Personal data leaks and RGPD Facebook…

Vanessa Bouchara

After being fined a record £500,000 by the Information Commissioner’s Office (ICO) following the Cambridge Analytica affair, Facebook could be the first to face the sanctions provided for by Article 83 of the GDPR.

If the amount of the sanction pronounced by the ICO may seem derisory in view of the scope of the case and the consequences of the infringement committed by Facebook, it is because the Data Protection Act 1998 did not allow the British authority to impose a higher sanction. There is no doubt that the fine would have been much higher had it been imposed under the Data Protection Act 2018, which incorporates the GDPR into UK domestic law.

In force since May 25, 2018, the Regulation on the Protection of Individuals with regard to the Processing of Personal Data (GDPR) has resulted in numerous convictions, with the total amount of sanctions handed down in 2020 amounting to 171 million euros, the largest single fine being the 35 million euro fine imposed on the German subsidiary of H&M.

Sanctioning power of the supervisory authorities

For a majority of Europeans attached to their fundamental rights, the application of Article 83 of the GDPR was eagerly awaited.

Article 83 gives an unprecedented power of sanction to the European supervisory authorities in the event of a violation of the regulation by any natural or legal person, whether controller or processor.

The supervisory authorities may impose administrative fines of up to 20 million euros or, in the case of a legal entity, up to 4% of the total worldwide annual turnover of the previous financial year, whichever is higher.

Once the theoretical sanctions have been presented, it is logical to ask what sanctions Facebook is exposed to, both in theory and in practice, under the GDPR following the various cyberattacks against it.

First, it is necessary to identify the nature of the potential breaches of the GDPR that Facebook may have committed in the context of these cyberattacks.

Time limit for notification of violations

Article 33 of the GDPR imposes on data controllers an obligation to notify the supervisory authority of any actual or suspected personal data breach as soon as possible “and, if possible, no later than 72 hours after becoming aware of it, unless the violation in question is not likely to create a risk to the rights and freedoms of natural persons”.

As an example, by issuing a public statement exactly 3 days after the cyberattack it suffered, i.e. on September 28, 2018, Facebook clearly seems to have complied with the notification deadline imposed by Article 33 of the GDPR in the event of a personal data breach.

However, it is important to look at the date on which the breach was notified directly to the Irish supervisory authority, and not only at the date on which the information notice was published to the general public.

Indeed, it is likely that the notification of the data breach to the Data Protection Commission occurred well in advance of the public release, since Article 33 requires notification “as soon as possible”; the 72-hour period is purely indicative.

Facebook’s notification to the Irish supervisory authority immediately after the discovery of the personal data breach could then demonstrate some effort at transparency on Facebook’s part. Regarding the 2019 leak, however, Facebook did not contact the authority, so a penalty could follow; an investigation was opened on April 14, 2021, with Facebook arguing, among other things, that the leak took place before the regulation came into force, hence the absence of notification.

Content of the notifications of violations

The deadline for notifying the Data Protection Commission is essential, but the content of the notification will also have to be carefully checked, since the same Article 33 requires that the notification must at least:

  • Describe the nature of the breach including, if possible, the categories and approximate number of individuals affected by the breach and the categories and approximate number of personal data records affected;
  • Provide the name and contact information of the DPO or other point of contact where additional information can be obtained;
  • Describe the consequences of the violation;
  • Describe the steps taken or proposed to be taken by the data controller to remedy the data breach.

Main principles relating to data processing

In addition to compliance with Article 33, data controllers must also comply with the provisions of Article 5 of the GDPR, which sets out the main principles relating to the processing of personal data.

Among these main principles is the obligation to process personal data in such a way as to ensure appropriate security of the data, including against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

The data controller must therefore be able to demonstrate compliance with this obligation at any time upon request by a supervisory authority.

Proving compliance with this security obligation when one is subject to “successful” cyberattacks at regular intervals is not an easy task, since data controllers have been aware of these attack risks for many years.

Logically, and as a prime target for hackers, Facebook should have adapted its security and taken all the necessary steps to ensure that it had in place “appropriate technical or organizational measures” to prevent the recurrence of these attacks and thus protect the integrity and confidentiality of the very large-scale data processing it performs.

It is therefore on the basis of Article 5 that the Data Protection Commission decided, on October 3, 2018, to open an investigation into the September 2018 cyberattack, and specifically into the technical and organizational measures taken by Facebook to ensure the security and safeguarding of the personal data it processes.

Sanctions that can be imposed by the lead authority

If Facebook were to be sanctioned by the Irish supervisory authority for failing to secure the personal data it processes, following the cyberattacks to which it was subjected, a penalty of up to 4% of its annual worldwide revenues, or nearly $4 billion, could then be issued on the basis of Article 83 for a violation of Article 5 or Article 33 of the GDPR.

Even though the harmful consequences of Facebook’s potential breaches following this cyberattack are cross-border, the Data Protection Commission alone is competent to impose a penalty on Facebook, in accordance with Article 55 of the GDPR, which defines the new role of lead supervisory authorities.