GDPRLocal

Data Breaches

GDPR: I Didn’t Know We Could Be Fined For That?

You may know that companies can be fined for GDPR violations. Since 2018, more than 1,100 organisations have been. But did you know that private citizens can also risk penalties for data privacy violations?

Here, data protection specialist Zlatko Delev, shares his knowledge on the matter.

We only tend to hear of the big, newsworthy GDPR violations, perhaps where a GDPR data protection officer hasn’t carried out their duties as they should, where ads are being targeted using user data without consent, or where a company should have appointed an Article 27 EU representative (about which, more below) but hasn’t.

The biggest fine yet imposed was against Amazon, a huge €746m imposed by Luxembourg’s National Commission for Data Protection, which is currently passing through the country’s appeal courts. But you don’t have to be Amazon to be hit with a fine. You don’t even have to be a company.

Below are the most common ways individuals have ended up receiving fines for breaking GDPR, according to Digital News. 

CCTV 

To date, the majority of GDPR violations made by private citizens have been related to their use of CCTV. 

CCTV for private homes is legal, as long as public spaces and others’ private property is not recorded. This includes public roads and pavements and neighbour’s properties. 

The Spanish Data Protection Authority fined a private citizen €3,000 because their CCTV covered public spaces. Not only were they fined for the use of the cameras, but also for not properly informing the public of the cameras’ presence. 

By covering any public spaces with personal surveillance cameras, a person automatically becomes a ‘data controller’ under GDPR law.

In the UK, a private citizen was sued over the camera found in their smart doorbell, which was found to cover public spaces and their neighbour’s property, breaching data laws. 

The landmark case caused the ICO to issue new guidance on domestic CCTV use. Those using surveillance equipment were advised to only record their own private property, but if this was not possible, to make the public aware of the presence of the CCTV system, to limit its use, delete footage, and respond to access requests from those filmed.

Social Media Pictures 

Consent is the main theme of GDPR violations, and nowhere is this more pertinent than in social media. 

A Spanish individual was fined €6,000 for sharing a video on social media of other people without their consent. As the faces were not pixelated, the individual would have required consent to post the video. 

Even posting images of random people in public earned one photographer a fine. They had to pay €800 after posting pictures of strangers at the beach.

Dashcam Footage 

A German citizen was fined for posting dashcam footage on YouTube. 

UK law concerning personal dashcams appears to differ from Europe, perhaps because a display of personal dashcam footage on the wider web has not yet been challenged.

The ICO, as of 2021, states that only company dashcams need to worry about GDPR. 

Unsolicited Emails 

You might think unsolicited emails are only an issue for businesses, but private individuals can be fined as well. A German citizen was fined €2,500 for sending emails that allowed recipients to view other users’ email addresses.

Catfishing

GDPR law treats catfishing as a case of identity theft, allowing individuals to sue those who use their personal data for impersonation purposes. 

An individual in Ireland was fined for using someone’s personal photos to impersonate them on Tinder and WhatsApp.

How Can An Individual Violate GDPR?

Typically, an individual can fall foul of their GDPR responsibilities in two ways:

  1. As a sole trader

You’re self-employed but, just like any company, you may process data. Perhaps it’s an Excel list of client email addresses and phone numbers. Perhaps you run a small online shop and store payment details. Either way, you’re collecting data in connection with your business, so you’re bound by GDPR. 

If your clients/customers are solely in the UK (and you are too) you’ll be bound by UK GDRP regulations. If you’re based in the UK but collect any data for EU citizens you’ll also need a GDPR Article 27 EU representative, an EU-based expert to act on your behalf. And if you’re in the EU but control data of citizens in the UK, you’ll need a GDPR Article 27 UK representative.

As a sole trader you, not your business, bear the responsibility for this.

  1. As someone who breaches a local data privacy law

If, for example, you were leaving a company and took the data of employees and customers before you exited the building, you’d probably be breaching the Data Protection Act 2018 but also the UK GDPR.

Individual Breaches, Corporate Impact

An individual breaching GDPR regulations within their company could be liable for the breach rather than (or as well as) the company itself. 

Suppose, for example, an individual smuggled a laptop out of work that contained personal, unencrypted data and then left it on the train. 

Where the company encouraged laptops to be taken home and was lax in its application of security, you might expect the company to bear the liability. 

Where, however, the laptop was taken without consent and in contravention of strict company rules, the company may escape liability but the individual may be held responsible. The company would, however, still face the impact of the reputational fallout that would follow. 

GDPR: A Personal Issue 

GDPR breaches haven’t become a thing of the past since Brexit. To date, the UK GDPR has largely mirrored its EU counterpart yet, despite a commitment to equivalency (“adequacy”), UK data reforms could still see a change in the way personal data collection is handled by companies and individuals.

It’s important, therefore, for private citizens as well as corporate bodies to protect their own data, understand their responsibilities around data, and ensure they comply with regulations to avoid fines.

To understand your responsibilities and ensure you (or your people) aren’t inadvertently risking contravening the law, find out more about data protection, or get expert GDPR support and consultancy from GDPR Local.

Contact our data protection specialist Zlatko Delev for more information.

1.https://mlexmarketinsight.com/news/insight/amazon-s-appeal-of-record-gdpr-fine-to-go-to-luxembourg-court-in-january-2024

2.https://www.digit.fyi/

3. https://techmonitor.ai/policy/geopolitics/data-protection-bill-uk-gdpr-replacement-brexit