05 Nov 2018

The First Major GDPR Case Is Underway!

Not so long ago, on May 25, 2018, the General Data Protection Regulation (GDPR) came into force. The GDPR has been a subject of great interest and discussion, even prior to its implementation, due to its application to entities all over the world – inside or outside the European Union (EU).

Although the GDPR has, practically, changed the legal framework in relation to the rules on data protection, and introduced a whole set of new obligations while imposing massive fines for non-compliance, the real implications of the application of the GDPR are yet to be seen, especially on non-EU entities.

However, only a few months after it began to apply, it seems that the first major GDPR case is underway and, more importantly, against one of the most popular non-EU entities in the world, “the” social network Facebook.

First, we would like to recall that non-EU entities, such as Facebook, may be subject to the GDPR if certain conditions are met, which we have explained in more detail in our article (https://www.geciclaw.com/gdpr-in-serbia-a-foreign-investors-perspective/).

Furthermore, under GDPR rules, all entities dealing with the processing of personal data, including non-EU entities to which the GDPR applies, have to introduce appropriate measures to ensure the security of collected personal data and to guard against potential breaches of privacy. Such measures consist not only in the adoption of more advanced information security mechanisms, but also in securing greater protection against risks of privacy violation by diminishing the amount of information that may be collected and processed. Therefore, whenever a large amount of personal data is subject to processing, the level of risk is increased, and thus the level of security needs to be higher.

Having said that, recent media reports have revealed that hackers managed to breach Facebook’s code related to access tokens in order to gain entry to user accounts (more than 50 million users) and potentially take control over them. For the time being, this attack seems to be the most severe breach of Facebook security in its history. Due to the severity of the breach, the Irish Data Protection Commission, the leading privacy watchdog for Facebook in Europe, commenced an investigation out of concern that the private information of millions of EU citizens might be stolen or revealed.

To that end, the main issue will be whether Facebook has mishandled the data of its users. The mere fact that such a security breach occurred does not automatically mean that Facebook violated GDPR rules; the investigation will determine whether the primary cause of the hackers’ success was a lack of adequate security measures on Facebook’s part. Officials from the company have already pointed out that it has made significant investments in security technology in order to reduce the risk to its users’ data. However, whether these measures were sufficient and adequate remains to be assessed by the competent authorities. Therefore, it is our opinion that, in addition to the technical security measures, the outcome of the case will assess how necessary it is to collect such a large amount of Facebook users’ data, as a means of reducing the risk of a breach of privacy.

If Facebook is found to be in breach of the GDPR for failing to adequately protect the privacy of its users, it could face a $1.63 billion fine, given that the GDPR sets a maximum fine of €20 million (approx. $23 million) or 4% of an entity’s global annual revenue for the prior year, whichever is higher.

Furthermore, other than requiring appropriate steps for safeguarding users’ data, the GDPR sets the “72 hours rule” – a timeframe within which entities have to notify privacy commissioners of breaches or face a fine amounting to 2% of worldwide revenue. According to unconfirmed rumours, Facebook failed to notify the privacy commissioners within this tight deadline, which will certainly be an additional subject of the investigation against the company.

Nevertheless, the outcome of this highly significant GDPR case will be known in the upcoming months…