Blog
German DPA Issues Data Breach Fine
December 13, 2018
On November 21, 2018, the German Data Protection Authority (DPA) of the German state of Baden-Württemberg (LfDI) handed down its first fine for a breach of the European Union’s General Data Protection Regulation (GDPR). The fine of €20,000 was leveled against German online chat company Knuddels for a data breach of up to 1.8 million users, nearly half of the company’s users, that involved email addresses, passwords, nicknames, and physical addresses.
In its enforcement action, the LfDI alleged that account passwords were stored in plain text on the company’s system, allowing bad actors to obtain and publicly post email-password combinations, in violation of Article 32 of the GDPR. That article states “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate...the pseudonymisation and encryption of personal data.”
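The storage defect the LfDI cited, placed beside the hardened design Article 32 expects, as an added illustration that is not part of the original post and not Knuddels’ code. The account data, the scrypt parameters and the helper names are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# --- Plaintext storage: the design the LfDI cited (constructed illustration) ---
def store_plaintext(store: dict, email: str, password: str) -> None:
    store[email] = password          # a dump of `store` is a ready-made email/password list

def check_plaintext(store: dict, email: str, password: str) -> bool:
    return store.get(email) == password

# --- Hashed storage: per-user random salt + memory-hard KDF (scrypt, standard library) ---
# Parameters are an assumption for illustration; tune them to your hardware and risk level.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)

def store_hashed(store: dict, email: str, password: str) -> None:
    salt = os.urandom(16)
    store[email] = {"salt": salt.hex(), "hash": _derive(password, salt).hex()}

def check_hashed(store: dict, email: str, password: str) -> bool:
    rec = store.get(email)
    if rec is None:
        return False                  # unknown account: same outcome as a wrong password
    candidate = _derive(password, bytes.fromhex(rec["salt"]))
    return hmac.compare_digest(candidate.hex(), rec["hash"])  # constant-time comparison

def dump_exposes_password(store: dict, email: str, password: str) -> bool:
    """Does a raw dump of the store reveal this user's password? True only for the plaintext design."""
    return password in repr(store.get(email))

if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "user@example.com", "correct horse")   # constructed sample account
    store_hashed(hashed, "user@example.com", "correct horse")
    print("plaintext dump exposes password:", dump_exposes_password(plain, "user@example.com", "correct horse"))
    print("hashed dump exposes password:", dump_exposes_password(hashed, "user@example.com", "correct horse"))
    print("hashed login with right password:", check_hashed(hashed, "user@example.com", "correct horse"))
```

With the hashed store, a leaked database yields only salts and digests, so each password still has to be guessed individually at the cost of the KDF.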
While the GDPR allows for extraordinarily high fines (up to 4% of an organization’s annual turnover or €20,000,000, whichever is higher), Knuddels received a relatively low €20,000 fine, which the German DPA said was the result of Knuddels’ quick and transparent response to the breach, including its cooperation with the LfDI following the breach. The LfDI emphasized that, in bringing the enforcement action, it was focused on improving data protection and security rather than on imposing the highest possible fines.
Tip: This incident demonstrates the importance of swift investigation and reporting of data breaches to the appropriate data protection authority; such transparent cooperation can mitigate the consequences.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.