News

17.09.2024

The Mischief of Mismanagement: Tale of a Breach of the GDPR

In early 2022, the Portuguese National Data Protection Supervisory Authority (“CNPD”) accused Lisbon’s Municipality of retaining demonstrators’ and protestors’ personal information for longer than necessary and sharing it with national and foreign public entities without proper legal basis, in breach of the principle of data minimization, without having previously conducted a data protection impact assessment and in breach of their obligations to inform data subjects about data processing operations.

This Article provides an overview of the Administrative Court Decision that, almost two and a half years later, confirms the impressions of the CNPD and fines the Municipality in over one million euros for its mischief in the management of personal data.

In early 2022, an Accusation of breach of the GDPR, authored by the Portuguese National Data Protection Supervisory Authority (“CNPD”) in December 2021, caused commotion, foretelling a narrative of incautious behavior by the largest, most resourceful municipal body in the nation.

It was Lisbon’s Municipality, who stood accused of retaining demonstrators’ and protestors’ personal information for longer than necessary and sharing it with national and foreign public entities without proper legal basis, in breach of the principle of data minimization, without having previously conducted a data protection impact assessment and in breach of their obligations to inform data subjects about data processing operations.

The facts underlying the accusation were the preparation and dissemination of Notices for Demonstrations, containing personal information of their promoters and sometimes their participants, to several legal entities, such as the Police, Internal Affairs ministry and secretariats and, importantly, foreign national authorities.

The story caught fire in news cycles for months. Having appealed the Accusation to judicial instances, the Municipality found itself facing a worthy opponent in open Court, who would not simply give in to the cause.

Now, almost two and a half years later, by an Administrative Court Decision published on Wednesday, August 7th, 2024, the Municipality of Lisbon was found guilty, convicted and fined over one million euros for its maintenance of an organizational culture of laxity and disregard for statutorily imposed obligations (in this case, of data protection).

As it happens, the Court focused, not so much in the individual breach of data protection rules taking place with the data transfer of personal data of each promoter/participant, but rather on the global conduct of the Municipality and its technocratic nature. In fact, while it was found that between 2018 and 2021, the Municipality would frequently send out emails to foreign Embassies in Portugal (such as the Embassy of India, Hungary, Brazil or even Russia), in connection with Demonstrations for peace or political reform in the countries those Embassies belong to – presumably not in demonstration of political support but, rather as part of a procedure pre-dating the GDPR to inform all those who may have an interest in the matter demonstrated about that a Demonstration shall be held about that issue on said date and place to avoid liability for any damages arising in connection with the Demonstration – the Court found that the most serious infringement, in this case, was not the sharing of personal information with political opponents of the data subjects, but rather the attitude demonstrated by the refusal to revise internal procedures to comply with the GDPR.

The Municipality defended itself by arguing that there had been no intent to breach the law and, therefore, there could not be any sanctioning of a criminal nature. The Court is quick to set that argument aside. It starts by determining that the element of intent, for the purpose of administrative criminal offenses, is not as strict as that of criminal offenses – and while criminal sanctioning generally requires a moral-ethical sanctioning of the conduct of the agent, administrative criminal offenses only require knowledgeable (or negligence) non-conformity with the legal and social requirements imposed by the societal perception of the role of the agent.

It then follows to conclude, without any indication of a doubt, that the sharing of personal information regarding Demonstrations’ promoters and participants with widely varying entities (from foreign embassies to restaurants), without any criteria or preoccupation with the subsequent processing of the data shared is demonstrative of “a very deficient organizational culture” favoring “total indifference in the activities of personal data management and sharing.” A culture that, in the eyes of the Court, had not only been set, but was also continuously supported by the Municipality itself.

The Court furthermore calls the participants attention, among others, to the fact that despite the GDPR entered into force two years after being published to enable adaptation of internal procedures to the GDPR, the Municipality only set a team to oversee the implementation of GDPR mandated procedures and requirements within the Municipality on the 24th of May, 2018, one literal day before the entry into force of the Regulation. These discovery pieces of evidence supported the finding of intention in the Municipality – according to the Court, the Municipality knew and was conformed with the illegal consequences of its conduct.

Interestingly, the Appeal Court caved to the Municipality’s argument that the infractions should not be accounted for as individual infractions (one infraction for each Notice, or for each communication sent) but rather as continuous infractions, occurring permanently throughout three years (counted from the beginning of application of the GDPR to the date of the Accusation). More interestingly even, however, the reduction of the quantity of infractions (from hundreds in connection with data sharing, to only two) did not have a perceived material effect in the actual measure of punishment. On the contrary, having considered a few infractions had met their statute of limitations, the Court reduced the penalty initially imposed by CNPD in a manner that appears frankly proportional – instead of a 1.250.000 EUR (one million, two hundred and fifty thousand euros) fine, it convicted the Municipality in 1.027.000 EUR (one million, twenty-seven thousand euros).

The final decision of the Court, as such, appears in line with the reasoning of the Supervisory Authority, and constitutes a warning for all data processing entities in Portugal: size and power do not acquire exemption from legal obligations. Breaches of personal data protection will be prosecuted ever more carefully, especially in a data-driven economy.

The attentive eye of CNPD and its willingness to impose better data processing practices through litigation, together with the implications of a fine in over one million euros, have shown that the Portuguese Supervisory Authority is active and taking the necessary steps to improve the quality of data processing procedures across Portugal.

In the way of conclusion, lastly, this Decision provides a good illustration of a curious legal phenomenon: the qualification of an infraction is often less relevant for the purpose of setting the measure for punishment than the overall feeling of censorship towards the mischief (and the need to deter similar behavior). As shown, the reduction of the number of infractions did not materially affect the fine imposed in the end.

 

Article provided by INPLP member: Ricardo Henriques (Abreu Advogados, Portugal)

co-authors: José Maria Alves Pereira and Leonor de Sá e Frade

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)