The German Data Protection Authority in the state of Baden-Württemberg (DPA) imposed the first fine under the GDPR in Germany. The fine of EUR 20,000 was imposed on a chat platform provider for storing its users' passwords without encrypting them. The unencrypted storage of passwords was revealed by the provider itself when it submitted a breach notification to the DPA following a hacker attack.
It began with a security breach
The chat platform provider “knuddels.de” was hacked in July 2018. Personal data (including passwords and email addresses) of approximately 330,000 users were stolen and then made publicly available by the hacker(s) in early September 2018.
The chat platform provider informed its users about the hack and notified the DPA on 8 September 2018. As part of the notification to the DPA, the provider disclosed information revealing, inter alia, that it had stored its users' passwords in plain text (i.e., the data were neither encrypted nor hashed). The DPA considered this way of storing passwords to constitute an intentional violation of Art. 32(1)(a) GDPR, which requires, "inter alia as appropriate", the pseudonymisation and encryption of personal data, and imposed a fine under Art. 83(4)(a) GDPR.
The DPA's considerations in deciding on the amount of the fine
The DPA considered the following aspects when determining the actual amount of the fine imposed pursuant to Art. 83(4)(a) GDPR, which provides for a range of fines up to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(i) the provider was fully transparent and cooperated fully with the DPA
(ii) the provider implemented both the legal requirements and the recommendations of the DPA and promptly increased the protection levels for personal data
(iii) the overall financial impact of the security breach (including the fine) on the provider (a six-digit figure in Euros)
(iv) the provider's willingness to further cooperate with the DPA as regards additional measures.
The DPA emphasized that fines imposed under the GDPR should not only be effective and dissuasive, but also proportionate. The DPA did not want to create the impression that it wished to compete with other DPAs for imposing the highest possible fines.
What about the privilege against self-incrimination?
In its press release, the DPA did not further explain to what extent it considered Section 43(4) German Federal Data Protection Act ("FDPA") when it decided to impose a fine. Section 43(4) FDPA provides that a notification pursuant to Arts 33 or 34(1) GDPR must not be used in administrative proceedings to impose a fine against the controller, unless the controller consented thereto.
It can only be speculated that the chat platform provider may have provided information to the DPA beyond the requirements of Arts 33 and 34 GDPR and that this information was then used by the DPA to justify and impose the fine. Given the DPA's right under Art. 58(1)(a) GDPR to request any information from a controller, and to request access to all personal data and all information necessary for the performance of the DPA's tasks, it is impossible for a controller to limit the information it shares following a security breach to the items listed in Arts 33 and 34(1) GDPR. If the German DPAs take the very restrictive view that only the items listed in Arts 33 and 34(1) GDPR are excluded from consideration in a fine proceeding pursuant to Section 43(4) FDPA, the protection afforded by Section 43(4) FDPA will, in practice, be of minimal, if any, value to companies.
Contributors: Michael Schmidl, Holger Lutz and Hendrik Seidel