Swedish DPA fines Apoteket and Apohem for transferring Sensitive Data to Meta
IMY imposes fines totaling 45 million SEK on two pharmacy chains for improperly sharing customer data through Meta Pixel tool.
The Swedish Data Protection Authority (IMY) has imposed fines totaling 45 million Swedish kronor on two major pharmacy chains, Apoteket AB and Apohem AB, for improperly transferring sensitive personal data to Meta Platforms Inc. through the use of Meta's tracking pixel on their websites. The decision, announced on August 30, 2024, comes after a lengthy investigation following data breach notifications submitted by both companies in 2022.
Apoteket AB, Sweden's largest state-owned pharmacy chain, has been ordered to pay a fine of 37 million kronor (approximately $3.4 million USD), while the online pharmacy Apohem AB faces a penalty of 8 million kronor (about $730,000 USD). The fines were levied due to violations of the EU's General Data Protection Regulation (GDPR), specifically Article 32 which requires appropriate technical and organizational measures to ensure data security.
The investigation revealed that both companies had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
For Apoteket, the unauthorized data transfer occurred between January 19, 2020, and April 25, 2022. Apohem's incident spanned from April 15, 2021, to April 26, 2022. The transferred data included information about customers' purchases of over-the-counter medications, products related to specific health conditions, sexual health items, and other sensitive personal information. Importantly, no data regarding prescription medications was compromised in either case.
Shirin Daneshgari Nejad, a lawyer at IMY, stated, "Processing this type of privacy-sensitive personal data involves high risks that require a high level of protection. The companies had an obligation to take appropriate measures to protect the data from being shared with unauthorized parties."
The investigation highlighted several key issues:
- Scale of the breach: Apoteket estimates that up to 930,000 individuals may have been affected, while Apohem reports approximately 15,000 affected customers.
- Types of data transferred: Information included names, email addresses, phone numbers, postal addresses, and details of purchased products such as self-tests for sexually transmitted infections, contraceptives, sexual wellness products, and items related to various health conditions.
- Lack of oversight: Both companies failed to implement adequate procedures to detect and prevent the unauthorized data transfers. The breaches were only discovered and halted after being brought to the companies' attention by external sources.
- Duration of the incidents: The data transfers continued for over two years in Apoteket's case and for more than a year for Apohem.
Maja Welander, another lawyer at IMY, emphasized the importance of ongoing security measures: "Our review shows that the companies did not have the necessary procedures in place to detect the deficiencies themselves. As a result, the transfer of personal data continued for an extended period and was only stopped after the companies were made aware of the incident by outsiders."
Both Apoteket and Apohem have since taken steps to improve their data protection practices. They have updated internal procedures to ensure proper handling of personal data and immediately disabled the Meta pixel upon discovering the breach.
The fines imposed by IMY are based on the companies' annual turnover and the severity of the GDPR violations. Apoteket, with a reported annual turnover of 23.27 billion kronor in 2023, faced a higher penalty due to its larger size and the more extensive nature of its data breach.
This case highlights the ongoing challenges companies face in managing customer data while utilizing third-party marketing tools. It also underscores the importance of regular security audits and the potential consequences of failing to adequately protect sensitive personal information.
IMY has indicated that it is conducting several other investigations related to the use of Meta's pixel technology and unauthorized data transfers to the social media giant. These decisions serve as a warning to other businesses about the need for vigilance in data protection practices, especially when dealing with health-related information.
The pharmacy chains have the right to appeal the decisions to the Administrative Court in Stockholm within three weeks of receiving the rulings.
Key facts
- Date of announcement: August 30, 2024
- Fines imposed: 37 million SEK for Apoteket AB, 8 million SEK for Apohem AB
- Violation period: January 2020 to April 2022 (Apoteket), April 2021 to April 2022 (Apohem)
- Estimated number of affected individuals: Up to 930,000 (Apoteket), approximately 15,000 (Apohem)
- GDPR article violated: Article 32 (security of processing)
- Data compromised: Customer names, contact information, and details of non-prescription health product purchases
- Cause of breach: Improper configuration of Meta Pixel advanced matching feature