The weird thing about this case is that it was completely informal data collection, about employees by their mid-level managers. Doesn't even look like upper management was involved.
Very different from the usual concerns about large-scale, organized collection of data about end users.
There is nothing weird about this. If you are not allowed to collect/archive certain data, you are not allowed to do so. This is not limited to customers. And that is good.
I think that's actually excellent. It shows that any kind of data collection is subject to the GDPR. This is something I've been warning companies about for a while now; they believe - quite erroneously - that as long as the system isn't automated they are free and clear, but the GDPR doesn't say anything about automation. So even if it is informal and even if you use stone tablets you are still subject to the law.
Well, strictly speaking, automation is a key factor.
If it's automated, it's always GDPR.
If it's not automated, it's GDPR under the condition that the data is part of a filing system.
So if you order your stone tablets alphabetically by their title, it's GDPR, but jumble a sufficiently large pile of stone tablets and you're in the clear.
In practice, this means that if you have a warehouse full of unordered boxes full of unordered forms, then somebody exercising their right to be forgotten cannot force you to go through every single box to see if there is data in there.
Conversely and frustratingly, if you have one gigantic folder of digital media, then you are technically required to actually go through that data, although I've heard of cases argued with authorities where this can be forgone in cases where it would be extremely uneconomical.
I'm still anxiously waiting for the first big decision on e-mail, for example. In large-scale corporate environments, good luck identifying every email containing personal data of a particular person, should that person ever exercise their right to be forgotten.
(Edit: no idea why you got downvoted, you raise an important point)
That organizational aspect is actually not all that clear cut and I would hold off on making strong statements about what counts as a filing system. A stack of paper might qualify, ordered or not, for instance when it pertains to similar data gathered on others; something that can be searched automatically would definitely qualify, and so on.
Finding out where that line is is probably going to be an interesting academic exercise which will result in lots of fines that could have been avoided easily: if you don't have a right to process certain data in an automated way, pretend you don't have that right at all to stay safe.
After all, once the data is sufficiently disorganized to be searched efficiently it is also sufficiently disorganized to keep it secure and a data leak of disorganized data would be just as big an issue as gathering the data itself.
I agree; what counts as a filing system remains to be seen. Hence why I used a "sufficiently large" pile of stone tablets, to put it beyond doubt that it's not organized regardless of how strict or relaxed the interpretation.
I don't recall the source at the moment, but one convincing argument I've heard was that an amount of disorganized data that you can organize given a few hours time would probably be treated as equivalent to organized data in the eyes of the authorities, otherwise you'd have a trivial loophole.
There is that and there are multiple cases where a single individual affected by a transgression already led to fines as well as the fairly low count that is used to determine if a transgression is a significant one (10!).
> The weird thing about this case is that it was completely informal data collection, about employees by their mid-level managers.
The article says that "H&M collected information on illnesses [...]".
Data concerning health is among the Article 9 special categories of personal data [1], the processing of which is generally prohibited, with only a few exceptions. I'm all but certain that a mid-level manager collecting this data does not fall under any of the exceptions.
You are most certainly right. But I think parent's point was that informal data gathering at mid-manager level is a difficult thing to protect yourself from, as a large corporation. Any clueless manager can open an Excel file and type in personal information about their reports. Training and policies can help, but not completely prevent. When you build larger software systems you can have audit processes in place etc. But the informal level is tricky.
In the eyes of regulators, you're expected to clue in the clueless.
Training people in basic IT security is difficult, too, but it's still done. Of course the results aren't going to be perfect, but at least most people will then understand that writing down a password on a post-it under a keyboard is a no-no.
In this case they seem to have collected 60 GB of data shared among 50 managers. It's interesting that no one raised an issue. It only became known after the network share was made visible to more people by mistake.
That clearly rises well above the level of “someone entered personal data into a spreadsheet”. At that level it is absolutely a negligent failure of the company to A. train and educate its managers, and B. audit operations to shut down activities like this.
Well, the problem is that to be consistent (and safe), you'd have to do a similar training for every possible offense. GDPR is top-of-mind for HN readers, but any large company is likely constantly violating at least dozens, if not hundreds or thousands of regulations. Ask any corporate lawyer how you could avoid violating any regulation or law, and they will just give you a blank stare, or tell you it's impossible.
Very few laws have as many teeth in them for corporations as the GDPR does, it was designed with that particular aspect in mind. The EU bureaucrats have a personal stake in the outcome so that definitely helped to focus them.
I suppose you're right that companies should weigh their efforts in favor of complying with laws that bureaucrats are personally invested in. That said, I see this as a rather sad state of affairs.
It's pretty much as open-and-shut a case of a clear violation of having consent and a right to process that data as you could come up with. They got off light in my view, but then again, it is a first-time offense so maybe not all that light.
And the first of these exceptions is employment. That's quite reasonable because an employer keeps track of employees' absence for health reasons and will come to know some details in case of serious health problems/long absences.
In this case they collected data after sick leaves, but (a) it seems they collected quite a bit of information regarding private life, perhaps more than could be deemed reasonable and (b) the data leaked because they did not secure it properly.
This sort of file on employees used to be very common. Regulations have made them 'tricky', especially if managed "as it's always been done" without expert, up-to-date input on what's allowed and acceptable, and how to keep it secure, which seems to have happened at H&M... So definitely a failure of the company management, and I'm sure that all managers have been put through compulsory training since with a very clear message that ignoring it means instant dismissal.
