Data breaches in Europe can be extremely expensive, up to 4% of a company’s annual turnover, thanks to the General Data Protection Regulation (GDPR). Fines for data breaches reached more than $1.1 billion in 2021, with Amazon leading the scoreboard with a staggering $867 million fine.
Read more: GDPR Fines Exceed $1.1 billion in Q3
But it is not only Big Tech companies that need to be aware of this regulation and of how easy it can sometimes be to infringe the law. Last Friday, Giropay, a German payment platform, was the subject of a complaint by the European Center for Digital Rights for allegedly violating the EU’s GDPR.
According to the complaint, Giropay displayed and processed sensitive personal sexual and health information without customer consent. Article 9 of the GDPR prohibits platforms from processing data “concerning health or data concerning a natural person’s sex life or sexual orientation” without explicit consent.
Giropay is an integrated payment processing service that many retailers use to process customer payments. A customer noticed that the platform had saved data about the products she bought, including some eye drops and a product from a sex shop. The key point in this case is that Giropay, according to the company itself, is not responsible for transmitting this information, as retailers have sole discretion over whether to share shopping cart information.
The case may be reviewed by the competent data protection agency. If the authority finds that Giropay did breach the GDPR, it may impose a fine, which is unlikely to be large given the nature of this infringement, but it will probably ask the company to change its data processing practices, bringing them in line with the EU GDPR.
This case exemplifies how far the GDPR can reach when it comes to the collection and processing of personal data, since Giropay did not set out to collect personal data; it simply received the data from the shopping cart. There are some exceptions in the law that allow the collection of data that may be identified as personal, when it is “customary in the market” and corresponds to the service expectations of the users. But again, this will need to be proven in the investigation, if the agency opens one.
New EU Rules for Data Sharing
The European Union is proposing new data rules, the Data Act, to complement existing legislation governing data. This is the second main legislative initiative resulting from the European strategy for data, which intends to establish the EU’s leadership in the regulation of the data-driven society. The Data Act is intended to complement the GDPR. The latter mostly relies on the principle of informational self-determination, which leaves the policing of the privacy markets to the consumers themselves by assuming that users will engage in taking care of their privacy (for instance, by requesting that companies delete their data).
The Data Act seeks to empower consumers by giving them the option to easily move their data from one provider to another, and to give small and medium-sized companies more power to negotiate better data-sharing contracts.
Read more: EU’s New Data Act May Compel US Firms To Share More Data
Compliance with EU data laws is becoming increasingly complex, for EU and non-EU firms alike. Meta clearly stated this risk in its last quarterly report, where it said that data rules in Europe could affect the company’s ability to transfer data from the EU to the U.S. and that, subsequently, this could have a significant impact on the operations of Facebook and Instagram in the region.
Read also: Regulator Could Order Meta to Stop EU-US Data Transfers