Netcompany fined record high DKr 15m by the Danish Data Protection Authority

The company violated data protection regulation multiple times when launching the new digital mailbox mit.dk.

The Danish Data Protection Authority, Datatilsynet, has reported Netcompany to the police and recommended its largest fine to date for data protection violations. It has proposed a fine of at least DKr 15m ($2.2m) for several cases in relation to Netcompany’s development of the digital mailbox mit.dk.

According to Datatilsynet, the company did not ensure an adequate level of security in the development of the digital mailbox, nor had it prepared a consequence analysis. The company also failed to build appropriate security measures into the design of the solution itself.

The mailbox, which opened in March 2022, can be used to receive mail from governments, book doctor’s or dentist’s appointments, pay electricity bills, share documents with hospitals or general practitioners, manage finances and more.

Citizen information rights

“Preparing an impact analysis is not a formality. The analysis is an important guarantee of legal certainty for citizens’ rights when the processing of their information has an inherent high risk,” said Vibeke Dyssemark Thomsen, chief consultant at the Danish Data Protection Authority.

“The work with such an analysis involves a thorough and structured process, which provides a better and more detailed overview of the risks associated with a certain solution, just as in the process the necessary measures must be found and implemented to address and reduce the risk. The impact analysis must be done before the treatment starts, so that you are sure that all key risks have been handled and all high risks reduced.”

Inappropriate coding

Even though the company carried out tests such as code review, static code analysis and performance tests before launching the mailbox, it failed to discover ‘inappropriate coding’ in the component that authenticated the users. When users logged in, an error occurred that meant they were able to access other users’ digital mail and gain access to confidential and sensitive information, which, the authority said, led to “an unnecessarily high risk for all users of mit.dk”.

“When developing IT solutions, you must – before starting to process personal data – identify the specific risks and especially the most critical risk scenarios that the individual IT solution may involve, so that you can take them into account with appropriate security measures. And when you subsequently test your solution, it is crucial that there is an extra focus on the particularly critical risk scenarios,” Dyssemark Thomsen continued.

The authority says that the amount of the recommended fine reflects the fact that the product has a large number of users.

“Danish society is highly digitized, and therefore it is crucial that citizens can trust that the security of the national critical infrastructure is in order. A case like this can go beyond that trust, and for this reason, the Danish Data Protection Authority also had to crack down hard. Solutions like mit.dk have to manage citizens’ data responsibly, securely and with respect for the individual’s privacy,” said Dyssemark Thomsen.