It’s that time of the year again when Krampus puts his satchel on, readies his gold and silver birch twigs and his whip, and gets ready to travel the world to punish all the naughty children.
In the spirit of Krampus and Krampusnacht, we thought we’d take a quick look at some of the recent regulatory actions taken by EU Data Protection Regulators in the past few months. The cases highlight the importance of things like good Data Governance, Supplier Management, Data Quality, Consent management, and transparency of processing. They also highlight the importance of common sense approaches to data and data protection.
Vodafone Krampus’d for €12.25 million
Vodafone Italy was fined €12.25 million for aggressive direct marketing carried out in a manner that breached a number of fundamental legal requirements:
- Their agents used fake outbound calling numbers, or numbers that were not registered with the Registry of Communications Operators.
- They used data obtained from other list providers for outbound calling without having appropriate consents in place.
- They had inappropriate or non-existent security controls in place over customer data, including the use of WhatsApp and similar platforms to obtain copies of customer information.
The overall situation speaks to a failure on the part of Vodafone to properly manage their contracted outbound marketing functions. No controls were in place to ensure the lineage of data used for outbound marketing. In addition, another bugbear of Castlebridge’s reared its head: the inappropriate use of social messaging applications to process customer data, particularly where those apps can result in customer data being stored on a user’s device. If a BYOD culture is added into the mix, a huge security risk is created.
This isn’t as big a fine as the one Telecom Italia received earlier in the year, a case which highlighted a range of issues from failure to apply consents to excessive data retention and ‘bundling’ of consent.
Poor Data Quality results in Krampus visit for Telefonica Mobile in Spain
In a scenario all too familiar to those of us who have worked in the telecommunications sector, Telefonica Mobile in Spain were fined €75,000 for linking accounts to the wrong person and then sending bills to them in error. This is very similar to the UK case of Ferguson v British Gas from 2009, which I’ve written about here.
In the Telefonica case, they failed to rectify an error or inaccuracy in data when it was brought to their attention. In Ferguson v British Gas a similar error continued to propagate after a customer left British Gas to go to another supplier. Of course, the cases highlight the need to have effective systems and processes to find, respond to, and rectify data quality problems. It is often the case, however, that a fix in a downstream system gets overwritten by wrong data coming back through the organisation’s data systems (this is what appears to have happened in the British Gas case).
Defective data supply chains are worth €75,000 per person now in Spain (and elsewhere). It’s worth remembering that research from UCC and the IMI has found that less than 3% of organisations have data that meets basic data quality standards.
Krampus likes Spain… XFERA Moviles fined €70,000 for sending customer bills to the wrong person
Another telco operator sent bills to the wrong person and was fined €70k by the Spanish authorities. Again, this could be a simple case of poor data matching or a botched single-view-of-customer implementation. It does highlight the need for good Data Quality processes in organisations that can quickly respond to issues like this.
Bergen Local Authority fined for security weaknesses in app used for communication by schools
Over the past year, many of us have found our schools embracing and using technologies to improve communication with parents and, during lockdowns, to try and help with the delivery of home-schooling. But Data Krampus came calling on the Municipality of Bergen in Norway arising from security failings in the application they were using, which exposed data of children to third parties.
The fine that was levied was €276,000. This highlights the importance of DPIAs for organisations in the context of new technologies or new ways of working.
Belgian Local Authority reprimanded for linking information of people beyond what was necessary for purpose
Data Krampus visited a Belgian local authority who had, as part of their investigation of an illegal littering case, matched data from other sources to infer a family relationship between the litterer and two other people. This raised issues of whether there was a lawful basis for the processing (there wasn’t) and the simple fact that the inferred link could be inaccurate.
The real issue here is a local authority deciding to do something with personal data as part of an enforcement function and failing to ensure that they had appropriate safeguards in place to ensure that the processing was lawful. This echoes the DPC’s findings in their investigation of Wexford County Council for failure to conduct a DPIA in respect of the use of drone-mounted cameras.
The key takeaways from all of this are that the issues leading to fines and enforcement actions in domestic cases by EU regulators are generally mundane but often occur at scale. However, even individual cases can have multi-thousand euro penalties associated with them.
Of course, it is easy for a Supervisory Authority to levy penalties that grab headlines. Real effectiveness comes with the penalties actually being collected and with the Regulator not having to walk back the penalty when faced with an appeal or when having to have their penalties approved by a Court. The challenge for Regulators is to set penalties at a level where they will be paid, where the risk of appeal is low (for the Regulator), and where the level of the penalty focuses attention on the issues.
After all, under GDPR fines are supposed to be meaningful, effective, and dissuasive. That is a challenging balance to set.
But the trend is clear: Data Krampus is stalking the land and there will be penalties and sanctions levied by Regulators for breaches of GDPR. It can just take time for the wheels of administrative process to turn.