On 21 November 2018, the data protection authority of Baden-Württemberg, Germany (the "authority") imposed a fine of EUR 20,000 on a German social media provider (the "company") for storing user passwords without protection. The decision is the first fine imposed in Germany for a violation of the European General Data Protection Regulation (GDPR), in this case of Art. 32(1)(a).
Email addresses and passwords of about 330,000 users of the company's social media website were stolen by an attacker and published on the Internet. The company notified the authority of the personal data breach and provided extensive information about its data processing activities. It also informed the affected users of the breach in accordance with the applicable GDPR provisions.
From the information provided by the company, the authority learned that user passwords had been stored in plain text. Under Art. 32 of the GDPR, controllers and processors must implement appropriate technical and organizational measures to secure personal data so that the rights and freedoms of the natural persons concerned are protected. In determining which measures are appropriate, they must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. On the basis of those considerations, and because encryption of personal data is expressly listed as an appropriate measure in Art. 32(1)(a) of the GDPR, the authority found that the company should have protected the stored passwords rather than keeping them in plain text, in order to provide a level of security appropriate to the risk. (For stored passwords specifically, the state-of-the-art measure is a salted, deliberately slow one-way hash such as bcrypt, scrypt or Argon2 rather than reversible encryption; plain-text storage meets neither standard, which is the point of the decision.) The authority therefore concluded that the company had violated Art. 32(1)(a) of the GDPR and imposed a fine under Art. 83(4).
Under Art. 83(4), the fine could have been as high as EUR 10 million or 2 percent of the company's total worldwide annual turnover of the preceding financial year, whichever is higher. In setting the amount at EUR 20,000, however, the authority gave weight to the company's prompt implementation of the measures it had ordered and recommended, and to the company's willingness to cooperate with the authority throughout the proceedings.
© Copyright 2018. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.