Greetings from Bretagne!
Perhaps I should say salutations de Bretagne, mes amis! I write to you from the northwest coastline of France, where I am taking a break with my family-in-law. For the record, they are Parisians, and this is our annual family outing. This year we decided to pay les Bretons a visit. Pretty landscapes, breathtaking beaches and coastal vistas—I recommend it.
An interesting data breach article in the Digest this week emanates from Germany. The Bavarian Data Protection Authority (DPA) has fined two implicated companies—both seller and purchaser—for unlawfully transferring customer data as part of an asset deal. The acquiring company went on to use the “acquired” customer records for advertising purposes without the appropriate customer consent. This particular case is probably more common than most DPAs across Europe would like to acknowledge, and it speaks to the compromised integrity of customer data passing through business supply chains. The Bavarian DPA made a good point here, stating that personally identifiable customer data may not be treated or sold like any other commodity or asset. Both the acquiring and selling companies are considered “controllers” in this scenario under current EU data protection law, and they can therefore be held liable for noncompliance with legal requirements. The total amounts of the fines remain undisclosed; however, the DPA emphasized that they were significant.
The interview with UK Information Commissioner Christopher Graham that appeared in Computing this week was also particularly interesting. Graham airs his views on the status quo of European data law and where the GDPR might take us. While the last three or four years have been geared toward revision of the current law, this has been a challenge for most European DPAs—the UK included. Graham notably questions the potentially prescriptive nature of the GDPR, stating that one needs discretion to take risk and proportionality into consideration if one is expected to uncover—and fine for—data breaches. Graham advocates for a risk-based approach to data breach enforcement, where resources target the worst offenders doing the most damage. At the end of the day, one needs to balance resources to attain the greater good with a pragmatic and reasonable outlook. In short, the GDPR hasn’t happened quickly enough, although it remains to be seen how it can be implemented in an increasingly global economy with global players and borderless technology. The ICO has looked beyond Europe in cases, and it remains keen to cooperate with non-EU authorities to make international enforcement co-ordination efforts meaningful and to ensure that a framework is in place to act effectively when issues come to the fore.
It’s a message of global urgency, and while we wait for the final GDPR, one can only speculate as to the international impact of its pending implementation beyond EU borders.