News media are increasingly reporting on 'massive' data breaches. In the Netherlands, we have examples such as the data breach at the market researcher Blauw (March 2023, affecting 2 million people), JD Sports (January 2023, affecting 10 million people), and the Dutch Municipal or Community Health Service (GGD, May 2022, affecting 6.5 million people). Additionally, there was a recent data breach in the automotive sector; Tesla experienced a data breach in March 2023 affecting hundreds of thousands of individuals. Furthermore, the data breach at market researcher Blauw also resulted in the exposure of personal data from NS customers.
In some of these data breaches, confidential company information
was leaked. However, more importantly, a vast amount of personal
data from customers (and in some cases even employees) was exposed
in each of these incidents. This data includes names, private email
addresses, phone numbers, bank and salary details, and sometimes
even citizen service numbers.
A data breach can have severe consequences for all parties
involved. Contact details, when combined with salary or bank
details, could easily be exploited to extort the affected
individuals. This could result in both tangible and intangible
damages for these individuals.
Additionally, these data breaches could cause significant damage to
the affected companies. Firstly, a data breach could result in
unprecedented reputational damage for the company. After all, who
wants to work for or be a customer of a company that leaks personal
data? Moreover, non-compliance with European data protection rules
may lead to administrative enforcement measures, such as orders or
incremental penalties, as well as administrative fines of up to a
maximum of EUR 20,000,000 or 4% of the annual worldwide turnover.
For instance, in the case of Tesla, this could amount to 3.26
billion Euros (based on their turnover in 2022), or in the case of
JD Sports, it could reach 400 million Euros (based on their
turnover in 2022). High fines under data protection laws are no
longer the exception, as recent fines from the Irish authority and
others have shown.
Lastly, any individuals who have suffered material or non-material
damages due to a company's non-compliance have the right to
receive compensation for the harm they've experienced, both
individually and collectively. These collective claims can
accumulate substantial amounts of money. For example, if all those
affected by the JD Sports data breach claim 500 Euros each (which
is not unlikely), the total amount for the class action claim would
reach 5 billion Euros.
These data breaches clearly demonstrate the necessity of
considering data protection in the automotive sector. With rapid
advancements in connected and autonomous vehicles, advanced driver
assistance systems, and smart public transportation, it is crucial
to address the legal challenges that arise, especially in the realm
of data protection and privacy.
The significant amounts of data generated on a daily basis,
resulting from increased vehicle connectivity, usage and behavior
monitoring systems, and the interconnectivity of drivers,
passengers, and road users, raise important questions about data
collection, access, and protection. Moreover, numerous parties
involved in the automotive supply chain and public transportation
are collecting this data, which raises questions such as: who
collects the data, who has access to it, how can it be safeguarded
from misuse, and what responsibilities does each stakeholder
hold?
The data breaches are examples of why it is important to have a
sharp understanding of your company's role and corresponding
responsibilities under the GDPR, and to know precisely what is
expected of your company. To shed light on these critical data
protection and privacy challenges, we are excited to invite you to
our upcoming webinar: 'Privacy Compliance in the Automotive and
Public Transportation Sector.'
During this engaging session, we will explore your role in data
protection, ways to address privacy concerns, and discuss
noteworthy cases and upcoming legislation. We understand the
complexity of the automotive supply chain and the involvement of
various stakeholders. Our aim is to equip you with the knowledge
and tools to navigate towards GDPR compliance.