Census authority FINED €4.3 million for data protection breaches

Census authority FINED €4.3 million for data protection breaches

Significant lapses identified in INE’s handling of 2021 Census

Portugal’s data protection commission (CNPD) has slapped INE statistics institute with a €4.3 million fine for “significant” lapses during the handling of the 2021 Census.

According to the CNPD’s decision consulted today by Lusa, at issue are violations (by INE) in the processing of special categories of personal data.

Data protection laws imply duties of information to data subjects, explains Lusa. They also establish rules applicable to the hiring of a company to manage the data collected in censuses. Yet INE appears not to have played by the book.

Also considered breaches were INE’s actions “in relation to transfers of data to third countries and failure to carry out an impact assessment on personal data”.

The commission believes INE’s actions constitute five offences “provided for and punishable” by general rules on data protection (RGPD), stressing that the offences “assume a significant degree of seriousness, given the number of data subjects concerned (…), the context in which violations were committed, especially the obligation to respond to the 2021 Census and the conviction that this was mandatory”.

The CNPD’s decision accuses INE of “negligent conduct” by violating the duty of transparency and the duty of care).

The CNPD also considers INE “acted with malice by not checking with the company that would collect and manage personal data to ensure that it would not pass the data to third countries”, says Lusa.

It concluded two administrative offences resulted from negligence and three were committed intentionally.

According to the commission, INE showed “a disregard for the principles and obligations set out in the RGPD, by relying on an intervention by the supervisory authority [CNPD], instead of taking the initiative to ensure that the census operation complied with that regime”.

The five administrative offences gave rise to five fines amounting to €6.5 million euros. 

“However, even recognising a “high degree of censurability of the defendant’s conduct” and the need for a “sanction that reflects the high censurability of this behaviour”, the body acknowledged the absence of a history of infractions by INE, thus “applying a single fine of €4.3 million”.

Lusa gives some background to this story, explaining the 2021 census “became embroiled in controversy after the contract with the company Cloudflare, responsible for the security of the website that collected responses to the census, was disclosed, showing it provided for the transfer of personal data to the United States of America and other countries”.

The National Commission for Data Protection has since demanded the suspension of any transfer of personal data, with INE suspending the contract with Cloudfare.

Source: LUSA