The social media company responded that the data was stolen and published as a result of a previously reported data breach that occurred in early 2018. Since that breach preceded the entry into force of the General Data Protection Regulation (GDPR) and because, according to Facebook, there has been no new breach, the company believes it has no case to answer.
Its lead European data protection regulator, the Irish Data Protection Commission, has sent detailed questions to Facebook to establish what happened, given the huge volume of data involved, according to Deputy Commissioner Graham Doyle.
“Generally speaking, when a regulatory authority imposes a fine for a personal data breach, the recipient would not face another fine for the same breach.”
Amir Kousari, Senior Associate, Boyes Turner
The case raises several interesting legal questions about what powers, if any, the regulator has when personal data stolen in earlier hacks or data breaches is similarly "recycled" and potentially causes fresh harm. Experts hold differing opinions on what regulators can and cannot do under the GDPR to hold companies accountable in such scenarios.
First, the GDPR is not retroactive. Experts agree that data regulators cannot subsequently use the GDPR to impose any sanction if a breach or loss of data occurred before the regulation came into force in May 2018.
Further, any penalty imposed on a company for a failure to protect personal data cannot subsequently be increased (either under the GDPR or under domestic law) if that same data later resurfaces, even if people suffer financial damage as a result. Lawyers say that, because DPA investigations are so thorough and lengthy, the level or threat of monetary harm is already factored into the original sanction.
“Generally speaking,” says Amir Kousari, a senior associate on the technology team at law firm Boyes Turner, “when a regulator imposes a fine for a personal data breach, the recipient would not face another penalty for the same breach.”
“Fines are determined by the law in effect when the offense actually occurred, not when the damage occurred,” says Camilla Winlo, director of advisory services at DQM GRC.
Experts do, however, disagree on whether there could be a case for the DPA to impose new penalties on Facebook if, for example, it turns out that the original breach was larger than was recognized or discovered at the time. Opinion is also divided on whether national data regulators can act on their own initiative if they believe doing so would serve the interests of their own citizens.
Some also believe that the GDPR could be applied against a company if the inadequate controls or procedures that led to the original breach have not been sufficiently improved since, even if the incident predates the entry into force of the EU privacy rules.
“The GDPR does not explicitly state what would happen in the event that an organization has suffered a breach that it has not effectively remedied,” said Akber Datoo, executive director of legal and change consulting firm D2 Legal Technology.
If Facebook has suffered an additional breach, which the company appears to be hinting at when it states on its blog that it believes “the data in question was obtained by malicious actors using our contact importer from people's Facebook profiles prior to September 2019”, the majority view is that the company will face its 10th cross-border GDPR investigation.
Experts also point out that other industry regulators, rather than the DPA, may have the power to impose fines for historic data loss under other domestic laws.
For example, in the United Kingdom, the Financial Conduct Authority and the Prudential Regulation Authority, the supervisory authorities for the financial services sector, can impose penalties for failing to protect customer data, notes Toni Vitale, a data protection partner at law firm Gateley Legal. Meanwhile, laws such as the Computer Misuse Act allow the police and other law enforcement agencies, rather than the regulator, to investigate and refer cases for prosecution.
Furthermore, because of Brexit, there is a possibility that both the UK Information Commissioner's Office and regulators in the European Union could fine the company for the same violation. Affected UK individuals would be covered by the UK's own version of the GDPR.