Facebook has reported a hack of 3 million European users' personal data to the Irish DPA. The Irish DPA is under pressure to answer the key question of GDPR: do national DPAs have the power to force multinationals like Facebook to comply with GDPR?
1. Notification of data breaches
The Facebook hack provides evidence that the new instruments of GDPR are having a significant effect. Firstly, Facebook was required to notify the competent DPA of the incident within 72 hours according to Art. 32 GDPR. Secondly, Facebook reported the hack to the Irish DPA as lead authority. According to Art. 56 GDPR, the Irish DPA is the lead authority for Facebook within the EU, because Facebook has its headquarters, which determines the purposes and means of the data processing of the Group, in Ireland. Following the 'one stop shop' principle, Facebook only has to report the incident to a single DPA rather than to every national DPA within the EU.
2. Powers of the DPA
The Facebook hack will show how the Irish DPA uses the powers granted to it by the GDPR. Under Article 58 GDPR, the powers of a DPA are categorised into investigative powers, corrective powers and advisory powers.
The investigative and corrective powers in particular will be in focus. The Irish DPA may request any information necessary to evaluate the circumstances of the case according to Art. 58 (1)(a) GDPR. The Irish DPA may use its corrective powers against Facebook, e.g. by ordering Facebook to implement certain security measures to prevent further hacks in the future. Eventually the Irish DPA will impose administrative fines on Facebook. How the Irish DPA may calculate such fines is elaborated later in this article.
3. Appropriate technical and organisational measures
The Facebook hack raises concerns that Facebook did not implement adequate technical and organisational measures according to Art. 32 GDPR. These measures must be suitable to prevent unlawful loss of, disclosure of or access to personal data. It is not for the Irish DPA to show that Facebook's measures were insufficient; the burden of proving that the measures were sufficient lies with Facebook. This follows from the accountability principle laid down in Art. 5 (2) and Art. 24 (1) GDPR:
“…the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
Taking into account that the hack affected 3 million European users, it will be nearly impossible for Facebook to show that its measures were sufficient. In addition, the hacker's methods were not so sophisticated, and the effort required not so great, that this kind of hack was unforeseeable.
4. Criteria for amount of fines
Failure to implement adequate security measures according to Art. 32 GDPR is punishable by fines of up to €10 million or 2% of Facebook's annual worldwide turnover according to Art. 83 (4) GDPR.
Infringement of the accountability principle according to Art. 5 (2) GDPR is punishable by the maximum fines of up to €20 million or 4% of annual worldwide turnover according to Art. 83 (5) GDPR. Facebook, which had more than $40.65 billion in revenue in 2017, could therefore be fined up to a maximum of $1.63 billion.
The amount of a fine is not fixed; the Irish DPA has discretion to determine it. Art. 83 (2) GDPR lists several criteria for assessing which amount is adequate and reasonable. The most significant criteria relevant to the Facebook hack are:
- the nature, gravity and duration of the infringement,
- the number of data subjects affected,
- the intentional or negligent character of the infringement,
- any relevant previous infringements by the controller.
The number of 3 million affected users is one of the most significant criteria. That means that the fine may not be lower than €3 million. Whether the infringement occurred negligently or grossly negligently depends on the nature of the security measures that Facebook had implemented. Finally, Facebook has a long history of infringements of data protection law, the most significant being the recent Cambridge Analytica case.
Given all these facts, the fine will probably be significantly higher than €3 million, and in any case higher than €10 million.
Apart from the legal aspects, the question arises whether Facebook will accept the decision of the Irish DPA or will appeal the fine under Art. 78 GDPR. Currently Facebook seems to follow the strategy of appealing any decision in data protection matters up to the highest judicial level, where the ECJ has the final say. Facebook may change this strategy when the reputational risk turns out to be greater than the potential reduction of the fine.
5. What about class action?
In addition, the 3 million affected users – or a significant group of them – could claim damages from Facebook according to Art. 82 GDPR. GDPR provides compensation for material and non-material damage, and the burden of proof lies with Facebook.
Would it be efficient to drive 3 million proceedings through the legal systems of the EU Member States? Would it not be more efficient to join these cases in one class action, since they are all based on the same facts?
This shows that the Facebook hack has the potential to catalyse the political discussion about the introduction of class actions within the EU.
Although the Data Protection Authority of Ireland is called the "Irish Data Protection Commission", I will stick to the term 'DPA', which is the abbreviation for Data Protection Authority; https://www.dataprotection.ie/docs/Home/4.htm
WP29, WP 244 rev.01, Guidelines for identifying a controller or processor's lead supervisory authority, adopted on 13 December 2016, last revised and adopted on 5 April 2017, pages 5 and 6; http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611235