by throwaway13337 2556 days ago
Wow. Here's a crazy one:

Someone was fined 2000 euros for using CC instead of BCC in his little mailing list newsletter of 150 people in Germany.

"The fine was imposed against a private person who sent several e-mails between July and September 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list."

Poor guy.

This seems to be proof that the GDPR is being weaponized against people and organizations one doesn't like.

18 comments

In the UK, the data regulator fined a small organisation £180,000 ($230,000) for exactly the same mistake on a list with 781 recipients. The organisation was a specialist sexual health clinic and the newsletter was for patients with HIV.

Without knowing the details, I can't say whether a €2000 fine was disproportionately onerous or a slap on the wrist.

https://www.businessinsider.com/nhs-trust-fined-for-leaking-...

It's worth noting that that fine was made under the Data Protection Act 1998 (implementing the Data Protection Directive), which is what was in force before the GDPR became law.

The ICO might well consider a similar breach worthy of a bigger fine now.

With such sensitive information they should really avoid CC/BCC and do it manually, or write a script for sending 1 email at a time. Not because CC/BCC is bad, but because you want to be 100% sure to dodge this kind of problems.
And the fine will make sure you remember to do that in future!

It's almost like laws can work.

That'll be part of why they got the fine. One component of GDPR is taking reasonable steps to avoid leaking personal data, and as you pointed out, relying on someone remembering to BCC rather than CC is asking for trouble.
Not just that. Health data is considered especially sensitive by the GDPR, so sharing it is a more serious transgression than simply sharing personally identifiable information in general.
The details are that some of the most sensitive medical information you could imagine got leaked. Huge, huge violation. Even in the US HIV status is extremely confidential.
The details on the 2000 euro fine?
No the big one.
Details on the 2k€ fine; the guy used his mailing list for harassment, the 2k€ fine would likely have also been issued prior to the GDPR as german privacy law is fairly strict.
HN tangent: This is a great example of where the oft touted wildcards on a personal domain fall short: if you’re on that list, you’re outed. Even without your name on it; only you use that domain.

This is where Outlook with their *@outlook.com and apple’s new system really do shine.

Commiserations to those affected :(

Wildcards are a measure to track what others are (automatically) doing with your email address, provide a way to remove yourself from shared lists of bad actors, and sign up to something a dozen times. What they don't do is provide privacy against human eyes.
I've been wondering how this sort of email management strategy is going to handle the rules certain countries are bringing in now where if you want to go there then you have to provide a list of all of your email addresses and social media accounts. Has anyone run into that problem yet?
Yes, my email address is "usa-border@mydomain.com"
If the story linked elsewhere in this thread is the one in question, this wasn't an accident. It was a guy running some kind of harassment campaign. His "little mailing list" was of people he was harassing, not subscribers to a newsletter.

https://www.rosepartner.de/blog/bussgeld-fuer-offenen-e-mail...

Not a harassment campaign as such, it seems. He was mad about something, and mailed a bunch of politicians and press his complaints. Complaints, sometimes bordering on being libelous, according to the agency which fined him, not death threats.

He was fined solely based upon the email addresses being visible to all recipients, not because of the content of his mails, said a spokesperson. However, he was a repeat offender in terms of privacy, who in the past was warned, then fined for similar stuff.

I'm a little bit torn on that one. The fine seems excessive for what he did (and the email addresses seem to be a list of already public journalist and press contacts), and it certainly looks like somebody in the govt got annoyed and threw the book at the guy in retaliation. Then again, he had ample warnings, and chose to ignore those warnings.

Isn't one of the points of separation of power that the government (executive branch) should not have priority access to the judicial branch? Fining individuals, even loony ones, while not even attempting to fight the big battles (FAANG, personal data trading for 'profiling' or even government profiling within the EU) is imho just preposterous.
Well, the judiciary branch was not involved in this fine. It was a government agency issuing the fine. Now the fined person could pay the fine, or file a suit asking a court to overturn it.

It really is analogous to most govt fines e.g. speeding tickets: the government (the police) gives you a ticket, and if you pay it then OK, no court involved, but if you challenge it then the courts get involved.

But more generally, the government should and does get priority access to the courts already. Criminal courts exist solely to serve the government; you cannot bring criminal suits as a citizen yourself, only civil suits. Also, e.g. in Germany the government and legislatures (federal and state) get priority access to e.g. the constitutional (supreme) court. A mere mortal cannot just file suit directly in the constitutional court, but has to go through the lower instances first (unless there is something similar to a class action petition, showing a sizable chunk of the population sees the same issue and wants it decided). Members of the parliaments and IIRC of the cabinet are allowed to file suit in the constitutional court directly. The reasoning here is that if it was allowed for citizens to petition the highest court directly, then the court would do nothing else than write rejection letters for bullshit petitions. While the govt and legislatures incl. the parliamentary opposition of course represent the people (in theory) and aren't stupid morons wasting the court's time (in theory).

PS: Google was already fined €50M for GDPR violations, and there is probably more of those in their future. Facebook got fined €10M so far, IIRC, also with more to come. And don't forget the billions of Euros worth of antitrust fines against Google and Microsoft, e.g.

What sort of priority access was used in this case? Maybe they just filed a complaint like anyone else.
I support this fine in principle. Maybe not the magnitude, maybe not without a warning, and of course a three liner isn't enough context to be sure.

But using CC instead of BCC causes a massive leak of personal information, especially when either the subject being discussed or the people on the list are sensitive. In my life this has mostly been annoyance at large org stuff, but my wife has had this happen with a sensitive medical practice and we were not in the US so HIPAA did not apply.

I don't think fines are the only solution, of course. But I think fines should be on the table and it's easy to me imagine a circumstance where 2k euro would be appropriate.

There were multiple warnings and the guy was a repeated offender. He had already been fined earlier.
Last year, when GDPR was heavily discussed, people were criticizing those who decided to just stop their small hobby websites because of the potential GDPR exposure.

The argument back then was that they were overreacting, that we didn't understand how Europe works, that you'd only get fined after repeated warnings about violating procedures etc.

I'm sure the private person was dumb for doing what he did, but that doesn't invalidate the general point: unless you're sure that you can afford making these kinds of mistakes, don't provide a service on the internet that might be used by EU citizens.

The benefits, whatever they might be, just don't justify the risks.

Except we see just the fine. We have no idea how many attempts and warnings to get them to comply were sent first. It wasn't one email, it was multiple emails, multiple times over months.

This site makes no mention of warnings and escalations, and ICO at least doesn't normally announce that for individual cases. Though they do put out aggregate stats. When they have, fines are clearly shown as arising in a small minority of cases.

There are other examples at least from Germany where no warning or time to rectify was given, just a fine.

https://iapp.org/news/a/germanys-first-fine-under-the-gdpr-o...

800k email records and passwords in plain text when breached. I don't know how big Knuddels are, so I don't know if that fine sounds lenient, right or high. Yet as it's a large breach it seems fitting of no warning first, considering the scale of negligence, mitigated by their "exemplary cooperation" afterwards.

Which goes to show why the regulators get the discretion to decide appropriate action from warning only to maximum fine. Without context and aggravating and mitigating factors we can't know, which was my point. If a penalty is disproportionate there's well worn appeal tracks.

Other comments seem to point to the small case in OP comment being some guy running a list to harass people, which seems like a huge aggravating factor to me. Maybe he got one warning, maybe in context he didn't deserve even that.

> We have no idea how many attempts and warnings to get them to comply were sent first.

True. But I doubt that even the most ruthlessly efficient GDPR enforcement authority could send multiple enforcement requests between mid July and end July.

Why are multiple requests needed? You do shit, you get a request to stop it, you don't do it, you get hit with a fine. How many requests do you expect the authorities to send? 5? 10? 100? If I get summoned to court and don't follow it I get a fine. How is this any different?
Sure, but offences between July and September 2018, and convicted Feb 2019 only against the small sub selection in July.

There's potential time for quite a few ignored warnings before prosecution, but I don't know and can't find out from here if or if not.

They almost certainly got complaints from the users on that list. You tend to get pretty swift response from that.

Very likely that they just ignored it.

> unless you're sure you that can afford making these kinds of mistakes, don't provide a service on the internet

DOT

sounds good

What does DOT mean?
.
Thanks, I thought it was some acronym.
What does . mean?
Everybody makes mistakes. Which makes GDPR a recipe to hand over whatever remains of the Internet to only corporations that afford paying for them.
Sure, but there are different kinds of mistakes. A surgeon can make a mistake, but it's a different kind of mistake if, instead of a surgeon, a plumber cuts the patient with a kitchen knife.

I agree it's a difficult problem and it's hard to define boundaries, but some level of competence is welcome when handling data that belongs to other people.

If you start some internet service, I expect you not to lose my data (in some lame way, s.h.), just like I expect my car mechanic not to destroy my engine.

edit: to give it context, I closed my programming website with thousands of active users that I had for almost 20 years because of GDPR, I'm not a big fan of it, but what I like even less is when complete incompetence when handling personal data results in zero consequences

Yes, people make mistakes. And by deciding to create a business around other people's personal information some mistakes are bad enough to merit a fine.

All sorts of civil offences and crimes can be mistakes. While "it was an accident" might lower the penalty it doesn't negate the fact the mistake was made and people might have been hurt.

The idea that we should hold companies that profit off people's personal data blameless if they manage to "make a slip-up" with it is absurd. The only other industry where we accept those kinds of mistakes is Wall Street and we all know how well that policy has gone.

>deciding to create a business around other people's personal information

>profit off people's personal data

Have you "decided to create a business around destroying the environment" and "profit off CO2 emissions" because your office is heated in the winter? GDPR is not specific to the adtech or data brokerage industries.

I used to have a website that did stuff with GPS data that was uploaded by users.

It was purely a hobby affair that was a net loss, but Google ads ($10 per month) reduced the cost somewhat.

Those ads probably made it a for profit business.

I shut the thing down before GDPR, but if I hadn’t it surely would have been an excellent reason to do so.

Those are the kind of websites that you lose.

I consider that a loss.

That's a pretty weak argument in and of itself. Many crimes are mistakes.
Similarly, many simple mistakes shouldn’t be treated as a crime.
If you make a mistake and you do so honestly, not out of malice and fix it, you are very unlikely to get a fine - you will get guidance and a warning. Unless you are being egregiously slip-shod.
That's absurd. Talking purely about the UK right now: there were tens of thousands of cases logged with ICO since GDPR came into power. So far, there were only a handful of companies that had to pay fines, and their actions were either borderline criminal, or deliberate refusal to cooperate with ICO.
If it's the case I've seen [1], it wasn't someone sending a little mailing list newsletter to people who have opted in, it was someone sending complaints and CC'ing everyone they could get an e-mail address of. The article I saw also makes it sound very much like he was told to stop repeatedly.

Seems like an appropriate fine. Or do you think I should be allowed to collect 150 e-mail addresses, then e-mail them out to all 150 other people, after some of them told me not to do that?

[1] https://www.rosepartner.de/blog/bussgeld-fuer-offenen-e-mail...

The list has over 1600 recipients making it a bit larger than for "personal use". The quoted 187 recipients might just be one batch of recipients the examined mail was sent to.

The sender is also non-repentant and is running some sort of hate campaign.

I expect there would have been a warning given in that case before assessing a fine. Many of the less serious ones I read explicitly mentioned warnings that were ignored.
Seems to be proof it is being weaponized against behavior one doesn’t like, the behavior which is forbidden by the law.

This isn’t a one time slip up, it’s a 10 times slip up and chances are there were a lot of warnings this guy didn’t want to listen to. So he was hit where it hurts. Poor guy, it’s like he was caught speeding ten times and then got fined.

Woah. That's great!

In Poland we actually have a sort-of tradition, AFAIK started by one of computer security portals, where if you find yourself on the receiving end of such CC-instead-of-BCC, you kindly tell the company responsible that this can and should be picked up with data protection regulators, and it would be nice if they e.g. paid ~500-2k EUR equivalent to a charity of their choice.

I'm totally 100% in support of this against companies. Less so about private individuals, though a 150-people newsletter is kind of thought-out and organized thing, and then 2k EUR in Germany is probably less than a monthly paycheck. A hard hit, but survivable without loss of life quality.

Airbnb Germany did this once in a mail out to all hosts. We started a business (since closed) off the back of it.
Whether this guy is a victim of overzealous enforcement, or an example of the GDPR protecting people, is completely dependent on the context of the case and the nature of the mailing list.

The linked article suggests that the guy was sending out angry political rants and criminal accusations to thousands of people a day, which adds a further twist.

If that’s true then the GDPR was not used according to its spirit at all. They punished an annoying guy who was trying to get some attention. Of course Google or FB is fine...
This is crazy. I've seen it done plenty of times by accident in the past, because people don't know how to use BCC (and it's hidden by default in many clients).
Yeah, but ten times in a row? And that's just in half a month; it sounds like it could've been dozens of times over 3 months?

Nothing I've heard about this case sounds to me like an innocent mistake that a reasonable effort was made to correct.

I've accidentally smacked people on the street before (gesturing, probably). That's technically a crime, but it'd be crazy to prosecute me for a little mistake like that. But it's not crazy that hitting people is a crime and that people do get prosecuted for it in egregious cases.

Not just hidden. When using BCC, the information is never transmitted outside the sending server.
I think what they meant is the option to send as BCC instead of CC is hidden in most mail clients.
Thank you. That does indeed make more sense.
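The "script for sending 1 email at a time" suggested earlier in the thread and the point above about BCC, as an added example that is not code from the thread or from any mail client it mentions. It uses only Python's standard-library email package; the policy limit, the helper names and the addresses are assumptions constructed for illustration. It shows the three options side by side: the To/Cc mistake (every recipient sees the list), a Bcc send (the list ends up only in the SMTP envelope, never in a header other recipients receive, which is the stripping smtplib.send_message performs), and one message per recipient, with a preflight check that refuses to send anything exposing more than the allowed number of visible addresses.

```python
"""
Added example, not code from the thread: a preflight guard for outbound mail
that refuses a message whose To/Cc would expose more than a policy-set number
of addresses, and a splitter that turns one newsletter into one message per
recipient. Limits, helper names and addresses are assumptions for illustration.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Hypothetical policy: at most one address may be visible in To/Cc per message.
MAX_VISIBLE_RECIPIENTS = 1

# Constructed sample data, not real subscribers.
SENDER = "newsletter@example.org"
SUBSCRIBERS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def addresses_in(msg, *fields):
    """Bare addresses from every occurrence of the given header fields."""
    values = [str(v) for field in fields for v in msg.get_all(field, [])]
    return [addr for _name, addr in getaddresses(values) if addr]


def visible_recipients(msg):
    """Addresses every recipient will see in the delivered headers."""
    return addresses_in(msg, "To", "Cc")


def envelope_recipients(msg):
    """Addresses the MTA delivers to (SMTP RCPT TO): To + Cc + Bcc."""
    return addresses_in(msg, "To", "Cc", "Bcc")


def wire_message(msg):
    """Bytes as they leave the sending host: the Bcc header is stripped before
    transmission (smtplib.send_message does the same), so Bcc recipients exist
    only in the SMTP envelope, never in a header another recipient can read."""
    outgoing = message_from_bytes(msg.as_bytes(), policy=default)
    del outgoing["Bcc"]  # no error if the header is absent
    return outgoing.as_bytes()


def preflight(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Return a list of problems; an empty list means the message may be sent."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        problems.append(f"{len(visible)} visible recipients (limit {max_visible}); "
                        "use Bcc or per-recipient sends")
    if not envelope_recipients(msg):
        problems.append("no recipients at all")
    return problems


def build(sender, subject, body, to, bcc=()):
    """Assemble one message; 'to' and 'bcc' are lists of bare addresses."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def cc_mistake(subject, body, recipients, sender=SENDER):
    """The mistake from the thread: the whole list in To (Cc behaves the same)."""
    return build(sender, subject, body, to=recipients)


def bcc_send(subject, body, recipients, sender=SENDER):
    """Bulk send done right: To is the sender's own address, the list goes in Bcc."""
    return build(sender, subject, body, to=[sender], bcc=recipients)


def per_recipient_messages(subject, body, recipients, sender=SENDER):
    """Safest option from the thread: one message per recipient, each checked."""
    messages = []
    for rcpt in recipients:
        msg = build(sender, subject, body, to=[rcpt])
        problems = preflight(msg)
        if problems:
            raise ValueError(problems)
        messages.append(msg)
    return messages


if __name__ == "__main__":
    bad = cc_mistake("Newsletter", "Hello all", SUBSCRIBERS)
    print("To/Cc mistake, preflight says:", preflight(bad))
    good = bcc_send("Newsletter", "Hello all", SUBSCRIBERS)
    print("Bcc send, visible:", visible_recipients(good))
    print("Bcc send, envelope:", envelope_recipients(good))
    print("Bcc header on the wire?", b"Bcc" in wire_message(good))
    singles = per_recipient_messages("Newsletter", "Hello all", SUBSCRIBERS)
    print("per-recipient To headers:", [str(m["To"]) for m in singles])
```

The check belongs in whatever actually hands mail to the MTA (a wrapper around smtplib, or a milter on the outbound relay), not in the author's memory: a limit of one visible address makes the To/Cc variant fail closed while Bcc and per-recipient sends pass unchanged.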
It should have been more. The idiots who do this deserve it. My fiancé's ex employer used to send emails cc'ing contractors that haven't even seen each other. I've seen some small scale companies even try to send marketing emails to their small list of clients..
Different take: This is exactly what GDPR was designed for. It just hasn't been "weaponized" enough yet to have the bandwidth to deal with every situation, so situations like these seem like targeted attacks when in reality they're precisely what GDPR is supposed to deal with.

I personally think ~$15 per leaked email is a reasonable fine. I bet this guy and everyone else who reads this article won't accidentally leak emails again, and that's great.

The thing is, if this was a civil case you would have to prove some damages had been done by the leak. A random person leaking my email in CC - that happens a lot - is not even necessarily annoying, but for sure doesn't cause any damages.
But how is that different from any of the other privacy violations that are regulated? I doubt many of us could prove any damages from Amazon listening in on conversations made by our kids, or Google not properly disclosing that it's tracking our search clicks and GPS location for better ad targeting.

In fact, I'd argue that leaking an email that exposes a private association with a mailing list to other unknown people has much clearer potential for damage than any of the privacy issues that big companies get fined for. And yes, CC leaks do happen (not a lot, in my experience), but I'm personally upset about it every time - much more so than when I find out Google didn't get my consent before recording half of my internet activity. Just because the violation is something that "happens a lot" because it can be done by accident by a careless individual doesn't mean it's less serious.

+1. Privacy violations sure do cause damages, they're just very difficult to attribute. When someone suffers identity theft, which one of the dozens of leaking sieves with their data most enabled it?
Can you clarify what you mean by "The thing is"? Are you saying that's good, bad, or something else?

If a behavior is harmful and we want to stop it, but it's difficult to prove direct damages and therefore civil suits have been ineffective at curbing the behavior, then it seems like a reasonable public policy to impose fines on engaging in the behavior without requiring actual damages be proven in court.

(And if it's easy to innocently accidentally engage in the behavior, it seems reasonable to first issue warnings, and then impose fines if the behavior continues repeatedly.)

Whether there are damages depends on the context. In 2015 an HIV clinic in London used the to: field instead of bcc: on a patient newsletter, thus exposing the names of 700 patients, many of whom knew each other due to the small geographic area being served (https://www.theguardian.com/technology/2016/may/09/london-hi...). They were fined GBP180K (under the pre-gdpr regime, incidentally, so this isn't a new risk for businesses).
I think that is why my hospital network uses an online patient account for any messages instead of email. Easy to screw up this stuff if using email.
"The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee"

Yes, proof of weaponized gdpr use indeed (for very specific filtering cases of gdpr use).

In India, I often get government mails (e.g. reminder for some compliance) of local city with all the business owners in CC. I even went to authority in question to tell them about the privacy issue in vain.

So if a EU citizen's email id was part of the list, will it be liable for action according to GDPR?

Yes, but if an entity has no interest in interacting with the EU then they don't have to respond. You only need to care about a country's laws if (1) you want to do business or visit there or (2) you're going to piss them off to such a degree that they convince your home country to come after you.
> This seems to be proof that the GDPR is being weaponized against people and organizations one doesn't like.

Well, against people who publicly share private info of 150 other people who trusted them with those emails. 2K euros is not that huge money in Germany, it's not like they'll lose their house over it, and that certainly is a practice that needs to be stopped. Just being an amateur is not an excuse when you deal with other peoples' data.

Frankly I'm glad that GDPR has the teeth to get people to stop abusing reply-all chains and mailing lists.
> This seems to be proof that the GDPR is being weaponized against people and organizations one doesn't like.

What didn't they like about this person, and what proved that to you? And what proved that was the impetus for this fine?