

One of Europe’s top courts clarifies GDPR compensation and data access rights
Yesterday, a significant step was taken in the realm of data protection, with the European Union’s top court announcing two noteworthy rulings. One, Case C-300/21, addresses compensation for GDPR breaches, and the other, Case C-487/21, clarifies what type of information individuals should expect to receive when exercising their GDPR rights to access data held about them.
In the area of GDPR compensation, the court's ruling delivers a nuanced verdict that could potentially have far-reaching implications. It puts the onus on claimants to demonstrate personal harm, but interestingly, the court also rules that there's no prerequisite for non-material damage to reach a certain seriousness level to justify compensation. This, in essence, removes a barrier to filing a compensation claim, a development that could be quite significant in the longer term.
Peter Church, counsel at law firm Linklaters, suggests that this could pave the way for compensation claims for even minor anxiety or upset. He also foresees a divergence between EU and UK laws in this area. Remember, back in 2021, the UK Supreme Court required proof of harm and a seriousness threshold for compensation in a case against Google. In contrast, the EU court has now removed any such seriousness bar.
Another key ruling came in the context of an individual's right to access their data under the GDPR. The court decided that individuals are entitled to "a faithful and intelligible reproduction" of their data. This is a powerful assertion of the individual's right to check the accuracy and legality of their data processing.
However, it's important to note that there's still potential for friction here, given the balancing act between the right to comprehensive personal data access and the rights and freedoms of others. The court emphasizes that the result of these considerations should not lead to a refusal to provide all information to the data subject.
We should carefully watch these developments. As we navigate the labyrinth of GDPR compliance and its ever-evolving interpretations, these rulings provide essential guidance on understanding the rights of individuals and our obligations as data guardians.
T-Mobile’s second breach of the year
In the rapidly evolving digital era, data privacy has become a paramount concern. This week, we once again face a stark reminder of this reality as T-Mobile discloses its second data breach of the year. Sergiu Gatlan of Bleeping Computer provides a detailed report on this recent incident, outlining that attackers had access to personal information of hundreds of customers for more than a month, starting late February 2023. While this breach affected far fewer individuals compared to T-Mobile's previous breach, which impacted 37 million people, it is nonetheless a sobering reminder of the persistent threats we face in our sector.
The news of this breach comes on the heels of several others, marking a concerning pattern for T-Mobile. As Gatlan reports, the exposed information included "full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines." This extensive set of data exposes affected individuals to risks like identity theft and phishing attacks.
T-Mobile's response to the breach reveals their proactive approach in resetting account PINs for impacted customers and offering them two years of free credit monitoring and identity theft detection services through TransUnion myTrueIdentity. While these steps are commendable and vital, we must not overlook the need for prevention. It's in instances like these that the role of data protection officers becomes critical. Our profession's mandate isn't just to react to breaches but to prevent them.
It's also worth noting that this is the second data breach T-Mobile has disclosed since the start of the year, with a previous one disclosed on January 19. The history of breaches at T-Mobile, dating back to 2018, underscores the importance of vigilance and continuous improvement in data security measures. The frequency of these incidents suggests that the company has significant gaps in its data security that need addressing, and this should be a wake-up call for all of us.
Other data privacy news
Edge Of Sovereignty: Navigating Data Security And Compliance In Latin America's Evolving Tech Landscape
Data sovereignty has become a critical concern for governments, businesses and individuals worldwide as cloud computing rises in popularity and data generation and storage cross borders.
An Expert View on the Critical Data Privacy Issues for 2023 and Beyond
Data privacy veteran Jennifer Garone, who is currently the Senior Director of Privacy and Information Governance at Carnival Corporation, talks about the critical issues to look out for in 2023.
Zero Trust Data Security: It’s Time To Make the Shift
How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not.
Post of the week
Elon has stopped Tweets from populating in Substack, so here’s the link to see the thread.