IMY imposes fines totaling 45 million SEK on two pharmacy chains for improperly sharing customer data via Meta Pixel software.
The Swedish Data Protection Authority (IMY) has imposed fines totaling 45 million Swedish kronor on two major pharmacy chains, Apoteket AB and Apohem AB, for improperly transferring sensitive personal data to Meta Platforms Inc. through the use of Meta's tracking pixel on their websites. The decision, announced on August 30, 2024, comes after a lengthy investigation following data breach notifications submitted by both companies in 2022.
Apoteket AB, Sweden's largest state-owned pharmacy chain, has been ordered to pay a fine of 37 million kronor (roughly $3.4 million USD), while the online pharmacy Apohem AB faces a penalty of 8 million kronor (about $730,000 USD). The fines were levied for violations of the EU's General Data Protection Regulation (GDPR), specifically Article 32, which requires appropriate technical and organizational measures to ensure the security of personal data.
The investigation revealed that both companies had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
For Apoteket, the unauthorized data transfer occurred between January 19, 2020, and April 25, 2022. Apohem's incident spanned from April 15, 2021, to April 26, 2022. The transferred data included information about customers' purchases of over-the-counter medicines, products related to specific health conditions, sexual health items, and other sensitive personal information. Importantly, no data relating to prescription medicines was compromised in either case.
Shirin Daneshgari Nejad, a lawyer at IMY, stated, "Processing this type of privacy-sensitive personal data entails high risks that require a high level of protection. The companies had an obligation to take appropriate measures to protect the data from being shared with unauthorized parties."
The investigation highlighted several key issues:
- Scale of the breach: Apoteket estimates that up to 930,000 individuals may have been affected, while Apohem reports approximately 15,000 affected customers.
- Types of data transferred: Information included names, email addresses, phone numbers, postal addresses, and details of purchased products such as self-tests for sexually transmitted infections, contraceptives, sexual wellness products, and items related to various health conditions.
- Lack of oversight: Neither company had implemented adequate procedures to detect and prevent the unauthorized data transfers. The breaches were only discovered and halted after being brought to the companies' attention by external sources.
- Duration of the incidents: The data transfers continued for over two years in Apoteket's case and for more than a year for Apohem.
Maja Welander, another lawyer at IMY, emphasized the importance of ongoing security measures: "Our review shows that the companies did not have the necessary procedures in place to detect the deficiencies themselves. As a result, the transfer of personal data continued for an extended period and was only stopped after the companies were made aware of the incident by outsiders."
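The failure mode described above is the combination of a pixel initialised with advanced matching identifiers and purchase events that carry product details. As an added example (not code from IMY, either pharmacy, or Meta), here is a small audit script a site owner could run over their own page templates to flag that combination before it ships. The `fbq` call shapes follow Meta's public Pixel API; the HTML snippet and pixel id are constructed.

```python
import re

# Constructed sample of a checkout page's inline scripts (not from any real site).
SAMPLE_HTML = """
<script>
fbq('init', '000000000000000', {em: 'anna@example.com', ph: '46700000000'});
fbq('track', 'PageView');
fbq('track', 'Purchase', {value: 129.00, currency: 'SEK',
    content_name: 'Chlamydia self-test', content_ids: ['SKU-1234']});
</script>
"""

# fbq('init', '<pixel id>', {optional advanced-matching object})
INIT_RE = re.compile(
    r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]\s*(?:,\s*(\{.*?\}))?\s*\)""", re.S)
# fbq('track'|'trackCustom', '<event>', {optional parameters object})
TRACK_RE = re.compile(
    r"""fbq\(\s*['"]track(?:Custom)?['"]\s*,\s*['"]([^'"]+)['"]\s*(?:,\s*(\{.*?\}))?\s*\)""", re.S)

# User-identifier keys Meta documents for manual advanced matching.
AM_KEYS = {"em", "ph", "fn", "ln", "ct", "st", "zp", "country", "ge", "db", "external_id"}
# Standard event parameters that reveal what was bought.
PRODUCT_KEYS = {"content_name", "content_ids", "contents", "content_category"}

def _keys(obj_literal):
    """Extract top-level keys from a JS object literal such as {em: '...', ph: '...'}."""
    return set(re.findall(r"(\w+)\s*:", obj_literal)) if obj_literal else set()

def audit_pixel(html):
    """Return findings: ('advanced_matching', pixel_id, keys) and ('product_detail', event, keys)."""
    findings = []
    for pixel_id, params in INIT_RE.findall(html):
        hit = sorted(_keys(params) & AM_KEYS)
        if hit:
            findings.append(("advanced_matching", pixel_id, hit))
    for event, params in TRACK_RE.findall(html):
        hit = sorted(_keys(params) & PRODUCT_KEYS)
        if hit:
            findings.append(("product_detail", event, hit))
    return findings

def is_sensitive_combination(findings):
    """True when identifiers and product details would leave in the same pixel session."""
    kinds = {f[0] for f in findings}
    return {"advanced_matching", "product_detail"} <= kinds

if __name__ == "__main__":
    for finding in audit_pixel(SAMPLE_HTML):
        print(finding)
    print("sensitive combination:", is_sensitive_combination(audit_pixel(SAMPLE_HTML)))
```

Automatic advanced matching enabled in Meta's Events Manager leaves no trace in the page source, so this check covers only the manual form; a network-level review of the pixel requests is needed for the rest.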
Both Apoteket and Apohem have since taken steps to improve their data protection practices. They have updated internal procedures to ensure proper handling of personal data and immediately disabled the Meta pixel upon discovering the breach.
The fines imposed by IMY are based on the companies' annual turnover and the severity of the GDPR violations. Apoteket, with a reported annual turnover of 23.27 billion kronor in 2023, faced the higher penalty due to its larger size and the more extensive nature of its data breach.
This case highlights the ongoing challenges companies face in managing customer data while using third-party marketing tools. It also underscores the importance of regular security audits and the potential consequences of failing to adequately protect sensitive personal information.
IMY has indicated that it is conducting several other investigations related to the use of Meta's pixel technology and unauthorized data transfers to the social media giant. These decisions serve as a warning to other businesses about the need for vigilance in data protection practices, especially when dealing with health-related information.
The pharmacy chains have the right to appeal the decisions to the Administrative Court in Stockholm within three weeks of receiving the rulings.
Key facts
- Date of announcement: August 30, 2024
- Fines imposed: 37 million SEK for Apoteket AB, 8 million SEK for Apohem AB
- Violation period: January 2020 to April 2022 (Apoteket), April 2021 to April 2022 (Apohem)
- Estimated number of affected individuals: Up to 930,000 (Apoteket), approximately 15,000 (Apohem)
- GDPR article violated: Article 32 (security of processing)
- Data compromised: Customer names, contact information, and details of non-prescription health product purchases
- Cause of breach: Improper configuration of Meta Pixel advanced matching feature