Last weekend, reports surfaced that the personal data of more than 533 million Facebook users had been made publicly available on a hacker forum.
The social media firm responded that the data had been taken in a previously reported breach in early 2018 and then made public. Because that breach predated the General Data Protection Regulation (GDPR) coming into force, and because, according to Facebook, no new breach has occurred, the company believes it has no case to answer.
Its lead European data supervisory authority, the Irish Data Protection Commission, however, has sent Facebook detailed questions to determine what happened given the tremendous amount of data involved, according to Deputy Commissioner Graham Doyle.
The case poses several interesting legal questions as to what powers, if any, a regulator has when personal information stolen in earlier hacks or data breaches is similarly “recycled” and potentially causes fresh harm. Experts have varied opinions about what regulators can, and cannot, do under the GDPR to hold companies accountable in such scenarios.
Firstly, the GDPR is not retroactive. Experts agree data regulators cannot subsequently use the GDPR to issue any kind of sanction if the breach or data loss occurred prior to the regulation coming into force in May 2018.
Further, any penalty imposed on a company for failing to protect personal data cannot subsequently be increased (either under the GDPR or domestic law) if that same data resurfaces, even if people suffer financial harm as a result. Lawyers say that, because data protection authority (DPA) investigations are so thorough and lengthy, the level and likelihood of financial harm is already factored into the original sanction.
“Generally speaking,” says Amir Kousari, senior associate in the technology team at law firm Boyes Turner, “once a fine has been imposed by a regulator in respect of a personal data breach, the recipient would not face a second fine for the same breach.”
“Fines are set according to the legislation in force when a breach actually happened, not when the harm occurred,” says Camilla Winlo, director of consultancy at DQM GRC.
Experts differ, however, over whether there may be a case for a DPA to impose new penalties on Facebook if, for example, the original breach turns out to have been bigger than recognized or disclosed at the time. Also debated is whether national data regulators other than the lead authority can take action themselves if they feel it would serve the interests of their own citizens.
Some also believe the GDPR could be enforced against a company if the defective controls or procedures that led to the original breach have not been sufficiently improved since—even if the incident predates the EU privacy rules coming into effect.
“The GDPR does not explicitly state what would happen in case of a breach not being remedied effectively by the organization,” says Akber Datoo, CEO at legal data and change consulting firm D2 Legal Technology.
If Facebook has suffered an additional breach, which the company seems to hint at when it states on its blog it believes “the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019” (that is, bulk abuse of a legitimate feature rather than a break-in), the majority view is that the company would face its 10th cross-border GDPR investigation.
Experts also point out that other industry regulators, rather than DPAs, may have the power to impose fines for historic data losses under other domestic laws.
For example, in the United Kingdom, the Financial Conduct Authority and the Prudential Regulation Authority, the watchdogs for the financial services sector, can impose penalties for failure to protect customer data, notes Toni Vitale, data protection partner at law firm Gateley Legal. Meanwhile, legislation like the Computer Misuse Act enables the police and other enforcement agencies, rather than a regulator, to investigate and refer cases for criminal prosecution.
Further, because of Brexit, there is also scope for a fine to be imposed on a company for the same breach by both the U.K.’s Information Commissioner’s Office and regulatory authorities in the European Union. Affected U.K. individuals would be served by the U.K.’s own domestic version of the GDPR.