A fascinating article and LinkedIn post from data protection specialist Jon Baines asks whether the recent CrowdStrike/Microsoft outage, which resulted in a temporary inability to access personal data, constitutes a personal data breach (PDB) under Article 4(12) of the General Data Protection Regulation (GDPR).
A LinkedIn poll resulted in a split vote. However, Baines argues that not every incident meets the definition of a PDB and that both the Information Commissioner's Office (ICO) and the European Data Protection Board (EDPB) are wrong to categorise this as a breach.
"This is about the law, and in law, words are important. To refer to a PDB as the single word 'breach' is a potential cause of confusion, and both the ICO and the EDPB guidance are infected by and diminished by sloppy conflation of the terms 'personal data breach' and 'breach'. In English, at least, and in English law, the word 'breach' will often be used to refer to a contravention of a legal obligation: a 'breach of the law'. (And in information security terminology, a 'breach' is generally used to refer to any sort of security breach.) But a 'breach' is not coterminous with a 'personal data breach'," wrote Baines.
While not wanting to criticise any controllers for making an Article 33 notification, Baines highlights the 50/50 split on his online poll, suggesting a level of uncertainty that may require future clarification.
Anyone interested in this article should also take note of the comments on the LinkedIn post, as they add to an interesting debate.
In related news, the Italian data protection authority (Garante) has announced that it has opened an investigation into the effects of the recent global IT outage caused by a malfunction of the CrowdStrike security software. The investigation aims to determine the implications such outages have on the processing of personal data.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.