GDPR: Portuguese hospital fined €400k for bad access controls to patient data


Portugal has started issuing fines under the GDPR. The Portuguese data protection supervisory authority (Comissão Nacional de Proteção de Dados, CNPD) issued a €400k fine against a hospital for three infringements of the GDPR. This article is an opportunity to look at two things:

  • a look back at a few important decisions and rulings issued since 25 May 2018; and
  • the current situation of Swiss hospitals from a privacy perspective.

_____________________

BAD MANAGEMENT OF ACCESS CONTROLS TO PATIENT DATABASE

According to the press, the “Hospitalar Barreiro-Montijo” in Portugal received a €400,000 fine from the Portuguese supervisory authority for three different violations of the EU General Data Protection Regulation:

  1. Infringement of the integrity and confidentiality of the data: €150,000;
  2. Infringement of access limitation (access rights management): €150,000; and
  3. Failure by the hospital (data controller) to ensure the integrity of the data: €100,000.

After an investigation, the CNPD found that hospital staff, including psychologists, dietitians and other professionals, had access to patient data through false profiles. Some of those profiles belonged to members of the hospital's administrative staff, even though they were of a type normally reserved for physicians. In the news, we can read that

while 985 doctors had clearance for accessing patient files although the hospital only hired 296 doctors, non-healthcare professionals could also access patient data.

This case started after an association of doctors reported the facts to the CNPD in June 2018. The decision from the CNPD has not been made public yet, and references can be found in this local article and here (in Portuguese).

As detailed in my last article on GDPR readiness in EU countries, Portugal has not yet adopted its national law implementing the GDPR. However, the fine was calculated and assessed pursuant to Regulation (EU) 2016/679, which is directly applicable and enforceable. The hospital has contested the decision.
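The failure described above is an access-rights reconciliation problem: the number of accounts holding a physician profile far exceeded the number of physicians employed, and non-clinical staff held clinical profiles. The following script is an added example (not code from the original article, the hospital, or the CNPD) of the periodic check a hospital's IT or security team could run to catch this. It assumes two constructed exports, an HR roster mapping employee ids to job roles and a list of application accounts with the profile each one was granted, and a hypothetical role-to-profile policy table; all names and data are constructed for illustration.

```python
"""
Access-rights reconciliation for a clinical records system (added example).

Inputs (both constructed for this example):
  - an HR roster: employee id -> job role
  - an account export: application accounts with the profile they were granted
Output: accounts whose profile is not justified by the holder's HR role, plus a
headcount comparison of the kind that exposed 985 physician profiles for 296
physicians in the case discussed in the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Profiles that grant access to patient clinical records (assumption).
PATIENT_RECORD_PROFILES = {"physician", "nurse", "psychologist", "dietitian"}

# Hypothetical policy: which HR role may legitimately hold which profile.
ALLOWED_PROFILE_FOR_ROLE = {
    "physician": {"physician"},
    "nurse": {"nurse"},
    "psychologist": {"psychologist"},
    "dietitian": {"dietitian"},
    "administrative": set(),  # administrative staff need no clinical profile
}


@dataclass(frozen=True)
class Account:
    account_id: str
    employee_id: Optional[str]  # None when the account is linked to nobody in HR
    profile: str


def reconcile(accounts: List[Account], roster: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag accounts whose granted profile is not justified by the holder's HR role."""
    findings = {
        "orphan": [],                            # holder unknown to HR: likely a false profile
        "role_mismatch": [],                     # profile not allowed for the holder's role
        "non_clinical_with_record_access": [],   # e.g. admin staff with a physician profile
    }
    for acc in accounts:
        role = roster.get(acc.employee_id) if acc.employee_id else None
        if role is None:
            findings["orphan"].append(acc.account_id)
            continue
        if acc.profile not in ALLOWED_PROFILE_FOR_ROLE.get(role, set()):
            findings["role_mismatch"].append(acc.account_id)
            if role == "administrative" and acc.profile in PATIENT_RECORD_PROFILES:
                findings["non_clinical_with_record_access"].append(acc.account_id)
    return findings


def profile_vs_headcount(accounts: List[Account], roster: Dict[str, str], profile: str):
    """Return (accounts holding `profile`, employees whose HR role is `profile`)."""
    granted = sum(1 for a in accounts if a.profile == profile)
    employed = sum(1 for role in roster.values() if role == profile)
    return granted, employed


# Constructed sample data: 3 physicians, 1 nurse and 2 administrative employees on
# the payroll, but 7 accounts carrying a physician profile.
SAMPLE_ROSTER = {
    "P1": "physician", "P2": "physician", "P3": "physician",
    "N1": "nurse",
    "A1": "administrative", "A2": "administrative",
}
SAMPLE_ACCOUNTS = [
    Account("a1", "P1", "physician"),
    Account("a2", "P2", "physician"),
    Account("a3", "P3", "physician"),
    Account("a4", "N1", "nurse"),
    Account("a5", "A1", "physician"),   # admin staff with a physician profile
    Account("a6", "A2", "physician"),   # admin staff with a physician profile
    Account("a7", None, "physician"),   # account linked to no employee at all
    Account("a8", "X9", "physician"),   # linked to an id HR does not know
]

if __name__ == "__main__":
    report = reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER)
    for category, ids in report.items():
        print(f"{category}: {ids}")
    granted, employed = profile_vs_headcount(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, "physician")
    print(f"physician profiles granted: {granted}, physicians employed: {employed}")
```

The headcount comparison is the cheapest signal: any profile granted to more accounts than there are people entitled to it needs explanation, before looking at individual accounts. The per-account findings then feed an access review, where orphan accounts are disabled and mismatched profiles are withdrawn, and the same script can be scheduled so that the numbers are checked after every staff change rather than only when a complaint is filed.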

_____________________

REMINDER: NOT EVERY DECISION ISSUED AFTER 25 MAY 2018 IS ANALYZED UNDER THE GDPR

After 25 May 2018, we have already seen a few important decisions from supervisory authorities and courts. The vast majority of them relate to facts that occurred before Regulation (EU) 2016/679 (GDPR) became enforceable.

As a reminder, the GDPR applies worldwide, but only as of 25 May 2018. It applies to the processing of personal data by controllers and processors (private and public), wherever they are located, to the extent it relates to individuals located within the EU. Citizenship is not relevant to assess the extraterritorial reach of this EU privacy law. The principle of non-retroactivity of the law applies, and facts older than 25 May 2018 trigger the local data protection legislation for any investigation. The well-known maximum fines (2% or €10M, 4% or €20M) therefore do not apply to such facts. In Europe, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data set the framework for data protection, which the 28 EU countries implemented in their local laws.

Beware: many articles on the Internet state that fines were imposed in 2018 under the GDPR, which is often not accurate. Check the date of the underlying facts.

_____________________


TWO IMPORTANT DECISIONS AFTER 25 MAY 2018, BUT NOT PURSUANT TO THE GDPR

Two important decisions are worth noting in the context of the previous legal regime (Directive 95/46/EC), even though they were issued after the GDPR became applicable:

The Equifax case

2017 was a bad year with 23 cyberattacks reported. But it became worse with the Equifax scandal.

In September 2017, the Equifax scandal became public: cybercriminals had stolen credit card data held by Equifax Inc. While the cyberattack happened in the USA, the case affected over 145 million customers' credit card data, including around 15 million citizens in the UK. The UK Information Commissioner's Office (ICO) imposed the maximum fine of £500,000 on Equifax Ltd for breach of the UK data protection legislation. While the ICO issued this decision in September 2018, the facts dated back to 2017. Worse, Equifax knew about the hack more than a month before reporting it.

In this case, Equifax failed to implement and maintain appropriate organizational and technical measures to prevent unauthorized access to the data (the equivalent of article 32 of the GDPR). The ICO considered the infringement particularly serious because of the sensitive nature of credit card data and the number of individuals affected. In this decision, the ICO also considered that the retention period of the credit card data was too long.

Under the GDPR, failing to comply with article 32 (appropriate technical and organizational measures, ATOM) may lead to a fine of up to 2% according to article 83 §4 (a) GDPR. The same applies to non-compliance with the privacy by design obligation, which includes the obligation to keep the data only for as long as necessary for the purpose of the processing (art. 25 and 83 §4 (a)). Therefore, to the extent the ICO's sanction would have been assessed under the same criteria as under the GDPR, the fine could have been around £20.87 million instead of £500,000.

Cambridge Analytica case

On 24 October 2018, Facebook Ireland Ltd received the highest possible fine under UK privacy law from the British Information Commissioner's Office. This decision, although taken in October 2018, related to facts prior to 25 May 2018.

In this decision, Facebook was fined £500,000 for failing to ensure the security of its users’ data. In this scandal, Cambridge Analytica misled Facebook users by collecting survey data to analyze user behavior and influence their voting intentions, which may have been used for the US elections during the Donald Trump campaign. It is also likely that such methods have been used in previous campaigns in the United States, such as the election of Barack Obama.

Facebook had failed to protect its users by not putting in place appropriate security measures. Cambridge Analytica, through its surveys, had been able to obtain access not only to the profiles of the people taking the survey, but also to the profiles of their "Facebook friends", although those people did not know this and could neither be informed of it nor consent to it.

If the sanction had been imposed under the GDPR, and provided the same assessment criteria had been used, the maximum fine of 4% would have been of a different magnitude. Indeed, if we take the Facebook group's net annual turnover in 2017 (2018 not yet known), i.e. excluding taxes, and apply the EUR/GBP exchange rate of 31 December 2017, the fine could have amounted to some £471.64 million. This would represent an increase of +943% over the fine imposed by the ICO in the United Kingdom.

* * *

Uber data breach in 2016

One last case for those who still doubt that supervisory authorities will fine companies for data protection breaches, or who doubt that data protection matters, if only for keeping a good reputation.

A press release dated 27 November 2018 from the Dutch supervisory authority showed that Uber was fined €600k for breach of the Dutch data protection legislation after the well-known cyber attack: Uber failed to report the breach within the 72-hour deadline. The data breach affected 57 million Uber users worldwide, including 174,000 Dutch citizens. The data included names, e-mail addresses and telephone numbers of customers and drivers.

Not only did Uber fail to report the breach, it also paid off the hackers to hide the massive data breach for a year. According to CNBC and the NY Times, Uber agreed to pay $158 million to settle claims related to the data breach in the United States of America, and was also fined £385,000 in the UK.

Finally, it is worth noting that while one authority may issue a fine in one country, each supervisory authority may be competent to issue a separate fine for the jurisdiction in which data subjects were affected by the data breach. This may become a nightmare for companies, which will have to deal with proceedings and appeals in potentially all 28 (27?) EU countries.

_____________________

WHAT IS THE FIRST DECISION UNDER THE GDPR?

On 29 May 2018, an important German decision pitted ICANN against EPAG. This case was about "Whois data", i.e. the personal data of domain name holders, which is collected and made publicly available. The company "Registrar EPAG Domainservices GmbH", a German registrar accredited by ICANN for domain name registrations, was in dispute with ICANN. The question was whether the contact data published online by the registrar when registering domain names (Admin-C and Technical-C) had to be collected at all.

Analyzing the situation under art. 5 (1) letter c) of the GDPR (data minimisation), the German court considered that it was not mandatory to collect that data. Therefore, EPAG had no obligation to collect it, and no one could force EPAG to do so.

The consequence of this decision is quite significant. For years, many online providers have asked clients to pay in order not to appear as the owner of a website (so-called "whois guard" services) and remain anonymous. Now that there is no obligation to collect this data, such paid services are no longer necessary, making them obsolete or even illegal. We now see agencies offering "free" anonymisation of the site owner's contact data to their customers. Some agencies even use this as a marketing argument, while there is no legal obligation to publish that data at all.

WHAT ABOUT SWISS HOSPITALS?

The vast majority of – if not all – Swiss public hospitals and private clinics are not subject to the GDPR.

Why?

The reason is that those healthcare institutions generally have no establishment or other presence in the EU. In addition, they usually do not offer goods or services to patients located in the EU, nor do they monitor the behaviour of data subjects in the EU, as far as that behaviour takes place in the EU.

There is still a need to remain cautious. The fact that GDPR fines cannot reach Swiss hospitals does not mean that the risks are low. On the contrary.

As I noted in my article on the cyber attack and theft of the data of 800,000 Swisscom customers, the absence of serious data protection legislation (with sanctions that have a preventive and dissuasive effect) does not encourage data controllers to protect the data of Swiss citizens and patients. Many recent cases have shown that hospitals have become a prime target for cyber attacks, particularly because health data is highly sensitive and therefore valuable, and because adequate security measures are expensive and time-consuming to implement.

These reports show that medical data gives access to a wide range of information usable for various fraudulent purposes:

  • American Hospital Association document on hospital attacks;
  • Anthem: a record-setting data theft involving more than 80 million patients and employees.

Ransomware has become commonplace, and human error is the biggest cause of security breaches. In an environment with so many transitions, staff changes, round-the-clock activity and access to patient and confidential data, strict control over access and constant training of employees at all hierarchical levels are required. It is not surprising that many hospitals are subject to investigations and sanctions by data protection authorities.

________

WHAT ABOUT SWISS PRIVACY?

The draft revision of the Swiss Data Protection Act (DPA) is still pending in the federal Parliament. The law will sooner or later be finalized and will enter into force broadly aligned with the GDPR.

As for fines, the draft bill still does not follow the GDPR's sanction regime: there is no plan to give the Commissioner the power to impose administrative fines. Fines may instead be imposed through criminal proceedings, where an individual may be held liable rather than the company. Compared with the current fines for violation of the Swiss DPA, which are ridiculously low, criminal fines will still be higher than today, with a maximum of CHF 250k.

In addition, incidents will have to be reported (which is not the case today), DPIAs (data protection impact assessments) will become compulsory for high-risk processing, in certain cases the controller will have to record and document the processing, consent requirements will become stricter, and so on.

With this in mind, and given the upcoming changes in the Swiss privacy framework, which will probably not come into force before 2021, it remains essential for Swiss healthcare professionals and institutions, as well as any Swiss company, to prepare for the revision of the Swiss DPA. Swiss companies are strongly advised to learn from what is happening under the European framework (GDPR) and to prepare for the years to come.

By Gabriel Avigdor | NTIC.ch

If you are looking for legal advice relating to privacy whether related to the GDPR or the current or upcoming Swiss DPA, we offer services to support you towards compliance. You can contact me directly or visit our new online platform datalex.ch for more information.