We meant to record something else for this episode but Rie read a decision which is pretty explosive and - in our opinion - sends the opposite signal of what the DPA likely meant to do.
Not everyone is as grumpy as Miloš and Rie - but some are. Check out the comments on LinkedIn post no. 1 and no. 2 on this case and please join the debate. As you can see from a selection of comments below, not everyone agrees. 🔥 This also shows how tricky GDPR compliance can be (and why there's no such thing as 100% compliance).
- Most concerned by the lack of predictability. For the last 4-5 years the Norwegian DPA have said that the 72 hours rule is not vital or important?
- The DPA is certainly setting an example here with this case, but for everyone saying the fine is too high: too high compared to what? I would argue the fine is on the lower side of the scale for a company with this economy?
- There is no justification for this level of legal uncertainty and arbitrary enforcement, especially when the rules stem from non-democratic bodies.
- In the absence of dissuasive fines, no one will take the necessary steps to solve the root cause of the problem ... And waiting two months for the legal opinion should not be a mitigating factor, lawyers can answer five minutes ago if needed 😊
- Looking at the data in scope, the data subjects affected, and the several measures the company took to understand and remediate the situation, this does look like a disproportionate approach and I believe it sends out the wrong message, unfortunately
- If only one employee was a victim of phishing and they did their investigations, the fine seems exaggerated to me.
- DPAs really need to agree on criteria regarding the level of sanctions. Legal security is at stake. 🤔
- So if the Norwegian SA believes this should all be reportable, they either like to have too much to do or they are the best funded SA in the European Economic Area by being able to handle the workload.
This episode's resources:
- The Norwegian DPA's press release (links to the full decision which is in English, yay!) and the GDPRhub summary
- Read Article 33(1) on GDPR Fan
- EDPB's Guidelines 9/2022 on personal data breach notification under GDPR. NB: The EDPB discussed the "targeted update" mentioned on this page in their meeting on 28 March, so we expect the final version to be released shortly!
- EDPB's Guidelines 01/2021 on Examples regarding Personal Data Breach Notification