by snowwolf 2699 days ago
You’re forgetting something. This isn’t my argument. This is what GDPR states. Unauthorised access to personal data constitutes a data breach. Does someone accessing your personal data who is not you using a stolen password count as unauthorised? Yes.

It will ultimately come down to a test case, but as I said before, you will be hard pressed to find a lawyer who would tell a company that they definitely won’t be liable.


It depends on how "unauthorized" is defined. Does it actually define "unauthorized" somewhere else in the statute?
I think unauthorised has a fairly clearly defined definition in the English language (without permission or authority). And I’m fairly sure that’s the definition already used in courts of law. So in the absence of any contradicting definition in GDPR (and there isn’t) I would be pretty confident that is the definition that would be used.

But even so I struggle to think of a definition where accessing someone else’s account without their permission or authority wouldn’t be classed as unauthorised.

For what it’s worth, it’s very common for close people to share their Deliveroo account, a bit like Netflix.

I would never, but one of my two housemates was very confused why they couldn’t have my password so that they could look at the menu and each add their option to the order. (The third housemate was also a developer, so he was surprised that I could remember it, and I got sermoned about 1Pass over pizza.)

I also have heard of cases of close (female) friends who know each other’s password; when one had a health incident (miscarriage), the other took it upon herself to order for the first one, to comfort her. She tried from her own account but failed (couldn’t remember the name of the restaurant), so she connected to her grieving friend’s account and changed it to use her debit card. It was fully appreciated, but a surprise.

“Authorised” in that sense falls somewhere between:

- I know who those people are;

- we are part of the same household;

- I know that they can have access to my account;

- they made sure that I know they are on my account;

- I actively allowed them to be on my account right now;

- the device is shared.

> without permission or authority

Permission or authority from who though?

If someone steals a key and unlocks a lock, is that considered "unauthorized access?" From the perspective of the person whose key was stolen, absolutely. From the perspective of the lock, no, the access was authorized.

We define terms in statutes and contracts for a damn good reason.

Good luck using that as your defence in a court of law :)

That's the problem with GDPR. It leaves much to be defined by ratifying member states. For example, it says you need a Data Protection Officer if you do "large scale" processing. There's no definition, no threshold defined for "large scale". You might not find the definition for unauthorized access in the GDPR, and it may depend on jurisdiction.