Portugal's data protection commission announced that the mayor's office in Lisbon must pay a $1.4 million fine for sending the personal information of protest organizers to foreign diplomats whose countries were the targets of those political demonstrations.
Among the countries that received such sensitive data was Russia, where authorities are accused of increasingly cracking down on critics.
The Portuguese commission ruled that the fine was justified based on 225 instances in which Lisbon authorities violated the General Data Protection Regulation.
The practice of data-sharing, which dates as far back as 2012 under a previous mayoral administration, became illegal after the data-protection law was enacted across the European Union in 2018. But the data-sharing continued until last year.
The municipal government failed to follow transparency regulations and illegally shared private data, among other infractions, the commission said.
The regulatory body added it rejected Lisbon's request to pay less because the fine had already taken into account the financial strain the government is under during the pandemic.
A "much higher" fine would have been justified because of "the degree of censorship of [Lisbon's] conducts and the risks" that the organizers face, the report states.
Last summer, Lisbon's municipal office, led by then-Mayor Fernando Medina, drew public criticism after it admitted that personal details of at least three dissidents organizing a demonstration in support of the jailed Russian opposition leader Alexei Navalny were shared with Russian officials.
An investigation by Medina's office found further breaches, and Medina apologized for what he called a "bureaucratic error." Medina, a member of the center-left Socialist Party, was voted out of office last year and replaced by Carlos Moedas of the right-leaning Social Democrat Party.
The Lisbon mayor's office said in a statement that the national commission's decision was "a heavy legacy" left by the former administration and that the fine would cause a strain on its budget, according to Reuters.
"We will evaluate this fine in detail and how best to protect the interests of citizens and the institution," the office added.
Ksenia Ashrafullina, one of the protest organizers affected by the data disclosure, found out that information such as her phone number and home address had been given to the Russian Embassy in Portugal and Russia's Foreign Ministry in Moscow, The Associated Press reported in June.
Her private information was required to apply for permission to hold the demonstration, Ashrafullina said, adding that the data-sharing could put her and other Russian dissidents in danger. She did not respond Saturday to a request for comment from The Washington Post.
Countries such as Cuba, Angola, Venezuela and Israel also received private information about protest organizers, according to Reuters.
The General Data Protection Regulation places heavy restrictions on data transfers outside the EU, allowing such moves for about a dozen countries. A common data protection agreement used in the United States, for instance, does not adequately uphold EU privacy law, a top EU court ruled in 2020.