News
The Mischief of Mismanagement: Tale of a Breach of the GDPR
In early 2022, the Portuguese National Data Protection Supervisory Authority (“CNPD”) accused Lisbon’s Municipality of retaining demonstrators’ and protestors’ personal information for longer than necessary and sharing it with national and foreign public entities without proper legal basis, in breach of the principle of data minimization, without having previously conducted a data protection impact assessment and in breach of their obligations to inform data subjects about data processing operations.
This Article provides an overview of the Administrative Court Decision that, almost two and a half years later, confirms the impressions of the CNPD and fines the Municipality in over one million euros for its mischief in the management of personal data.
In early 2022, an Accusation of breach of the GDPR, authored by the Portuguese National Data Protection Supervisory Authority (“CNPD”) in December 2021, caused commotion, foretelling a narrative of incautious behavior by the largest, most resourceful municipal body in the nation.
It was Lisbon’s Municipality, who stood accused of retaining demonstrators’ and protestors’ personal information for longer than necessary and sharing it with national and foreign public entities without proper legal basis, in breach of the principle of data minimization, without having previously conducted a data protection impact assessment and in breach of their obligations to inform data subjects about data processing operations.
The facts underlying the accusation were the preparation and dissemination of Notices for Demonstrations, containing personal information of their promoters and sometimes their participants, to several legal entities, such as the Police, Internal Affairs ministry and secretariats and, importantly, foreign national authorities.
The story caught fire in news cycles for months. Having appealed the Accusation to judicial instances, the Municipality found itself facing a worthy opponent in open Court, who would not simply give in to the cause.
Now, almost two and a half years later, by an Administrative Court Decision published on Wednesday, August 7th, 2024, the Municipality of Lisbon was found guilty, convicted and fined over one million euros for its maintenance of an organizational culture of laxity and disregard for statutorily imposed obligations (in this case, of data protection).
As it happens, the Court focused, not so much in the individual breach of data protection rules taking place with the data transfer of personal data of each promoter/participant, but rather on the global conduct of the Municipality and its technocratic nature. In fact, while it was found that between 2018 and 2021, the Municipality would frequently send out emails to foreign Embassies in Portugal (such as the Embassy of India, Hungary, Brazil or even Russia), in connection with Demonstrations for peace or political reform in the countries those Embassies belong to – presumably not in demonstration of political support but, rather as part of a procedure pre-dating the GDPR to inform all those who may have an interest in the matter demonstrated about that a Demonstration shall be held about that issue on said date and place to avoid liability for any damages arising in connection with the Demonstration – the Court found that the most serious infringement, in this case, was not the sharing of personal information with political opponents of the data subjects, but rather the attitude demonstrated by the refusal to revise internal procedures to comply with the GDPR.
The Municipality defended itself by arguing that there had been no intent to breach the law and, therefore, there could not be any sanctioning of a criminal nature. The Court is quick to set that argument aside. It starts by determining that the element of intent, for the purpose of administrative criminal offenses, is not as strict as that of criminal offenses – and while criminal sanctioning generally requires a moral-ethical sanctioning of the conduct of the agent, administrative criminal offenses only require knowledgeable (or negligence) non-conformity with the legal and social requirements imposed by the societal perception of the role of the agent.
It then follows to conclude, without any indication of a doubt, that the sharing of personal information regarding Demonstrations’ promoters and participants with widely varying entities (from foreign embassies to restaurants), without any criteria or preoccupation with the subsequent processing of the data shared is demonstrative of “a very deficient organizational culture” favoring “total indifference in the activities of personal data management and sharing.” A culture that, in the eyes of the Court, had not only been set, but was also continuously supported by the Municipality itself.
The Court furthermore calls the participants attention, among others, to the fact that despite the GDPR entered into force two years after being published to enable adaptation of internal procedures to the GDPR, the Municipality only set a team to oversee the implementation of GDPR mandated procedures and requirements within the Municipality on the 24th of May, 2018, one literal day before the entry into force of the Regulation. These discovery pieces of evidence supported the finding of intention in the Municipality – according to the Court, the Municipality knew and was conformed with the illegal consequences of its conduct.
Interestingly, the Appeal Court caved to the Municipality’s argument that the infractions should not be accounted for as individual infractions (one infraction for each Notice, or for each communication sent) but rather as continuous infractions, occurring permanently throughout three years (counted from the beginning of application of the GDPR to the date of the Accusation). More interestingly even, however, the reduction of the quantity of infractions (from hundreds in connection with data sharing, to only two) did not have a perceived material effect in the actual measure of punishment. On the contrary, having considered a few infractions had met their statute of limitations, the Court reduced the penalty initially imposed by CNPD in a manner that appears frankly proportional – instead of a 1.250.000 EUR (one million, two hundred and fifty thousand euros) fine, it convicted the Municipality in 1.027.000 EUR (one million, twenty-seven thousand euros).
The final decision of the Court, as such, appears in line with the reasoning of the Supervisory Authority, and constitutes a warning for all data processing entities in Portugal: size and power do not acquire exemption from legal obligations. Breaches of personal data protection will be prosecuted ever more carefully, especially in a data-driven economy.
The attentive eye of CNPD and its willingness to impose better data processing practices through litigation, together with the implications of a fine in over one million euros, have shown that the Portuguese Supervisory Authority is active and taking the necessary steps to improve the quality of data processing procedures across Portugal.
In the way of conclusion, lastly, this Decision provides a good illustration of a curious legal phenomenon: the qualification of an infraction is often less relevant for the purpose of setting the measure for punishment than the overall feeling of censorship towards the mischief (and the need to deter similar behavior). As shown, the reduction of the number of infractions did not materially affect the fine imposed in the end.
Article provided by INPLP member: Ricardo Henriques (Abreu Advogados, Portugal)
co-authors: José Maria Alves Pereira and Leonor de Sá e Frade
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010