In the public and education sector, DPAs from 22 different countries (+1 in comparison to the 2021 ETR) have imposed a total of 136 fines (+58 in comparison to the 2021 ETR) on representatives of local governments (such as mayors), police officers, schools, universities and other public bodies or educational institutions amounting to a total of more than EUR 14.1 million (+9.1 million in comparison to the 2021 ETR).
Largely consistent with the overall distribution of GDPR fines in the Enforcement Tracker, fines for an insufficient legal basis for data processing (47 fines in total) and for insufficient technical and organisational measures (42 fines in total) account for the majority of fines in the public and education sector. The second most common type of GDPR violation overall (non-compliance with general data processing principles) is slightly less relevant in the public sector and in education (22 fines in total).
But let's take a closer look:
- During the Covid-19 pandemic, the use of digital products (e.g. messenger apps or video conferencing tools) by universities and schools, in particular for holding online classes and examinations, has increased significantly. When such technologies are used, the personal data collected (e.g. recordings of examinations and identification data) must be stored in an appropriately secured manner and must not be retained for longer than is necessary for the original purpose. In this context, the Italian DPA imposed a fine of EUR 200,000 on Bocconi University (ETid-876) for its use of remote monitoring software in online examinations. The software was able to monitor the behaviour of students through video recordings and snapshots taken at random intervals. In addition, the exam was audio-visually recorded and a photograph was taken of each examinee at the beginning of the exam. In its investigation the DPA found that students had not been properly informed of the processing of their personal data (e.g. no information about the audiovisual recordings). The DPA considered this a violation of the principles of lawfulness, fairness and transparency. It also found that the university had processed the personal data without a valid legal basis: in light of the health risks during the pandemic, the students' consent could not be considered freely given, as an in-person exam was the only alternative offered to the online exams.
- In other cases, fines have been imposed on schools that processed special categories of personal data such as biometric information (e.g. using facial recognition technology to monitor student attendance, see ETid-67). While the use of biometric data is not prohibited in general, it is necessary to ensure that (a) the use of the data is appropriate and proportionate, (b) consent is given freely, which is not the case if the data subject has no alternative other than to consent, and (c) the data is protected by sufficient technical and organisational measures to ensure information security.
- The Italian Data Protection Authority imposed a fine of EUR 800,000 on the administration of Rome (ETid-827). The violation concerned a technical upgrade of the city's parking meters. Data of individuals using the upgraded service was accessible to employees of the contracted firms, who had neither received proper instructions on data processing nor been properly designated as data processors. The upgraded system had already collected data on 8.6 million parking stays, including licence plate numbers. According to the DPA, those with access could have (unlawfully) checked vehicle registration plates en masse and repeatedly over time, and thus could in principle have traced a person's habits and parking locations.
- The highest fine in the public and education sector to date was issued by the Dutch Supervisory Authority for Data Protection (AP), which sanctioned the Dutch Minister of Finance (ETid-946) with a fine of EUR 2.75 million for processing dual citizenship data of 1.4 million people in the context of childcare benefit applications, even though the dual nationality of Dutch citizens was not necessary for assessing an application for childcare benefits. The data was also used, without any legal basis, to combat organised fraud and for automatic classification in the authority's risk system. The AP stated that the data subjects had also been discriminated against on the basis of their nationality.
- The second highest fine was issued by the Data Protection Commission of Bulgaria, which in 2019 sanctioned the National Revenue Agency (ETid-71) with a fine of EUR 2.6 million for a leak of personal data in a hacking attack. Inadequate technical and organisational measures had allowed access to the personal data of around 6 million people.
Public authorities hold a special position of trust that requires particularly strict compliance with data protection law and an exceptionally high level of data security. The same applies to schools and other educational establishments, in particular those that process personal data of minors. Data protection authorities appear to have increased their scrutiny of the public and education sector since the 2020 ETR, in particular in connection with the use of technology during the Covid-19 pandemic. In 2021 the majority of fines in the public sector were imposed on educational institutions. We consider it likely that more Covid-19 related violations will be registered and sanctioned in the coming years. Furthermore, the number of fines in the public sector for violations of data protection law concerning the processing of sensitive data (e.g. health data), profiling, and the tracking or surveillance of individuals has increased over recent years. It seems likely that this trend will continue.