LastPass risking a €20 million GDPR fine due to unresolved bugs


In the EU, data privacy and the way a company manages a private person’s data are taken very seriously. This is in stark contrast to the way data privacy is handled in the United States, and if a company from the United States wishes to do business in the EU, it must follow the GDPR guidelines or suffer potentially grave consequences.

These are not empty threats. In July, Amazon Europe paid the largest GDPR violation penalty in history. The retail giant was ordered to pay a whopping €746 million after a 10,000-person complaint about the way it processes user data, which was found to be in violation of users' privacy.

It seems that LastPass, which is busy playing cleanup after December’s security debacle, might be throwing its hat in a ring of burning cash. In a Reddit post, user /u/nametaken_thisonetoo posted his grievances with the company, explaining the numerous ways the software holds your data hostage. The post was quickly followed up by an article on AlternativeTo where the author connected these pain points to violations of the GDPR.

Of the many grievances listed, some really stand out, and they all revolve around tactics that make it hard, if not impossible, for a LastPass free user to export their personal data. For instance, if you’ve dropped down to a free account, LastPass can lock you into their desktop browser offering after three switches between mobile and desktop. Once you’re locked into the desktop plugin, you may not be able to export your data because of a myriad of unanswered bugs.

LastPass forum user tombrady reported this bug on 3/21/2021: options to export data are simply greyed out with no recourse, and there is still no solution almost ten months later. Interestingly, the forum post was marked as an "accepted solution" by LastPass staff member GlennD, who said, “We are aware of this issue and will be releasing an update very soon to correct this.”

In spite of this, the forum post continues to receive complaints from users about their data being held hostage, with no actual confirmation of the bug being fixed. There have been two posts in the last 24 hours asking why the bug still hasn’t been fixed. Meanwhile, GlennD is seemingly fixing all the reported errors by hand. The fact that this bug exists at all may be in direct violation of Article 20 of the GDPR, Right to data portability. This article explicitly states that users should have access to their data, in a ‘commonly used and machine-readable format’, without distinction between paying and non-paying customers.

Snapshot of Article 20 section 1 of GDPR

Another complaint is that LastPass doesn’t offer a traditional channel of support. I wanted to see for myself if this is true, and after I spoke with Sparky, their virtual assistant, I’ve surmised that this is true. While phone and email support are available for LastPass Premium customers, they're not available for free customers.

This means if you’re in a situation where you don’t have access to your data because of a LastPass bug, you will have to rely on the LastPass forums, which, as evidenced above, are a spotty experience that may or may not lead to a solution. By restricting phone and email support from free customers, LastPass seems to again be in violation of Article 20 of the GDPR, leaving itself vulnerable to a considerable fine.

Source: AlternativeTo via Reddit
