Data Breaches and GDPR

This chapter focuses on the requirements for data breach notification and communication under the EU General Data Protection Regulation (GDPR). The GDPR is intended to address the European Commission’s Digital Single Market Strategy, which aims to enable businesses and governments to benefit fully from digitalization so that the European market thrives, while protecting the individual’s fundamental right to privacy. The GDPR applies extraterritorially, so businesses around the world may be required to comply with its data breach obligations. In the current cyber threat landscape, the increased risk of data breaches together with the extraterritorial applicability of the GDPR draw much attention to the GDPR and data breaches. This chapter briefly introduces the importance and relevance of the GDPR, its data breach notification and communication requirements, and the risk assessment methods it provides, together with contemporary case examples of data breach incidents. The chapter gives an overview of the relevant provisions of the GDPR and points out examples that can serve as guidelines on data protection impact assessment approaches.
Author information
Authors and Affiliations
- Elif Kiesow Cortez, The Hague University of Applied Sciences, The Hague, The Netherlands
Editor information
Editors and Affiliations
- Thomas J. Holt, College of Social Science, School of Criminal Justice, Michigan State University, East Lansing, MI, USA
- Adam M. Bossler, Department of Criminal Justice and Criminology, Georgia Southern University, Statesboro, GA, USA
Copyright information
© 2020 The Author(s)
Cite this entry
Kiesow Cortez, E. (2020). Data Breaches and GDPR. In: Holt, T., Bossler, A. (eds) The Palgrave Handbook of International Cybercrime and Cyberdeviance. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-319-78440-3_39
- DOI : https://doi.org/10.1007/978-3-319-78440-3_39
- Published : 06 June 2020
- Publisher Name : Palgrave Macmillan, Cham
- Print ISBN : 978-3-319-78439-7
- Online ISBN : 978-3-319-78440-3
- eBook Packages : Law and Criminology; Reference Module Humanities and Social Sciences; Reference Module Business, Economics and Social Sciences