GDPR General Data Protection Regulation

2024: European Commission breaks data protection rules when using Microsoft 365

The European Data Protection Watchdog (EDPS) has determined that the European Commission violated data protection rules when using Microsoft 365 cloud software. This was announced on March 13, 2024 by the press service of the State Duma deputy RFAnton Nemkin. Read more here.

2022

Heavy fines for violating EU persdata law

The largest fines for violating the law on personal data in EU as of September 6, 2022,
Instagram and Facebook are recognized as extremist organizations and banned in Russia

Europol forced to destroy 4 PB of illegally collected personal data of EU citizens

The European Data Protection Supervisory Authority (EDPS) in January 2022 issued a decree to Europol on the need to delete the data of EU citizens, which, according to the regulator, are stored illegally. Read more here.

2021

Largest fines

By June 2021, 648 fines for more than €283 million were imposed for violation of GDPR since the launch of May 2018. The largest punishment was received by Google - €50 million, banks also received fines:

• Romanian Unicredit Bank SA was fined €130 thousand for disclosing personal data of the payer (place of residence, personal number) to recipients of money;
• Italian UniCredit bank received a fine of €600 thousand for providing a partner with data of 700 thousand customers;
• Romanian RaiffazenBank was fined €150 thousand for sending data to 1,177 customers on Whatsapp, later the fine was reduced to €15 thousand;
• Romanian Banca Transilvania received a fine of €100 thousand for disclosing "business" correspondence with a client on the Internet.

In Russia, an analogue of the European GDPR is the FZ-152 On Personal Data: for failure to comply with the requirements for information processing, as a result of which a leak occurred, a fine for physical. persons 4-10 thousand rubles, for companies - 25-50 thousand rubles.

Storage of European cloud users in the EU

Microsoft has pledged to store data from European users of cloud services in the EU. The company announced this on May 6, 2021. Read more here.

2020

The European Union allowed business to open access to impersonal personal data for the development of new services

At the end of November 2020, the European Union introduced new rules allowing companies to access impersonal public and personal data. This will allow European companies to compete with American and Asian tech giants and encourage innovation in areas such as climate and health protection.

Rules initiated by the European Commission will give businesses and research organisations access to data that is normally blocked due to privacy law, commercial privacy or intellectual property rights. The new rules will also make it easier to share data for nonprofit research.

EU allowed business to open access to impersonal personal data for the development of new services

At the same time, strict data protection rules called the General Data Protection Regulation or GDPR will continue to apply, so companies and government agencies will need to implement special technical solutions to ensure confidentiality. For example, personal data must be anonymized before companies can access it.

As the role of industrial data in our economy is constantly growing, Europe needs an open but sovereign single data market, said Internal Market Commissioner Thierry Breton, adding that the new regulation rules "will help Europe become a leader in the global data market.

Thus, the EU hopes to encourage enterprises to create new services and products, as well as help researchers in solving social problems. Under the new rules, companies will no longer have to have headquarters in Europe or store data in the region they receive, but they will have to appoint local representatives to participate in the program. Access to data by the authorities of third countries will also be strictly regulated.^[1]

Publication of a ban on European sites using the "cookie wall"

On May 7, 2020, it became known that The European the data protection European Data Protection Board (EDPB) published an updated guide regarding obtaining site permissions from users to process them. information Among other things, the management now prohibits sites from making access to them dependent on whether the user has given consent to process their own (data the so-called "cookie wall" or wall cookie).

According to European law, the presence of user permission is one of the six mandatory conditions for the processing of personal data. In accordance with the General Data Protection Regulation (GDPR), the permission must be understandable, specific, conscious and voluntary. However, site owners found a way to ask visitors for the coveted permission using the "cookie wall," and began to provide users with access to their resources only in exchange for permission to process their data.

The operator of such a "cookie wall" in Europe is the Internet Advertising Bureau Europe, which requests consent from site visitors to process data if they want to access content. However, the problem is that such "consent" is not voluntary as required by the GDPR, so the updated EDPB guidance has banned the use of a "cookie wall."

Actions such as scrolling or scrolling through a web page or similar actions by users cannot under any circumstances be considered satisfactory to the requirements of clear and affirmative actions, the updated guide says[2]

The total amount of fines reached 114 million euros

For the period of validity GDPR as of January 2020, the amount of fines reached 114 million euros. Recorded by regulators 160 thousand violations.

2019: Biggest multi-million fine for GDPR breach

As of November 7, 2019, the largest share of fines (by number) falls on, Hungary,, Spain Czech Republic Bulgaria,. The Romania UK accounts for about 2% of the total number of fines. The size of fines according to statistics is established in proportion to the violation - which complies with GDPR standards. The largest fines for the leakage of passport data, in the region health care , etc.

Biggest multi-million dollar fines for GDPR breach:

• British Airways
• Country: United Kingdom
• Penalty: 204 110 000 €
• Violated GDPR article: 32

In July, British Airways was fined £183m^[3] by the UK Information Commissioner's Office (ICO) for a data breach that occurred in September 2018. The attackers managed to steal the personal information of approximately 500,000 airline customers. This data contained names, bank card numbers and their CVV codes, as well as email addresses. Article 32 of the law requires companies to implement technical and organizational measures to ensure the security of information.

