perch56 | 1 year ago

The author of the article seems to be confused about the GDPR notification requirements. In the event of a personal data breach, the controller is required to notify the supervisory authority without undue delay, and where feasible, no later than 72 hours after becoming aware of the breach—not the users themselves. However, when it comes to informing end users, the GDPR requires that they be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms. It’s mind-boggling that FlightAware took three weeks to inform users, which raises concerns about their handling of the situation. It’s also suspicious that they haven’t clarified whether they are aware if the exposed data was actually copied by bad actors—one should assume it was.

croemer | 1 year ago

This sentence is also mind-bogglingly ambiguous:

> Please note that this notification was not delayed as a result of a law enforcement investigation.

Was there a law enforcement investigation or wasn't there? The sentence can either mean:

a) A law enforcement investigation happened, but it didn't delay the notification

b) It may or may not have been delayed, but a law enforcement investigation played no causal role in a delay - whether it had happened or not

c) A law enforcement investigation happened, and it delayed the notification, but not in the legal sense of a "late notification"