by snowwolf 2700 days ago
Yes, exactly that if the email provider hasn’t put in place sufficient defences. Why wouldn’t they be liable? They have a duty of care under GDPR to protect your personal data. If they are negligent in that duty then absolutely they should be liable.

I'm not saying Deliveroo isn't in the wrong here - they absolutely should have more defenses, but I still think this argument makes little sense. What if they have the defences in place but you choose to disable them? Who is liable then? I personally have 2FA on my GMail, but plenty of people choose not to - is it Google's fault for not forcing it on them?
You’re forgetting something. This isn’t my argument. This is what GDPR states. Unauthorised access to personal data constitutes a data breach. Does someone accessing your personal data who is not you using a stolen password count as unauthorised? Yes.

It will ultimately come down to a test case, but as I said before, you will be hard pressed to find a lawyer who would tell a company that they definitely won’t be liable.

It depends on how "unauthorized" is defined. Does it actually define "unauthorized" somewhere else in the statute?
I think unauthorised has a fairly clearly defined definition in the English language (without permission or authority). And I’m fairly sure that’s the definition already used in courts of law. So in the absence of any contradicting definition in GDPR (and there isn’t) I would be pretty confident that is the definition that would be used.

But even so I struggle to think of a definition where accessing someone else’s account without their permission or authority wouldn’t be classed as unauthorised.

For what it’s worth, it’s very common for close people to share their Deliveroo account, a bit like Netflix.

I would never, but one of my two housemates was very confused why they couldn’t have my password so that they could look at the menu and each add their option to the order. (The third housemate was also a developer, so he was surprised that I could remember it and I got sermoned about 1Pass over pizza.)

I also have heard of cases of close (female) friends who know each other’s password; when one had a health incident (miscarriage), the other took it upon herself to order for the first one, to comfort her. She tried from her own account but failed (couldn’t remember the name of the restaurant), so connected to her grieving friend’s account and changed it to use her debit card. It was fully appreciated, but a surprise.

“Authorised” in that sense falls somewhere between:

- I know who those people are;

- we are part of the same household;

- I know that they can have access to my account;

- they made sure that I know they are on my account;

- I actively allowed them to be on my account right now;

- the device is shared.

> without permission or authority

Permission or authority from who though?

If someone steals a key and unlocks a lock, is that considered "unauthorized access?" From the perspective of the person whose key was stolen, absolutely. From the perspective of the lock, no, the access was authorized.

We define terms in statutes and contracts for a damn good reason.

Good luck using that as your defence in a court of law :)
That's the problem with GDPR. It leaves much to be defined by ratifying member states. For example, it says you need a Data Protection Officer if you do "large scale" processing. There's no definition, no threshold defined for "large scale". You might not find the definition for unauthorized access in the GDPR and it may depend on jurisdiction.
I'm not sure why this is being downvoted. All I am doing is pointing out what the current law is under GDPR. You may not agree with the law, but that doesn't change what it says.