
Abstract

This chapter focuses on the requirements for data breach notification and communication under the EU General Data Protection Regulation (GDPR). The GDPR is intended to implement the European Commission’s Digital Single Market Strategy, which seeks to let businesses and governments benefit fully from digitalisation so that the European market thrives, while protecting the individual’s fundamental right to privacy. The GDPR applies extraterritorially, so businesses around the world may be required to comply with its data breach obligations. In the current cyber threat landscape, the increased risk of data breaches, together with the extraterritorial reach of the GDPR, draws considerable attention to the GDPR and data breaches. This chapter briefly introduces the importance and relevance of the GDPR, its data breach notification and communication requirements, the risk assessment methods it provides for, and contemporary case examples of data breach incidents. The chapter provides an overview of the relevant provisions of the GDPR and points out examples that can serve as guidelines on approaches to data protection impact assessment.



Corresponding author: Elif Kiesow Cortez


Copyright information

© 2020 The Author(s)


Cite this entry

Kiesow Cortez, E. (2020). Data Breaches and GDPR. In: Holt, T., Bossler, A. (eds) The Palgrave Handbook of International Cybercrime and Cyberdeviance. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-319-78440-3_39
