR regime, rather than the GDPR-era penalty regime. If the offence took place before the new rules were in force, the old penalties apply, even if the case takes some time to be resolved.
Interesting to see some individuals and seemingly individual police officers fined. I know it was theoretically possible but I wonder what the stories are there.
At least for Germany there are cases where police officers have leaked information about people that they have access to through their systems. Especially leaking data about political opponents to certain groups.
I don't know which case you're thinking of but generally the trend seems to be police officers leaking data about (perceived) left-wing activists to far-right groups.
There is a known far-right extremism problem in the German police force and military, e.g. the founder of GSG9 (think German SWAT) and a brigadier general and former commander of the KSK (think German SOCOM/SEAL) published a book with a far-right publishing house, which was the first in a series of incidents that led to the KSK being reformed in 2020 to (hopefully) address the systemic far-right extremism problem.
There have been credible claims of ties of far-right terrorist groups like Combat 18 and NSU 2.0 to the police. E.g. in one of the biggest news stories there was a find of not only a disturbing cache of weapons and body bags but also "kill lists" found to be sourced from police computers.
There are obvious ideological reasons why police officers are more likely to be supportive of far-right extremism than, say, far-left extremism. That isn't to say police officers are generally far-right but maintaining the status quo, opposing disturbances of the public order and enforcing the letter of the law fit better with conservatism than progressivism and social justice movements, let alone radical leftism.
Here's one story: a doctor interviewed by Polish TV station "TVN" complained about patients not getting prescriptions for painkiller meds for 2 days. To which the Polish Minister of Health Adam Niedzielski responded on Twitter [1] saying the doctor lied, because he had prescribed himself a psychotropic/painkiller drug a day prior.
Positively surprised to see that fines are being enforced for non-compliers, with some of the fines being significant. I still encounter sites that are not complying with GDPR, but maybe things will improve after all.
I expected that they might have gone after a few high-profile cases, for the show, and an entire group of smaller non-compliers would simply continue their business as usual.
I often wondered if flagging smaller websites not respecting the GDPR to the relevant watchdogs would have any effect at all, or that it was just a waste of time because small-fish complaints would go straight to the bin.
I stand corrected, and will not hesitate to do so going forward.
No, that's not what I'm saying. I made my point clumsily though, admittedly.
I'm saying for the relatively few fines that have been issued in the UK, a surprising number have been aimed at targets of the culture war of the day and that that's noteworthy.
I'm definitely not trying to bait, or troll anyone. I apologise if that's how it's coming across.
I found the proportion of the fines aimed at a particular group of organisations noteworthy; especially specific organisations that are already under intense scrutiny in the UK media.
The implication here is that this stands out because others haven't been fined. I'm not up to date enough on UK privacy violations to be able to tell whether that is the case.
Charities have to obey privacy law the same as anybody else regardless of what they stand for. It seems the fines were perfectly justified and I see no problem with that.
That said, pretending there is not a deliberate "culture war" around the existence of trans people in the UK is either dishonest or ignorant. UK politics, politicians and media have been extremely hostile towards trans people in recent years even relative to the general attitude of the general population in the UK. The level of artificial moral panic surrounding trans people in UK politics and media is surprising even by American standards. There are a number of astroturfed anti-trans groups present in English-speaking media but the most effective ones are all UK-centric.
The fines, however, seem to be orthogonal to that.
> This penalty has been issued because of contraventions by Mermaids of Articles 5(1)(f) and 32(1) and (2) of the GDPR in that during the period of 25 May 2018 to 14 June 2019 Mermaids failed to implement an appropriate level of organisational and technical security to its internal email systems, which resulted in documents or emails containing personal data, including in some cases relating to children and / or including in some cases special category data, being searchable and viewable online by third parties through internet search engine results.
A fine for this seems reasonable. Data on sexuality and medical history is protected beyond the normal level for personal data.
> On 15 August 2016, which is the date on which the email group of relevance to the contraventions set out in this notice was created, the Chief Executive Officer ("the CEO") was at that date the only paid staff member at Mermaids. On 14 June 2019, Mermaids were notified by a service user of the charity that internal emails containing personal data were publicly available online. Mermaids contacted the Commissioner later that day to report the concerns. On 17 June 2019, the CEO telephoned the Commissioner to update her and sent a follow up email detailing the remedial steps which Mermaids had taken
£21,000
> At 14:22 on 6 September 2019 a member of staff in the - used Microsoft Outlook to generate an email communication which was initially sent to a total of 1,781 GIC patients. The email was sent in two batches comprising 912 and 869 email addresses respectively. In both batches the email addresses were copied from the output report and entered into the "To" field instead of the "Blind carbon copy" ("Bcc") field. The recipients of each email could therefore see the email addresses of the other recipients of that email. Four of the emails were returned as undeliverable and so potentially 1,777 emails were delivered and opened
£92,000
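The To-instead-of-Bcc mistake quoted above (and the MoD ARAP incident further up) is the kind of thing a pre-send check can catch before a human "second pair of eyes" is needed. This is an added example, not code from the thread or from any of the organisations discussed; the domain list, threshold and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed samples mirroring the incident: many external addresses pasted
# into "To" instead of "Bcc". All addresses are made up.
BAD_MESSAGE = """From: clinic@example.org
To: a@example.com, b@example.net, c@example.co.uk
Subject: Appointment update

Hello
"""

GOOD_MESSAGE = """From: clinic@example.org
To: undisclosed-recipients:;
Bcc: a@example.com, b@example.net, c@example.co.uk
Subject: Appointment update

Hello
"""

# Assumed: domains we treat as internal, and how many external addresses may
# be visible to every recipient (1 = a normal one-to-one email).
INTERNAL_DOMAINS = {"example.org"}
MAX_VISIBLE_EXTERNAL = 1


def visible_external_recipients(msg: Message) -> list[str]:
    """Addresses in To/Cc (visible to all recipients) outside our domains."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    found = []
    for _name, addr in pairs:
        if "@" not in addr:
            continue  # group syntax such as "undisclosed-recipients:;" has no address
        domain = addr.rsplit("@", 1)[1].lower()
        if domain not in INTERNAL_DOMAINS:
            found.append(addr)
    return found


def check_outgoing(raw: str) -> tuple[bool, str]:
    """Block a message that would disclose many external recipients to each other."""
    ext = visible_external_recipients(message_from_string(raw))
    if len(ext) > MAX_VISIBLE_EXTERNAL:
        return False, f"{len(ext)} external addresses visible in To/Cc; move them to Bcc"
    return True, "ok"
```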
I mean, they did accidentally dox their clients which is in scope for GDPR enforcement, and they are the 2nd and 3rd lowest fines (likely due to a low level of intentionality and resources), with the only lower fine going to a HIV charity.
No, of course not. I'm just curious why such a large proportion (14%) of GDPR fines in the UK have been handed to trans-friendly organisations. Sure, in isolation, they are obviously justified. But why such a focus?
I don't think it's meaningful to talk about "a large proportion" with this few data points.
They're serious privacy violations because of the nature of the data that was exposed. We're also only talking about two organizations, both of which did have legitimate privacy violation incidents.
You're drawing conclusions based on statistically meaningless sample sizes.
Just open the file yourself https://docs.google.com/spreadsheets/d/1s2eNqf5xpVX8j6LfnL6r...