On the 18th of February, the Information and Data Protection Commissioner (“IDPC”) imposed a €5,000 fine on the Lands Authority after having investigated a major data breach in November 2018.
As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple Google search. The majority of the leaked data consisted of highly sensitive information and correspondence between individuals and the Authority itself.
Administrative Fines for Public Authorities/Bodies
The GDPR expressly states that “each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State”. For this reason, the levels of administrative fines imposed on public authorities and bodies vary throughout the EU.
In Belgium, public authorities are not liable to administrative fines except when such authority or body is offering goods or services to the market. On the other hand, in Ireland, a public authority or body can be fined up to a maximum of €1,000,000 for breaching the provisions of the GDPR.
In Malta, in the case of a breach by a public authority or body, the IDPC may impose an administrative fine of up to €25,000 for each violation and may additionally impose a daily fine of €25 for each day such violation persists. The law also allows such a fine to be doubled in the event of more serious cases, i.e. a €50,000 fine for each violation and a daily payment of €50 for each day such violation persists. The fines imposed depend on the provisions of the law which have been breached by the authority.
The Lands Authority chose not to appeal the fine of €5,000 imposed by the IDPC, despite having the right to do so. As a risk mitigation measure, the Authority is currently carrying out penetration testing on its website and has migrated its data to servers owned and managed by the Malta Information Technology Agency.
Administrative Fines for Private Entities
It is clear that the GDPR was intended for multinational private entities which process large amounts of personal data, such as Facebook and Google. For this reason, private entities that do not adhere to the GDPR become liable to much higher fines than public authorities and bodies.
Merely processing data without the instructions of the Data Controller, or processing the personal data of a child without the necessary parental consent, can attract a fine of up to 2% of total global annual turnover or €10m (whichever is the higher). More serious breaches lead to more serious fines: unlawfully processing someone’s personal data, or denying a data subject their right to erasure of personal data, can lead to a fine equivalent to 4% of the annual global turnover of said organisation, or €20 million, whichever is greater. Hence, adherence to the GDPR through self-regulation is key.