Facebook-hack: stress test for Irish DPC

Abstract

The Facebook-hack provides evidence that new instruments of GDPR are having significant effect. Firstly, Facebook was required to notify the respective DPA of the incident within 72 hours according to Art. 33 GDPR. Secondly, Facebook adressed the hack to the Irish DPC as lead authority. According to Art. 56 GDPR the Irish DPC is the lead authority for Facebook within the EU. Facebook has its headquarters, which dertermines the purpose and means of the data processing of the Group, in Ireland. Following the principle of 'one stop shop' Facebook solely has to report the incident to one single DPA and not to any national DPA within the EU.1