• Marriott International, Inc.
• Country: United Kingdom
• Penalty: 118 714 808 €
• Violated GDPR article: 32

At the end of November 2018, Marriott International became the main character^[4] at that time. The personal data of 339 million customers was stolen. Hackers have gained access to hotel data since 2014.

According to an investigation by the UK Commissioner for Information's Office, the stolen data contained details of about 30 million customers from 31 countries in the European Economic Area. The security vulnerability is believed to have been exploited since 2014, when Starwood Hotel Group was compromised and Marriott bought Starwood in 2016. Information Commissioner Elizabeth Denham explained: "The GDPR makes clear that organisations should be responsible for the personal data they hold. This also implies a thorough legal examination when making a corporate acquisition transaction. "

The fine imposed on Marriott International was £99,200,396.

• Google LLC
• Country: France
• Penalty: €50,000,000
• Violated GDPR articles: 5, 6, 13, 14

The National Commission for Information and Freedom CNIL (Commission Nationale de l'Informatique et des Libertés), which is a data protection agency in France, fined Google LLC €50 million in January^[5] for violating GDPR transparency rules and for lacking a valid legal framework for processing personal data for advertising purposes. According to CNIL, Google users did not receive sufficient information about the use of their data. Moreover, the consent obtained by Google is neither "specific" nor "unambiguous."

• Österreichische Post AG
• Country: Austria
• Penalty: €18,000,000
• Violated GDPR articles: 5, 6

In October, the Austrian postal company Österreichische Post AG received a fine of €18 million^[6] for creating profiles^[7] about three million people, which contained information about their addresses, personal preferences and political affiliation. These profiles were then sold to political parties and other companies. The violated GDPR articles mentioned above are related to obtaining a legal basis for data processing.

• 1&1 Telecom
• Country: Germany
• Penalty: €9,550,000
• Violated GDPR article: 32

In December, German federal commissioner for data protection and freedom of information (BfDI) fined telecommunications company 1 & 1 Telecom €9.5 million. The company was unable to implement the necessary technical and organizational measures to protect personal data in its call centers: it was found that it was quite easy to obtain information about customers, indicating their name and date of birth. According to BfDI, this level of authentication was not enough to properly protect client data.

2018

Key differences between GDPR and 152 FZ

WP29 replaced by European Data Protection Board (EDPB)

Since May 25, 2018, it WP29 replaced by the European Data Protection Board (EDPB) - also a pan-European supervisory authority. Clarifications began to appear. GDPR Resolves disputes. From May 2018 to September 2019, EDPB issued 74 fines, among them British Airways and Marriott. Individual EU regulators also issue various clarifications, but they are also members of the EDPB.

2016: Pan-European Regulation on Personal Data (GDPR) adopted

In May 2016, the EU adopted the Pan-European Regulation on Personal Data (General Data Protection Regulation,) GDPR - a replacement for Data Protection Directive (officially Directive 95/46/EC on the protection of individuals in relation to the processing of personal data and on the free movement of such data)). All organizations, regardless of their jurisdiction, must comply with the new rules if their activities are related to the processing of personal data of personal data subjects located in the EU (including citizens of the Russian Federation)^[8]

GDPR applies to all companies processing personal data of EU residents and citizens, regardless of the location of such a company. Personal data under GDPR is any information relating to an individual or data that may directly or indirectly identify that person. For example:

• Name, e-mail address, address of residence, phone number;
• Personal information (e.g. sexual orientation, race, political bias);
• Bank information;
• Computer IP address, cookie ID.

Under the new law, consumers will gain greater control over their data. Individuals (FLs) will receive the following rights:

• Right of access - to know what information about them is stored and how it is processed;
• Right to correction - make changes to personal data if they are inaccurate or incomplete;
• Right to be forgotten - delete your personal data without the need for a specific reason;
• The right to limited processing - to block or prohibit the processing of your personal data.
• Right to transfer data - save and reuse your personal data for your own purposes;
• The right of objection is to object to the use of personal data. For example, for marketing, scientific and historical research, etc.

GDPR applicability criteria

This applies GDPR to the processing of personal data in the context of the presence in the EU of their operator or processor, regardless of whether such processing is carried out in the EU or not (GDPR applies to all subsidiaries of Russian holdings located in the EU).

GDPR applies to the processing of personal data located in the EU of subjects, which is carried out by an operator or processor who does not have a presence in the EU (for example, Russian legal entities), where such processing activities relate to:

• offering goods or services to personal data subjects located in the EU both on a reimbursable and free of charge basis;
• tracking their actions, provided that they are carried out within the EU.

It should be noted that in the criteria there is no binding to the citizenship of the subject of personal data. Personal data (PD) of all subjects at the time of their stay inside the EU (including citizens of the Russian Federation) fall under GDPR protection.

