The Washington PostDemocracy Dies in Darkness

Lisbon fined $1.4 million for sharing personal data of protesters with foreign countries, including Russia

Lisbon's former mayor, Fernando Medina, was defeated by his conservative opponent in last year's election, months after an investigation found that the municipal office had illegally shared personal information. (Pedro Nunes/Reuters)

The mayor’s office in Lisbon, Portugal’s capital, has to pay a $1.4 million fine for sending the personal information of protest organizers to foreign diplomats whose countries were the targets of those political demonstrations, the European country’s data protection commission announced Friday.

Among the countries that received such sensitive data was Russia, where authorities are accused of increasingly cracking down on its critics.

The national commission ruled that the fine was justified based on the 225 instances in which Lisbon authorities violated the General Data Protection Regulation. The practice of data-sharing, which dates as far back as 2012 under a previous mayoral administration, became illegal after the sweeping set of data-protection laws were enacted across the European Union in 2018. Nevertheless, data-sharing continued until last year.

Lisbon’s municipal government failed to follow transparency regulations and illegally shared private data, among other infractions, the commission said.

The regulatory body added that it rejected Lisbon’s request to pay less because the amount of the fine had already taken into account the pandemic-induced financial strain the government was under.

A “much higher” fine would have been justified because of “the degree of censorship of [Lisbon’s] conducts and the risks” that these organizers face, the report said. (Serious violations of GDPR can result in fines exceeding $22 million.)

Europe, not the U.S., is now the most powerful regulator of Silicon Valley

Last summer, Lisbon’s municipal office, led by then-Mayor Fernando Medina, drew public criticism after it admitted that personal details of at least three dissidents organizing a local demonstration in support of the jailed Russian opposition leader Alexei Navalny were shared with Russian officials. An investigation by Medina’s office found further breaches, and Medina apologized for what he called a “bureaucratic error.”

Ksenia Ashrafullina, one of the protest organizers affected by the leak, found out that information such as her phone number and home address had been given to the Russian embassy in Portugal, as well as Russia’s foreign ministry in Moscow, based on email exchanges she had with local authorities, the Associated Press reported last June.

Her private information was required to apply for permission to hold the demonstration, Ashrafullina told AP, adding that the data-sharing could put her and other Russian dissidents in danger. She did not respond to request for comment from The Washington Post early on Saturday.

Other than Russia, countries such as Cuba, Angola, Venezuela and Israel, had also received private information of protest organizers targeting them, according to Reuters.

Months after the scandal, Medina, a member of the center-left Socialist Party, was voted out of office and replaced by Carlos Moedas from the right-leaning Social Democrat Party. Medina did not immediately respond to a request for comment from The Post.

GDPR places heavy restrictions on data transfer outside the European Union, allowing such a move for about a dozen countries. A common data protection agreement used in the United States, for instance, does not adequately uphold E.U. privacy law, a top E.U. court ruled in 2020.

Lisbon’s mayor’s office said in a statement the national commission’s decision was “a heavy legacy” left by the former administration and that the fine would cause a strain on its budget, according to Reuters.

“We will evaluate this fine in detail and how best to protect the interests of citizens and the institution,” the office added.