LastPass, a well-known password management tool, is at risk of a €20 million GDPR penalty due to a lack of solutions. In the EU, data privacy and the way companies manage personal data are very serious. These companies must follow GDPR guidelines or risk serious consequences.
And the EU has cracked down very this. Last July, the retail giant was ordered to pay fines of up to 746 million euros after 10,000 people complained that Amazon's handling of user data was found to have violated users' privacy. During last December's security disaster, LastPass was busy with repairs and recoveries, but it was these unresolved vulnerabilities that could face fines of up to €20 million for violating Article 20 of the GDPR, the right to data portability.
In a Reddit post, user /u/nametaken_thisonetoo posted his dissatisfaction with LastPass, explaining the many ways the software holds your data hostage. The post was quickly followed up by an article on AlternativeTo that linked these pain points to GDPR violations.
Among the many grievances listed, the most prominent one is the strategy of LastPass free users to export their personal data very difficult or even impossible. For example, if you've been downgraded to a free account, LastPass can lock you in their desktop browser product after three switches between mobile or desktop. Once you are locked into the desktop plugin, you may not be able to export your data because there are countless unresolved errors.
LastPass forum user tombrady reported the bug on March 21, 2021, and the option to export data was simply grayed out, there was no way around it, and it remained unresolved almost ten months later. Interestingly, the forum post was flagged as "Accept solution" by LastPass staff member GlennD, who said, "We are aware of the problem and will be releasing an update soon to correct the problem."
Despite this, the forum post continues to receive complaints about their data being hijacked, but does not actually confirm that the bug was fixed. In the last 24 hours, there were two posts asking why this error remains uncorrected. Meanwhile, GlennD seems to be working manually to fix all the reported bugs. The fact that this error exists may be a direct violation of Article 20 of the GDPR, the right to data portability. The clause makes it clear that users should be able to access their data in a "commonly used and machine-readable format," regardless of whether they are paid or not.
Another complaint is that LastPass doesn't offer traditional support channels. While LastPass premium users get phone and email support, free users don't. This means that if you can't access your data because of a LastPass error, you'll have to rely on LastPass's forums, which, as demonstrated above, is an unstable experience that may or may not lead to a solution. By restricting phone and email support for free customers, LastPass appears to have once again violated Article 20 of the GDPR, making itself vulnerable to considerable fines.