Thus, the following types of Russian organizations can potentially fall under the GDPR:

• Subsidiaries of large Russian holdings (trading enterprises of exporting companies, subsidiary banks of large banking groups, etc.) located in the EU.

• Banking and telecommunications companies. Monitoring of bank card transactions, as well as analysis of calls from a PD subject (for example, as part of processes to prevent fraudulent activities) located in the EU falls under the criterion of "tracking actions."

• Companies providing services to consumers from the EU (online stores, hotels, carrier airlines, logistics services companies). The criteria for focusing on the EU market can be: the presence of a website in one of the official EU languages, the possibility of receiving payment for services in EU currency, as well as the explicit affiliation of the company's services with EU partners (for example, the presence on the website of a Russian online store of information about cooperation with local courier delivery services operating in the EU).

Failure to comply with the requirements of the new GDPR regulation may lead to the imposition by the supervisory authority in the field of personal data protection of a fine of up to 20 million euros or up to 4% of the company's annual turnover (whichever is more) - according to the results of an international study conducted by E&Y and IAPP (International Association of Privacy Professionals) in 2017.

The document begins to operate on May 25, 2018, but a number of Russian companies present in the EU have already begun to bring the processes of processing personal data in line with GDPR.

What will happen if Russian enterprises violate GDPR?

This regulation has an extraterritorial nature and is subject to any company that processes and stores personal data of residents and citizens of the European Union. If your company is covered by this law, are you ready for its entry into force? The likelihood that your company is not yet ready is quite high, because even in the European Union, almost 60% of companies said that they are not ready to implement the changes that are required under the new legislation on the protection of personal data. According to a recent study by Forrester, a huge number of businesses are working on their adaptation to the new regulation, but only 22% of them expect to bring their enterprise into compliance with GDPR requirements in 2018. However, this may turn out to be too late, because the entry on May 25, 2018 into force of this regulation was known two years ago^[9]

GDPR: What is it and why should you pay attention to it?

If your company processes the data of citizens and residents of the European Union, then you should take care of compliance with the requirements of the regulations. But why? Because no matter where your business is located, you must meet GDPR requirements. Obviously, many companies do not know what global coverage this regulation has, and its effect applies not only to companies from the European Union. In fact, 43% of IT professionals in the United States do not believe that GDPR will somehow affect the work of their enterprise.

GDPR provides individuals with advanced rights to control and access their personal data. In turn, companies have an additional responsibility to protect this data. Among the main innovations, we note the requirement to obtain the explicit and active consent of an individual for the processing, storage and use of his personal data (informing the user is no longer enough: he must provide his consent). There is also a requirement to notify the supervisory authorities of violations of the confidentiality and integrity of personal data within 72 hours from the moment the enterprise became aware of the incident. In addition, GDPR contains new rights such as:

• right to be forgotten - the user may demand that the enterprise delete its personal data under certain circumstances: if consent is revoked, if the reason why this personal data was previously transferred, etc. has ceased to exist.
• right to portability - users have the right to require an enterprise that stores its personal data to provide it with a copy of this data for transfer to another organization.

Despite GDPR requirements for companies to strengthen control of personal data, some companies strongly related to personal data issues (for example, in the field of communications or retail trade) are the least prepared for the entry into force of this regulation. According to Forrester, just 27% of companies said they were fully GDPR compliant, with many admitting they had only started implementing changes at their facilities as a result of "pressure from their customers."

Risks of non-compliance with GDPR requirements

Violation of GDPR requirements can have various consequences:

• Economic: These, the most discussed consequences are most of the concern of company representatives, since the authorities will be able to impose fines of up to 20 million euros, or 4% of the company's annual turnover. Obviously, the amount of fines will depend on many factors, such as the essence of the violation, its severity and duration (for example, how many people suffered from the violation and what damage was caused to them), whether these violations were caused by negligence or they were conscious, whether the enterprise has other cases of violation of the regulations, etc.

The most serious fines will be imposed on companies that do not comply with the basic principles of personal data processing and violate the rights of users or transfer personal data to third countries or international organizations that cannot ensure the proper level of their protection.

In addition to these administrative penalties, companies may also face additional financial consequences as a result of legal claims from individuals for damages resulting from the confidentiality and integrity of their personal data being violated.

• Reputational: Failure to comply with GDPR requirements can lead to public censure of such companies. The higher degree of transparency required under this regulation, and the requirement to notify the supervisory authorities of personal data violations, may draw even more attention to your company - there will be a negative opinion in society about your company, which is not able to protect their personal data. Lack of trust and negative public opinion can seriously affect your company's success - these consequences can be even more devastating than financial penalties.
• Commercial: Failure to show that your company complies with legal requirements can cause you to lose customers and run into problems entering into contracts with other companies. Customers do not want to put their personal data at risk if your competitor meets GDPR requirements and is able to protect their data. This can also affect the business activity of the enterprise: many companies may not want to be your partner and share their customer information with your company, which can put it at serious risk.

See also

• Regulation of personal data in the Russian Federation
• Personal Data Law No. 152-FZ
• Protection of personal data in Russia
• Protection of personal data in countries of the world

Notes