€ 500 per data subject – a quantification of why GDPR matters
Clients often ask me why they should invest in General Data Protection Regulation (GDPR) compliance so much. For medical devices and medicines regulatory compliance, they get it to an extent. Non-compliant devices carry risk of enforcement, which can lead to them being taken off the market. Devices off the market = collapse of cash flow and bad press. Both are bad for the company. And then there is the product liability risk for non-compliant devices or medicines that harm patients. More bad press and of course you don’t want to harm patients.
But data, seriously? For personal data related non-compliance companies often reason differently. They see personal data (and personal data concerning health) often as a surplus that can be harvested and put to their use: as their data rather than the data that is governed by rights of the data subjects concerned. Compliance to EU GDPR is costly, complex and follows alien logic. It’s my surplus right? It’s generated by my devices, generated in my trials and stored on my servers that I have secured as well as I think is necessary. It’s not like we are harming people if there is a data breach or if we send the data to the US (or the UK after hard Brexit). Look at company statements when a data breach happens: the first statement that a company makes is that they have no indication that the data were used for any detrimental purpose by bad guys (if any).
So why all this costly and complex hassle? Companies generally understand there are rules enforced by data protection authorities, and that these authorities may enforce these rules in case of non-compliance. So then the question is: what is the risk of enforcement and disruption of operations? That seems to be the only risk that is really considered. There is no product liability in data protection – it seems. Data protection authorities are comfortably under resourced so risk of enforcement and imposition of the ginormous penalties that we were warned about when the GDPR entered into force is relatively small. And a data breach (other risk) may be bad publicity but it always blows over – Facebook can tell you all about that. So, what’s the problem right?
A small legal case
A small legal case in the Netherlands may serve as a powerful example of where things are heading with the GDPR, and to show that the GDPR is serious about the intrinsic value of personal data to the data subject that they relate to. Personal data is not surplus. A data subject does not only have an interest in bad guys not going to town with their breached data and pillaging their bank account or selling their genetic data, or third parties using their data in non-compliant ways by aggregating it into profiles about you that follow you around with ads about stuff you already bought. A Dutch court recently held that non-compliance under the GDPR harms the data subject’s interests in control over his or her personal data, which is a fundamental, personal right. And this personal right is exactly what article 82 GDPR protects when it states that:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
So what non-material damage could a person suffer as a result of an infringement of the GDPR? The Dutch case concerned local government officials sending emails to inform each other about the fact that a person filed a request for disclosure of certain data. This was done not in accordance with compliant procedure and therefore constituted a data protection law infringement. The infringement seemed innocent enough on its own merits, like
- doctors whatsapping each other images of patients’ wounds or statuses (so useful and quick),
- maintenance personnel making copies of all treatment session data on a medical device on to their laptop for further analysis without covering this in the services agreement (very efficient),
- support staff doing root level remote log-ins from services centers outside the EU on medical capital equipment and having access to all data on the equipment without a processing agreement with the hospital (good service),
- hospitals scrapping devices without deleting diagnostic data on them (how should we know there’s data on these things),
- companies far and wide transferring personal data concerning health outside the EU for further processing without adducing compliant safeguards (crazy Europeans have rules for that?).
And the list goes on. And what’s the harm, right? We were only trying to help, only running our business, just getting things done – this GDPR business that starts with privacy by design just makes things way too complicated. We already have other rules to worry about.
Privacy by design
Yet, privacy by design is so important, because for example regarding devices security design the GDPR places regulatory emphasis one half of the below model, and the MDR/IVDR on the other half:
This model comes from BSI’s very interesting white paper on cybersecurity, which you can download here from their page with a lot of other interesting and relevant white papers for MDR and IVDR. This serves to show how data protection requirements under the GDPR and GDPRs under the MDR and IVDR for software form different sides of the same coin and must therefore be equally considered in design and risk management. They must be parts of an overall integrated strategy to get this right. And we all know what can happen with badly designed products / services: if they don’t harm someone they’ll compromise their data or both.
