A medical technology firm notified the Italian Supervisory Authority (the “Garante”) of a Bcc data breach. That notification triggered a wider investigation and fine. We consider the practical implications.

Background

Medtronic Italia provides the Minimed Mobile (the “App”). That App links an insulin pump to the user’s smartphone so that the user can visualise the information from the pump on their smartphone. Once the user creates an account on “CareLink Personal”, the App receives the data from the insulin pump and, at the user’s discretion, synchronises the information with the CareLink Personal user’s account.

Unfortunately, Medtronic was subject to a personal data breach after sending an email to the users of its App. This was a Bcc data breach, in that the recipients of the email were all in the “To” field (instead of the “Bcc” field) and hence visible to each recipient. Medtronic notified the personal data breach to the Garante.

The data breach notification triggered an investigation by the Garante into not just the personal data breach but also the wider processing by Medtronic. In particular, the Garante sought confirmation that:

• The user sees Medtronic’s privacy policy and consent is sought at the time of the account registration on CareLink Personal. This takes place before a user provides his/her personal data.
• In 2020, during the Covid-19 pandemic, Medtronic activated additional functionality in Italy named “Health Partner Share” (“HPS”). This function allows the user to give specific and express consent for their health data to be shared with their doctor (subject to the doctor also creating an individual account with CareLink Personal). For these purposes, Medtronic and the doctor act as independent data controllers.

The breaches and sanction

The Garante found that Medtronic failed to comply with the GDPR and, in doing so, confirmed that emails are personal data. The breaches consisted of:

• Security failure – Although the email notified to users was a simple service notice, it revealed health data as it was addressed to individuals who use the App and therefore would be diabetic. There was no justification for revealing this information to all of the recipients of the email. This was a breach of Articles 5(1)(a)(f), 9 and 32 of the GDPR.
• Transparency failure – The privacy policy provided to users was not clear, especially in relation to the processing of personal data that occurs when the user and doctor’s account are linked on CareLink via the HPS function. Furthermore, the legal basis for this disclosure was not specified, in breach of the correctness and transparency purposes as of Articles 5(1)(a), 12 and 13 of the GDPR.

The Garante issued administrative fines against Medtronic of EUR 250,000 (security failings) and EUR 50,000 (transparency failings).

Conclusions

There are three important points to come out of this fine.

First, regulators are unlikely to be sympathetic to Bcc data breaches. Whilst these are often the result of human error and/or failure to follow guidelines and policies, there should really be no possibility of this type of mistake happening in the first place. For example, the UK Information Commissioner suggests that where the email contains special category of personal data, emails should be sent using specialist email services to prevent recipient details being included in the “To” or “Cc” fields (here).

Second, this is another example of the Garante requiring clear and specific disclosure of the legal basis (and related purposes) relied upon for each processing operation. A detailed and clear privacy policy is key to protecting yourself against sanctions should you be investigated.

Finally, this is a salutary lesson that notifying a personal data breach may well trigger a broader investigation, especially when it involves special categories of personal data.