News media are increasingly reporting on 'massive' data breaches. In the Netherlands, we have examples such as the data breach at the market researcher Blauw (March 2023, affecting 2 million people), JD Sports (January 2023, affecting 10 million people), and the Dutch Municipal or Community Health Service (GGD, May 2022, affecting 6.5 million people). Additionally, there was a recent data breach in the automotive sector; Tesla experienced a data breach in March 2023 affecting hundreds of thousands of individuals. Furthermore, the data breach at market researcher Blauw also resulted in the exposure of personal data from NS customers.

In some of these data breaches, confidential company information was leaked. However, more importantly, a vast amount of personal data from customers (and in some cases even employees) was exposed in each of these incidents. This data includes names, private email addresses, phone numbers, bank and salary details, and sometimes even citizen service numbers.

A data breach can have severe consequences for all parties involved. Contact details, when combined with salary or bank details, could easily be exploited to extort the affected individuals. This could result in both tangible and intangible damages for these individuals.

Additionally, these data breaches could cause significant damage to the affected companies. Firstly, a data breach could result in unprecedented reputational damage for the company. After all, who wants to work for or be a customer of a company that leaks personal data? Moreover, non-compliance with European data protection rules may lead to administrative enforcement measures, such as orders or incremental penalties, as well as administrative fines of up to EUR 20,000,000 or 4% of the annual worldwide turnover. For instance, in the case of Tesla, this could amount to 3.26 billion Euros (based on their turnover in 2022), or in the case of JD Sports, it could reach 400 million Euros (based on their turnover in 2022). High fines under data protection laws are no longer the exception, as recent fines from the Irish authority and others have shown.

Lastly, any individuals who have suffered material or non-material damages due to a company's non-compliance have the right to receive compensation for the harm they've experienced, both individually and collectively. These collective claims can accumulate substantial amounts of money. For example, if all those affected by the JD Sports data breach claim 500 Euros each (which is not unlikely), the total amount for the class action claim would reach 5 billion Euros.

These data breaches clearly demonstrate the necessity of considering data protection in the automotive sector. With rapid advancements in connected and autonomous vehicles, advanced driver assistance systems, and smart public transportation, it is crucial to address the legal challenges that arise, especially in the realm of data protection and privacy.

The significant amounts of data generated on a daily basis, resulting from increased vehicle connectivity, usage and behavior monitoring systems, and the interconnectivity of drivers, passengers, and road users, raise important questions about data collection, access, and protection. Moreover, numerous parties involved in the automotive supply chain and public transportation are collecting this data, which raises questions such as: who collects the data, who has access to it, how can we safeguard it from misuse, and what responsibilities does each stakeholder hold?

The data breaches are examples of why it is important to have a sharp understanding of your company's role and corresponding responsibilities under the GDPR, and to know precisely what is expected of your company. To shed light on these critical data protection and privacy challenges, we are excited to invite you to our upcoming webinar: 'Privacy Compliance in the Automotive and Public Transportation Sector.'

During this engaging session, we will explore your role in data protection, ways to address privacy concerns, and discuss noteworthy cases and upcoming legislation. We understand the complexity of the automotive supply chain and the involvement of various stakeholders. Our aim is to equip you with the knowledge and tools to navigate towards GDPR compliance.
