On 16th April 2021, a civil rights group, Digital Rights Ireland (DRI), announced that they were pursuing a group action against Facebook in relation to a major data breach resulting in more than 530 million users globally being affected.
DRI argued that Facebook was in breach of the General Data Protection Regulation (GDPR) for a number of reasons, including:
- Failing to implement the necessary measures to protect its users’ data;
- Failing to notify the users who had been affected when the breach occurred; and
- Failing to notify the Data Protection Commission within the requisite period.
The applicable law
Part 3 of the Data Protection Act 2018 (DPA 2018) confirms that all organisations should report personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. If you fail to report the breach within the 72-hour period, you must explain the reason for the delay. Failure to notify a breach within the required period can result in the organisation receiving a significant fine of up to £8.7 million or two per cent of the organisation’s global turnover.
Where the breach is likely to result in a high risk to the rights and freedoms of the individuals involved, the data controller has a duty to report the breach to those affected. The organisation must give the individuals affected the following information:
- A description of the data breach;
- The name and contact details of the data protection officer at the organisation;
- A description of the likely consequences of the data breach; and
- A description of the measures taken to deal with the breach/any measures taken to mitigate any possible adverse effects.
This claim is in the very early stages at present, with a regulatory complaint only just having been filed with the Irish Data Protection Commission. DRI has, however, claimed that the damages awarded in similar cases in Europe have varied between 300 and 12,000 euros for each person affected. It will be interesting to see what kind of award is made by the Court if DRI decides to issue proceedings following the Irish Data Protection Commission’s investigation.
How can Nelsons help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.
If you have any questions in relation to the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online enquiry form.