Klarna must pay a fine equivalent to some 671,000 euros from Sweden's Administrative Court of Appeal for violating the General Data Protection Regulation (AVG). The payment service failed to adequately inform customers about the collection and processing of personal data. Klarna cannot yet say whether it will acquiesce to the fine decision.
So writes the US news agency Reuters (1).
Companies and organizations operating in Europe are required by European privacy laws to inform customers about how they handle their data. They must explain what data they collect, for what purposes, whether they share this data with other parties and how long they store the data.
A lower court ruled last year that in privacy statements used between March and June 2020, Klarna did not provide sufficient information to customers about how their personal data was stored. For that, the Swedish payment service had to pay a fine of 6 million kronor, or more than 537,000 euros.
Klarna disagreed with the decision because its privacy statements have since been updated several times to comply with the AVG. Moreover, there was no connection to how the company collected or processed data. The payment service therefore appealed. The Swedish Administrative Appeals Court ruled on the case on Monday.
The court stated that the fine imposed by the lower court was justified. It added that the disclosures were also unclear or difficult to access. So the court increased the original fine amount from 6 million kronor to 7.5 million kronor, which amounts to about 671,000 euros. That is the original fine amount demanded by the Swedish Data Protection Authority.
Whether Klarna accepts the privacy fine or takes further action is unclear. "We have just received the court decision and it is too early to comment," a company spokesman told Reuters.
This is not the first time Klarna has been fined for violating the AVG (2). In April 2022, Swedish privacy watchdog IMY ruled that the financial services provider constantly changed information about data processing on its website. Information about the data the company provided to third parties was also "incomplete and misleading." Finally, Klarna was not transparent about customers' privacy rights. For this, the Swedish company was fined the equivalent of €728,000.
In early 2021, the Consumers' Association claimed that Klarna does not adequately protect customers from identity fraud (3). The pressure group discovered in September 2020 that it was possible to place an order via Klarna in someone else's name and account. Meanwhile, the order was neatly delivered to the fraudster's home. At checkout, the payment service did not ask for a password. Filling in personal data was sufficient, according to the Consumers' Association. There was also no form of multi-factor authentication.
In response to these allegations, Klarna took additional security measures and promised to compensate victims of identity fraud.
(1) https://www.reuters.com/technology/swedens-klarna-fined-733000-over-data-protection-shortcomings-2024-03-11/
(2) https://www.vpngids.nl/nieuws/klarna-krijgt-boete-van-728-000-euro-voor-overtreden-avg/
(3) https://www.vpngids.nl/nieuws/klarna-beschermt-onvoldoende-tegen-identiteitsfraude/
