Controller and Processor Articles 24 to 43 GDPR – Facebook Hack
In previous blog posts we have already covered, for example, Article 32 GDPR on technical and organisational measures. Today we would like to look at the larger context: Chapter IV of the GDPR, "Controller and processor", which comprises Articles 24 to 43. And we would like to take a quick look at last week's Facebook hack against this background.
Article 24 defines the responsibility of the controller. It makes clear that the controller has to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that personal data are adequately protected. Documenting these measures is what allows the controller to demonstrate compliance to the supervisory authority. What counts as "appropriate" leaves room for interpretation, since the measures have to be weighed against the nature, scope, context and purposes of the processing and the risks it poses. Approved codes of conduct (Article 40 GDPR) and approved certifications (Article 42 GDPR) can be used as guidance here.
The Facebook hack is the first major breach reported since the GDPR came into force. Of the roughly 50 million affected accounts, about five million belong to EU citizens. Several provisions of Chapter IV (Articles 24 to 43, controller and processor) apply here. Naturally the question arises whether the controller (Facebook) had taken adequate precautions (Article 24 GDPR) and whether the data breach was notified properly. Among others, the following articles of the GDPR are under scrutiny.
Which articles of the GDPR are under closer scrutiny in the context of the Facebook hack?
Article 25 GDPR – Data protection by design and by default.
The question that arises in connection with the incident is whether appropriate technical and organisational measures were in place beforehand, and which measures were taken once the incident became known.
Article 33 GDPR – Notification of personal data breaches to the supervisory authority.
Facebook became aware of the incident on Tuesday 25 September, and the Irish supervisory authority received the notification on the following Thursday. Article 33 requires notification without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of the breach, so whether the time window was respected, and whether the notification contained the information Article 33(3) requires, is a matter for the lawyers. A notification that does not comply with the rules exposes Facebook to a fine of up to two percent of its annual worldwide turnover.
Article 34 GDPR – Communication of a personal data breach to the data subject.
If the breach is likely to result in a high risk to the rights and freedoms of the data subjects, Facebook must also inform the affected users without undue delay. Here, too, proportionality comes into play: Article 34(3) allows a public communication instead of individual notices where contacting every data subject would involve disproportionate effort.
Article 35 GDPR – Data protection impact assessment.
A data protection impact assessment has to be carried out before processing that is likely to result in a high risk to data subjects. If the processing affected by this incident falls into that category, the question is whether Facebook had carried out such an assessment for it, and whether that assessment now needs to be reviewed in light of the changed risk (Article 35(11)).
Article 55 GDPR – Competence
The Irish supervisory authority (the Data Protection Commission) is the competent lead supervisory authority, since Facebook's main establishment in the EU is in Ireland (Article 56 GDPR), and it was the authority notified.
Articles 83 and 84 GDPR – Sanctions.
For failing to notify a personal data breach in compliance with the rules, Facebook faces a fine of up to 10 million euros or two percent of its annual worldwide turnover, whichever is higher (Article 83(4)). If it turns out that Facebook did not take sufficient precautions and this is treated as a breach of the basic principle of integrity and confidentiality in Article 5(1)(f), the higher tier of up to 20 million euros or four percent of annual worldwide turnover applies (Article 83(5)).
You can find articles 24 to 43 of the GDPR here.
Further links to the Facebook Hack:
Facebook hack – combination of multiple software loopholes was to blame
Facebook Hack – No evidence of intrusion at other services
Facebook Hack – Less than ten percent of those affected from the EU
Facebook Hack – How to tell if you are affected
Facebook Hack – How the recent Facebook hack is different from Cambridge Analytica