City Hall of Lisbon in Portugal showing GDPR fine for personal data sharing

City of Lisbon Facing $1.4 Million GDPR Fine for Years-Long Practice of Funneling Activist Personal Data to Foreign Diplomats

A new General Data Protection Regulation (GDPR) fine out of Portugal is noteworthy not so much for its size as for the nature of the offense. The mayor’s office of Lisbon, national capital and largest city, has been handed a $1.4 million fine by the country’s data protection commission for providing the personal data of activists and organizers to foreign diplomats representing the countries these activists were protesting.

The practice has been a matter of city policy since at least 2012, when it was installed by a previous mayor’s administration. It was supposed to be curtailed as of 2018, when the GDPR took effect. However, the complaint demonstrates that it continued into 2021. Among other incidents, the personal contact information of supporters of Russian opposition leader Alexei Navalny was shared with that country’s authorities.

Protest organizers in Portugal have personal data sent to foreign agents

Though it had been a policy of the mayor’s office for nearly a decade, the issue became a scandal in Portugal in mid-2021 when authorities admitted to sharing information about protesters with Russian officials. Dissidents participating in a rally for Alexei Navalny in January 2021 had personal information that is required to be given to the Public Security Police (PSP) by law turned over to Russian diplomats: names, national identification numbers, home addresses and telephone numbers.

In some cases this impacted Russian-Portuguese dual citizens, who could find themselves in danger or targets of surveillance upon returning to Russia after being identified in this way. Russia has banned Navalny’s opposition movement and has labeled its supporters as “extremists.”

Portuguese police implemented the policy during the Covid-19 crisis, getting protesters to agree to it as a means of conducting contact tracing should an outbreak be tracked back to an event. The fact that this personal data was being shared with foreign officials was not discovered until one of the protest organizers received an email from Lisbon city hall that contained a copy of the form with their information being submitted to the Russian diplomats.

The mayor’s office is being assessed a $1.4 million fine by the country’s data protection authority, as the policy breaches multiple terms of the GDPR. In addition to the Navalny protest, the investigation found 52 incidents of Lisbon authorities sharing personal data in this way with various foreign agents during the period of applicable GDPR rules. Since 2012, there have been 225 incidents of this type.

“Core” breaches of the GDPR terms include failure to follow data transparency rules and rules governing the sharing of categories of sensitive personal data. However, the actions also violate the GDPR in light of the Schrems II ruling, which forbids the passing of EU resident data to any foreign country that does not have GDPR-equivalent data privacy standards.

The Lisbon mayor’s office had applied to have the fine reduced due to financial stress caused by the Covid-19 pandemic, an appeal that has worked for other entities, but was rejected in this case due to the seriousness of the charges. The data privacy commission said that pandemic factors had already been accounted for in the fine total, which was initially planned to be “much higher” due to the nature of the violations, potentially up to $23 million for each incident.

Former mayor Franscisco Medina’s office has attempted to paint the incident as a “bureaucratic error.” Medina was voted out of office during a late 2021 election, in no small part due to this scandal.

Serious concerns about safety of activists, dissidents in Portugal

Other countries that apparently received the personal data of organizers and activists include China, Cuba, Israel, Venezuela and Angola. Much of this came from protests that were held in front of the national embassies of these countries, but for other incidents it is unclear what the security justification might have been for allowing this.

The report found that Lisbon’s policy of sharing information with these countries dates back roughly a decade. Even before the enhanced collection of information from participants during the Covid-19 crisis, the mayor’s office would reportedly share the information from protest permit applications with these countries. One organizer, Alexandra Correia, had the personal data on her permit given over to the Chinese embassy in 2019 due to holding a rally in support of Tibet’s 11th Panchen Lama. Correia says the rally was not held anywhere near the Chinese embassy.

Though it had been a policy of the mayor's office for nearly a decade, the #datasharing issue became a scandal in mid-2021 when authorities admitted to sharing information about protesters with Russian officials. #privacy #respectdataClick to Post

The revelation has scared political activists in the country, who often have family members in the nations that their protests target. The list of nations that personal data was shared with includes those with regimes that have long-standing track records of repressing dissent through inhumane means.