The Asper Biogene genetic data leak is the largest and most serious in Estonian history and could bring a change in the way personal data is protected and handled in Estonia, Risto Hübner, a specialist in IT law, IP law and data protection, said. He advised people whose data was leaked to contact hospitals and Asper Biogene to claim damages.
"I don't know of such a serious case in Estonia. We had a case here in the summer about the population register, which caused a lot of discussion, but there has never been a case like this before. I think there's certainly a lot of procedural work to be done here," Risto Hübner, the managing partner and attorney-at-law at Nordx Legal and member of the Board at the Estonian Bar Association, told "Vikerhommik" on Wednesday. He said that professionally speaking this is a very interesting case.
The number of parties involved in the case is very large, with 10,000 individuals' data compromised and 42 hospitals and other healthcare providers involved in addition to Asper Biogene, setting the stage for a very large number of lawsuits, he said.
"There are a lot of people affected, data subjects, 10,000 patients, very sensitive data leaked, special categories of personal data, genetic data, health data, plus 42 companies, institutions, including the largest hospitals in Estonia involved in this process as data controllers. There are many of these parties and proceedings can certainly be brought against all of them. Obviously, the Data Protection Inspectorate, if it has not already done so, will also start proceedings against all the hospitals, all the health care institutions – I think it certainly has to do so. People also can make claims directly against the hospitals, as well as directly against Asper Biogene," Hübner said.
The amount of damages depends on the circumstances
People whose data has been leaked could seek compensation for moral damages, non-pecuniary damages as well as pecuniary damages, he said. "The pecuniary damage may yet become clear – depending on whether there will be some kind of ransom demands and so on. Time will tell," Hübner said.
As an example, he cited the case of the data leak from the Finnish psychotherapy clinic Vastaamo, which was followed by blackmail, scams and identity theft for thousands of people.
Hübner advised people whose data may have been leaked to be very alert and vigilant if someone calls and starts saying something about their health data, and also to be wary of emails and possible phishing attempts.
The police should definitely be contacted if they try to extort something from a person on the basis of these data, he stressed.
Hübner said there are different approaches to calculating the amount of damages. "Here we can talk about non-pecuniary damage, the practice of which is of course quite complicated. But as a quick interlude, just last week a European Court of Justice ruling came down saying that a person's mere fear that his or her data might be misused in the future, for example as a result of this leak, can give rise to a claim for non-pecuniary damage, and non-pecuniary damage can be claimed from a court, at the court's discretion," he said.
"And the financial loss will depend on the circumstances, so that if a person falls victim to some kind of extortion, is further deprived of some kind of financial resources as a result of some kind of identity fraud or something like that – that's where it comes in," Hübner said.
Worth looking into leaked data
People might also be interested to know exactly what information was leaked about them.
"I have spoken to a few people who have been affected by this data leak, and I have heard that the announcements so far have been rather general. In fact, people could be bolder in asking for clarification themselves. Data controllers need to be able to justify and talk specifically about what data was leaked," he said.
"The data processor must tell the person exactly what was exposed. This is also important so that if, at some point, the individual wants to consider filing a claim for damages, he or she will know exactly what happened."
Hübner also said that the Data Protection Inspectorate gives every individual the right to ask for an explanation of how their data is processed.
"This is also one of the basic principles - transparency of data protection, so that if we take for example the same 42 organizations, where their data protection conditions are written, where it is written what data they process, where it is written to whom they transfer this data, where it is written how long this data is stored – all this must be available to the individual in plain language and in an understandable way. Again, practice shows that this is not done very often in Estonia," he said.
Data already available in Estonia can be easily combined with the leaked data
In the case of Estonia, the leaked genetic data can be combined with other data available on people, Hübner added. "There is a lot of public data on people in Estonia in general, people are easy to profile. And that poses a broader – as I think the agency rightly pointed out in an interview – actually also a security threat at the national level, where people lose control over their data in this way," he said.
Hübner also acknowledged that people in Estonia have shown little willingness to stand up for the protection of their personal data.
"The general attitude is that I have nothing to hide anyway, which is certainly not the case in practice. That is why I think that this case, although extremely unfortunate, is a good opportunity to learn about the associated risks. And if there is anything useful to come out of this, it is this increased awareness," Hübner said. Estonia probably has the lowest level of data protection awareness in Europe.
Estonian companies have been careless so far
"Estonian companies and organizations are in fact massively ignoring the requirements of the General Data Protection Regulation (GDPR) in Europe.
And also here (in the Biogene case - ed.), just purely based on my own day-to-day practice, the likelihood is extremely high that these breaches are widespread throughout the entire data processing cycle, starting from the hospitals all the way out to this laboratory – that likelihood is very high," Hübner said.
The reason for this situation, according to the lawyer, is carelessness and indifference, and the attitude that if a competitor does not invest in it, why should I deal with it.
"And also a sense of impunity, because in the last five and a half years that the European Union's General Data Protection Regulation, or GDPR, has been implemented in Estonia, there have actually been no penalties for violations. There were a number of legal reasons for this, which should have been resolved in principle by now," he said.
Hübner pointed out that the first serious case is that of the East Tallinn Central Hospital, where he is aware that a fine of €200,000 was imposed, but the case has not yet reached a final decision.
Data protection is a question of democracy and human rights
Hübner stressed that the protection of personal data is part of the protection of democracy and individual freedoms.
"It is very important to note that the right to the protection of personal data is a fundamental human right and, like the right to privacy, a right to respect for private life. These are two very closely related rights, which in turn are prerequisites for many other fundamental rights and freedoms, and in a broader sense for the functioning of the rule of law and democratic societies in general. If this pillar is unprotected in Estonia, and indeed I think it has been largely unprotected over the last five and a half years since the implementation of the GDPR, then we still have a pretty serious problem in the society," he said.
"Like I said, maybe this data leak will at least provide an opportunity for people to become more aware of the problem and also at the government level that it needs to be addressed," he said.
Editor: Mait Ots, Kristina Kersa