Lisbon fined €1.25m for sharing personal data to foreign embassies

Lisbon received a fine for violating EU general data protection regulation. It shared the personal data of protesters with foreign embassies targeted by the protests. The fine accounts for 0.1% of the city’s annual budget.

Lisbon Mayor Fernando Medina
Lisbon is fined €1.25 million for violating EU data protection regulation during Fernando Medina’s tenure | Fernando Medina celebrating his reelection victory in Lisbon © Pedro Nunes via Reuters, October 2017

The Portuguese data protection authority sanctioned Lisbon’s mayor office with a fine of 1.25 million euros (US$1.43 million) on January 14.

Lisbon shared the personal data of protest organizers with embassies of countries targeted by the protests.

The case was revealed to the public in June 2021 when Ksenia Ashrafullina said she had received an email showing the city hall had shared data on her and fellow organizers with the Russian embassy.

Ksenia Ashrafullina is a Russian-Portuguese who organized a protest rally in Lisbon in support of Alexei Navalny, a jailed Russian politician poisoned in 2020 and critic of the Kremlin.

Personal data about organizers were sent to embassies when protests targeted their countries. Cuba, Angola, Venezuela, Israel or Russia‘s representative offices received such data.

An internal investigation showed that Lisbon shared data with foreign embassies since 2012. Organizers of 180 protests saw their personal data shared with foreign countries.

In 2011, the duties of managing protests were transferred from the government to municipalities.

Lisbon shared personal data and violated GDPR provisions

During that time, Lisbon was governed by left-leaning mayors from the Socialist Party. António Costa was Lisbon’s mayor between 2007 and 2015 before forming a coalition that led him to become Prime Minister, a role he’s been holding since. Fernando Medina, from the Socialist Party, succeeded Costa in 2015 and was reelected in 2017.

Medina conceded his defeat in local elections won by the center-right candidate Carlos Moedas on September 2021.

With the General Data Protection Regulation, the European Union has banned such data transfers since 2018. The fine corresponds to 225 data breaches violating various provisions of the GDPR regulation, only punishing practice during Mr. Medina’s tenure.

According to the Portuguese data protection authority, the mayor’s office shared personal information related to 52 protests with embassies and other entities between 2018 and 2021.

A fine accounting for 0.1% of Lisbon’s annual budget

In a statement, the current Lisbon mayor said the fine was a “heavy legacy […] left to the people of Lisbon” and a challenge for the budget.

Lisbon’s proposed budget for 2021-2022 is €1.16 billion, with a deficit of €346 million. The fine amounts to 0.1% of Lisbon’s annual expenditure.

Ashrafullina told Reuters she was satisfied with the decision: “We have been waiting for it, and it finally came.” Nevertheless, she is still scared about the consequences of such data-sharing if she ever needed to go back to Russia.

Read more about Portugal

CNPD aplica sanção ao município de Lisboa, CNPD, January 2022, Free access

Related Articles

Back to top button