It has been reported this week that Google’s social media app, Google+, is to close down for consumers after it was revealed that a bug had exposed the personal data of up to 500,000 accounts.
In a blog published by Google, it was revealed that a bug in the software meant that numerous third-party applications had access to up to 500,000 accounts. Information subject to the breach included user names, email addresses, occupations, genders and ages.
Google decided not to publicise any information on the bug when it was discovered, which was around the same time that Facebook was receiving scrutiny over the Cambridge Analytica scandal. According to the Wall Street Journal, an internal Google blog post that it had obtained noted that disclosing the bug would have “generated immediate regulatory interest”.
The above makes for very interesting reading in light of the GDPR. The bug was discovered around March 2018, which was of course prior to the GDPR coming into effect. While Google’s HQ is based in California (and Google asserts that state law did not require the breach to be disclosed), the GDPR now applies in a number of circumstances to organisations based outside the EU, for example where they monitor the behaviour of data subjects where that behaviour takes place in the EU, or where they offer goods or services to data subjects in the EU. In any event, with Google having numerous offices throughout the EU, it is clear that the GDPR is applicable.
Amongst the provisions of the GDPR is a duty to report breaches to the relevant data protection supervisory authority within 72 hours of discovery if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms. As such, Google’s response of March 2018 (that California state law did not require disclosure) would be very unlikely to satisfy its obligations under the GDPR.
As with all data breaches, legal duties are only one consideration. Clearly, where data breaches are reported, consumer confidence can fall, as seen in Facebook’s huge drop in share value following the Cambridge Analytica fallout. Organisations need to monitor their security frameworks and have robust response plans (including reporting procedures) in place to help counteract the ever-present threat of security breaches.