
Google Hit with Biggest Ever GDPR Fine

France's National Data Protection Commission (CNIL) recently announced the largest GDPR fine to date, issued to Google for multiple GDPR violations. The fine? A whopping 50 million euros (about $57 million).

Two Types of GDPR Violations

First, CNIL found that Google provided information to users in a non-transparent way: “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” the regulator wrote.

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

Confirming Customer Sentiment

The CNIL’s findings echo what many users have felt when dealing with the privacy settings of large online companies such as Google and Facebook: while it may be possible to opt out of various ads personalization and data processing schemes, the process and settings are too convoluted for many users to understand.

German DPA Hands Out Fines for Data Transfers

The reality in the wake of the Safe Harbor decision is hitting several companies that transfer data out of Germany.

The quick recap: the Schrems judgement invalidated the Safe Harbor framework. All data transfers between the EU and the U.S. that rely on Safe Harbor as their legal basis are now unlawful.

The Data Protection Authority in Hamburg, Germany gave companies a short window to move their data transfers onto a lawful basis, such as standard contractual clauses or binding corporate rules.

After that window closed, the Hamburg DPA started reviewing the data transfers of 35 companies. The good news is that most companies appear to have changed the legal basis of their data transfers. A few, however, failed to make the change in time.

The Hamburg DPA announced that it fined three companies for unlawful data transfers from Germany to the U.S.:

  • Adobe – €8,000
  • Punica – €9,000
  • Unilever – €11,000

All three companies switched over to standard contractual clauses during the reviews, which is why the fines fell far below the maximum penalty of €300,000. Additional investigations are ongoing, and the Hamburg DPA noted that future penalties for unlawful data transfers could be heavier.

While these are the first fines handed out to companies that had not moved away from Safe Harbor, they surely won’t be the last. Other DPAs are expected to conduct their own investigations and enforce the legality of data transfers outside the EU.

Lessons Learned from HIPAA Settlement

The Department of Health and Human Services’ Office for Civil Rights (OCR) reports it has entered into a resolution agreement with St. Elizabeth’s Medical Center for violations of the Health Insurance Portability and Accountability Act (HIPAA). St. Elizabeth’s has agreed to pay $218,000 and to adopt a corrective action plan addressing the deficiencies in its HIPAA compliance program. The agreement follows an investigation of two security incidents.

The first incident involved staff members using an Internet-based document sharing site to share documents containing the electronic protected health information (ePHI) of about 500 individuals, without first analyzing the security risks of doing so. The investigation further revealed that St. Elizabeth’s failed to adequately respond to the known security incident, mitigate its harmful effects, and document the incident.

The second incident involved the theft of a staff member’s personal laptop and USB flash drive containing unsecured (unencrypted) ePHI, which the medical center reported to the OCR. About 600 individuals were affected.

“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” said OCR Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The corrective action plan agreed upon calls for the medical center to:

  • Conduct a “self-assessment” of workforce members’ familiarity and compliance with the hospital’s policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.

Lessons Learned

The OCR learned of the first incident through a complaint from staff members. Organizations should consider whether employees know how to report HIPAA issues or security incidents to the privacy and security officers. Internal reporting gives the organization the opportunity to assess the incident and take any necessary actions to remediate it before it becomes a regulatory matter.

The settlement underscores the importance of having a strategy in place for using the cloud. That strategy should include policies, training, and technical safeguards that keep ePHI secure and out of unauthorized services and locations.

Another issue that continues to come up is unencrypted PHI on personal devices. The solution is clear: PHI should not be stored on a personal device unless it is necessary, and when it is necessary, it must be kept encrypted.