Loss of control over personal data
Where’s the harm when personal data are lost or wrongly processed? Nobody re-sold the data (yet), nobody plundered bank accounts (yet) so what’s your problem data subject?
The problem of the data subject is – as the Dutch court phrased it – loss of control over personal data as a result of the non-compliance. Non-compliant processing leads to loss of control over personal data, which constitutes non-material damage in the meaning of article 82 GDPR. The Dutch court quantified this non-material damage to € 500 for the person concerned, taking into account that the decision to engage in non-compliant processing did not contain a justification (by the way this is why I always have been telling companies from the start of the GDPR to take the often mandatory Data Protection Impact Assessment (DPIA), which should contain such argumentation, very seriously). Especially when someone processes your special categories of data (concerning health, genetic data and biometric data among other things) you have very very much an expectation, even a fundamental right, to privacy as data subject. This is also a circumstance that could give rise to another quantification of non-material damage under the GDPR, because the € 500 was determined in a case where the personal data were not of the exciting kind. Imagine that you are a company offering genetic testing services and have a database of whole genomes and related hereditary disease risk factors of your customers that a disgruntled employee makes off with and then sells on the dark web. I bet that the amount of non-material damage for the data subjects will be more than € 500. And there are other conceivable factors that could influence the amount.
It adds up
500 Euros may not sound like much, but this is a per data subject amount. When you have a large user base, the number quickly adds up. When you are a multinational company with millions of users, things get really serious. And when the users concerned combine into a class action, you are in a world of trouble.
Not only the controller is in trouble, but also the processor – service provider may be. A processor is liable for the damage caused by processing where it has not complied with GDPR obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller, for example because the processor has not not implemented the level of security required under the processing agreement with the controller. Processing agreements are just a stupid formality that your lawyer spends too much time on nerding about clever wording? Maybe time to take another look at yours.
Because let’s say you have a million users in the EU and your service suffers a catastrophic data breach because your processor’s systems are hacked and you were processing health data in the US without proper transfer mechanism. Or you were processing data of extra-EU data subjects in your EU operations not realizing that this means that these people suddenly are covered by the GDPR and have the same rights as EU citizens under the GDPR as a result.
Or something less spectacular: you sell the user database in an asset transaction when divesting that service from your company (without prior data subject consent or with another GDPR compliance issue that clever people in the due diligence warned you for but you do it anyway).
Or even yet more unspectacular: you have misunderstood (as so many companies crossing my desk do) the difference between anonymous data and pseudonomised data and as a result you are processing personal when thinking you do not. Especially US companies are very prone to this mistake due to local US concepts of what anonymisation is and I have many heated debates with insufficiently informed US company lawyers about that the GDPR really uses different logic in this regard. The same is true for many institutions and persons in medical research: they think that a coded dataset is anonymised just because of the distributed key, while for legal purposes it really is not because the whole point of a key is that the coding is reversible.
Or even still less spectacular: you decide to do performance evaluation for your IVD on a biobank of samples that you still had somewhere for other purposes because the IVDR is coming and you need more data because your did not do PMS for your self certified IVD like most companies in the market.
The above are all realistic scenarios that happen all the time.
So congratulations: someone makes a small and perhaps totally avoidable mistake and you have just racked up a potential liability of € 500.000.000 in our realistic examples (yes, half a billion Euro) for your company, of which the fuse can be lit by any data subject concerned clever enough to make this into a major problem for you by starting a class action. Dutch class action law and the GDPR provide that a data subject can be represented by a class action vehicle and the GDPR provides that a data subject can sue a controller or processor in every EU member state in which the company has an establishment. So if fundamental rights and enforcement risk by authorities are not enough reason to takes GDPR compliance seriously, maybe the risk of a major class action is.
Stacking of the legal deck
The Dutch court decision is being appealed I understand, and appeal means it may be reversed or it may not. But this case shows how the deck is stacked legally, and why data protection is serious business.
So maybe give this GDPR business just a bit more consideration than you are currently doing – if only because it’s prudent risk management and, quite frankly, the right thing to do because we are talking about fundamental rights here.