> an employer keeps track of employees' absence for health reasons
That works differently in Europe. Employee health is a personal matter, and the employer does not get automatic access to that information. The employer can get a dedicated physician (affiliated but not employed by your employer) to assess your illness and guide you back to work, but even then the physician's records are off-limits to the employer.
Speaking only for NL here, but I think the regulation is the same EU-wide. When you call in sick, you are not obligated to answer any questions from your employer except:
- whether the cause of the illness is (or might be) work-related
- how much time you expect to be out
- discuss a next moment of contact (phone appointment or presence in the office)
Any data regarding the illness itself is off-limits for the employer, you are allowed to volunteer the information but the employer strictly isn't even allowed to ask.
I am not suggesting that an employer has access to employees' medical records. However, the fact is that employers will reasonably keep track of sick leave and will in practice (and quite reasonably) have knowledge of health information, very often including the illness.
Personally, I think things start to go too far. Saying that "employee health is a personal matter" is going too far. Intimate details are of course personal and people may not want to share too much (and that's fine), but an employee's health, insofar as it impacts their job, very much concerns the employer, and it must be handled lawfully, reasonably, and tactfully by them. If the employer has a clear picture it is not necessarily negative for the employee, as it means that the employer can adapt and take the appropriate supportive action.
I think that the legislator recognises this, seeing that employment is an exception to the GDPR's ban on health information processing (obviously without reason).
> Speaking only for NL here, but I think the regulation is the same EU-wide.
In Germany the doctor only certifies that the employee is unable to carry out their work duties. The reason why is a secret between doctor and patient.
In Finland the doctor sends the ICD code to the employer.
So there is no EU-wide regulation. IIRC GDPR says that data is protected unless the exchange is regulated by a law or the subject has consented. (It's been a while since I read it...) Laws are national.
A nice website to check GDPR enforcement is https://www.enforcementtracker.com/. They already have a list of 407 entries, though as they specify not all fines are made public.
In 2018 they had about 1.1 billion € profit after tax.
35 million € of that isn't quite a small number and that is basically a warning shot to stop. The maximum fine would be 720 million €, which would eat into the year's profit quite a lot (and in turn, the shareholders' dividends).
Is it related to GDPR? At least the linked article doesn't mention it is. It looks like it is related to health data which is anyways illegal in most countries before GDPR.
"The fashion company with seat in Hamburg operates a service center in Nuremberg. Here, according to the findings of the Hamburg data protection officer, since at least 2014 private life circumstances of some of the employees have been comprehensively recorded and this information stored on a network drive. For example, the company conducted a "Welcome Back Talk" after employees returned to work after vacation or illness. The information that became known in this context - including information on the symptoms of illness and diagnoses of the employees - was recorded and stored. In addition, according to the Hamburg data protection authority, some supervisors also used the "Flurfunk" [meaning to hear something through the grapevine] to acquire a broad knowledge of individual employees, for example about family problems and religious beliefs. The information stored on the network drive was accessible to up to 50 managers of the company and was used, among other things, to evaluate the work performance of the employees and to make employment decisions. The data collection became known due to a technical configuration error in October 2019, according to which the data stored on the network drive was accessible company-wide for several hours. After the violation became known, the management apologized to the employees and offered monetary compensation. In addition, also further protective measures were introduced together with the data protection authority. [Note: Concrete legal basis of the fine not yet published - we assume this will mainly be Art. 5 and 6 GDPR]"
Actually, the victims in this case were offered monetary compensation by the company. Likely, if they want to they can sue for more than that with this judgment in hand.
You're right, "breach" just has a second meaning when it comes to IT and data [1] that describes a more passive role (somebody breached their security and copied data) while they've been caught in a very active role: intentionally breaking the law.
I wonder if the huge, scaled violations (when web sites violate the privacy of millions of visitors through "consent" dialogs that require dozens of clicks or by claiming legitimate interest where it has already been decided that's not OK) will receive penalties scaled accordingly to their scale of the violation, and it's just taking time, or if the DPAs are just continuing their pattern of bringing the hammer down on randomly picked small-scale violations while ignoring the stuff that actually affects all of us.
That is interesting. Ok, then you should follow up with them and ask for how your case is progressing and do a write-up if you do not receive a satisfactory answer.
I honestly don't have the time and energy to chase a non-functioning entity that I have no effective way of forcing to do their job.
I do donate generously to noyb.eu, which is using those donations to hire full-time people to do exactly that, plus trigger lawsuits where necessary.
I did talk to people working at DPAs though, and they seem obsessed with the irrelevant small stuff (particularly keeping people from easily communicating via e-mail is their pet peeve, ignoring the improvements in transport security that happened in the past two decades since they developed their policies), instead of dealing with what affects everyone.
It's about 2% of their annual profit. That seems not-unreasonable for a first offense. Most companies don't want to incur a 35 million euro cost if they can help it, so it should hopefully improve compliance.
Last year you read comments from people who said one thing, now you read a comment saying the opposite. That does not mean that HN has shifted. There are a lot of individuals on this platform with individual opinions.
Well, no, if the company doesn't stop and doesn't seem to stop the fines can be high enough to sink a company and I don't doubt that if it comes to it, the agencies involved are ready to sink a company over data protection.
Trust me on this: no company is going to take a 3% hit to their net profits after taxes as a happy event.
The agencies are quite ready but it would take a pretty stupid management to step in front of that train willingly. Note that H&M was adamant that they would cease to collect this data (as they should be).
The only case I know of where there was a multiple-repeat offender, the eventual fine was 250K for a violation involving a single individual (hospital employees in NL thought it was 'fun' to peek at the records of a minor celebrity).