Breach Notification Is Coming to the EU

A Pan-European breach-notification requirement will be applicable for the first time under the European General Data Protection Regulation (GDPR) as of May 25, 2018. The new requirements include the obligation to notify the local data protection authority (DPA) of any personal data breach, except for a breach that is “unlikely to result in a risk to the rights and freedoms of individuals.” As in the Philippines, the notification to the DPA should be made within 72 hours of the entity “becoming aware” of the breach. This is a significant departure from the notification period in most other countries, where the standard is “without undue delay” or “as soon as reasonably practical.” Individuals must also be notified of a breach if the breach results in a “high risk to the rights and freedoms of individuals.” The period for providing this notice is more aligned with what is typically found in breach legislation and is “without undue delay.”

In addition, the group of European Data Protection Authorities, the Article 29 Working Party (“WP29”) has just issued new guidelines that seek to clarify how some of the obligations should apply (the “Guidelines”). The Guidelines address five major topics: (i) the concept of a personal data breach; (ii) the obligation to notify the relevant DPA of such breach; (iii) the obligation to notify the individual of such breach; (iv) the risk assessment for a personal data breach; and (v) the documentation of personal data breaches. As discussed below, some of the clarifications set forth in the Guidelines regarding the notification trigger and the timing of notification when processing is being carried out by a processor appear to exceed GDPR requirements.

The WP29 is accepting public comments on the draft guidelines through November 28, 2017. Submissions should be sent to JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr.

1. Personal Data Breach

The GDPR (art. 4(12)) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The WP29 distinguishes three types of data breaches (as set out in Opinion 3/2014 on Personal Data Breach Notification) and discusses at a high level the difference between a data security incident and a noticeable breach.

2. Notification of the DPA

All personal data breaches must be reported to the DPA, except those that are unlikely to result in a risk to the rights and freedoms of individuals. Note that all breaches must still be recorded (see below) and that the risk must be periodically reevaluated. The Guidelines do not mention a time frame or limitation to this reevaluation. For example, the Dutch DPA mentions that data breaches that must not be reported due to security measures, such as encryption, must be reevaluated at least once per year for a period of three years.

The Guidelines provide examples of breaches that are unlikely to result in a risk to the rights and freedoms of individuals. These examples include:

• A breach that is limited to information that is already publicly available;
• A breach of personal information that is encrypted, hashed, or otherwise made unintelligible for unauthorized users; and
• A breach that causes very limited risk for the individual, such as any breach at a media company that causes the inability to send a newsletter to the individual.

When: Without delay and, where feasible, within 72 hours of becoming aware of the personal data breach

Notification must be provided without delay and, where feasible, within 72 hours of becoming aware of the personal data breach. The Guidelines advise that a data controller becomes “aware” of a personal data breach when it has a “reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.” After being informed of a potential breach, the data controller may take a short period to conduct a preliminary investigation, during which period the data controller is not considered “aware” of a personal data breach.

If the notification is not made within 72 hours of the controller becoming aware of the breach, the notification must include the reasons for the delay. The Guidelines state that such reasons could include multiple similar breaches over a short period of time, affecting large numbers of data subjects in the same way. In such case, the controller may submit a bundled notification representing all of these similar breaches at once. A bundled notification does require that the breaches concern the same type of personal data, breached in the same way over a short period of time.

The Guidelines further advise that mere temporary unavailability of personal information may qualify as a noticeable breach. The example provided by the WP29 is when data are encrypted and become temporarily unavailable even for a limited period of time. However, nothing in the GDPR suggests that personal information must be available at all times. In particular, if data are encrypted, there is no risk that the information can be misused. There may be a loss in the service that the individual may obtain, but that would be a contractual question, not a breach notification question. The WP29’s proposed “loss of availability” standard would take the breach notification concept far beyond what is required under the GDPR.

The Guidelines also note that the processor can make the notification on behalf of the controller, provided that the controller has authorized the processor to do so.

How: Provide relevant information to the (lead) DPA

According to Art. 33(3) GDPR, the information included in the notification to the DPA should:

• Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
• Describe the likely consequences of the personal data breach; and
• Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Guidelines clarify that the “categories” of individuals should be understood to refer to the types of individuals (e.g., employees, customers, or children). Similarly, the “categories” of personal information should be understood to refer to the types of personal information (e.g., health data, educational records, financial information).

The GDPR allows for notification in phases, if it is not possible to provide all relevant information at the time of the initial notification. The Guidelines advise to always indicate in the notification whether additional information will be provided later on. Also, the Guidelines indicate that such additional information could lead to the conclusion that no personal data breach has occurred after all. The Guidelines state that, in such cases, the notification to the DPA may be amended.

If a personal data breach affects individuals in multiple EU Member States, the controller only has to notify the lead DPA as set out in art. 56(6) GDPR. The Guidelines suggest that the controller should assess which DPA qualifies as the lead DPA when drafting its incident response plan.

3. Notification to the Individual

A high risk to the rights and freedoms of individuals is present if the breach may cause physical, material, or non-material damage to the individual, such as discrimination, identity theft, or fraud. This is likely the case if the breach involves sensitive personal information or information relating to criminal offences (art. 9 and 10 GDPR).

The Guidelines indicate that a breach is not likely to result in a high risk to the rights and freedoms of individuals if:

• The information is encrypted, hashed, or otherwise made unintelligible for unauthorized users; and
• Immediately following a breach, the controller has taken steps to ensure that the high risk is no longer likely to materialize, which would be the case if a breach is caused by a single person, and the controller immediately after the breach took action against this individual to ensure that the person could not do anything with the information.

The data controller also does not have to notify the individuals if this would involve a disproportionate effort. The Guidelines suggest a limited explanation of this exception, for example, if the contact details of the individuals were lost in the breach or if the controller never had these contact details in the first place. In this case, the controller has to make a public communication to inform the individuals in an equally effective manner.

When: Without undue delay

The notification to the individual must be made without undue delay. The Guidelines explain that this means as soon as possible. In exceptional cases, the notification to individuals must be made even before notifying the DPA. The Guidelines indicate that examples of such exceptional cases could be an immediate threat of identity theft and online disclosure of sensitive personal information.

The GDPR also requires a processor to notify a controller without undue delay. The controller is then given 72 hours to notify the DPA. However, the Guidelines state that if a data controller makes use of a processor, then the controller is considered “aware” once the processor has become “aware.” This means that the controller is not considered aware during the processor’s preliminary investigation, but is considered aware once the processor is reasonably certain that a personal data breach has occurred, regardless of whether or not the processor has informed the controller of this fact. The WP29’s interpretation essentially eliminates the period afforded to the processor under the GDPR of “undue delay” and replaces it with an “immediate”  period.

How: Provide relevant information to individuals

Art. 34(2) GDPR lists the information that should, at a minimum, be included in the notification to the individual.

• A description of the nature of the breach;
• The name and contact details of the data protection officer or other contact point;
• A description of the likely consequences of the breach; and
• A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Guidelines indicate that, where appropriate, the notification should also provide specific advice to help the individuals protect themselves from possible consequences of the breach. An example could be to advise the individuals to change their passwords in case of a confidentiality breach relating to access credentials.

The individuals should be notified of the breach in the relevant language in a dedicated message unless it would involve disproportionate effort. If a direct message would be disproportionate, the controller should choose one or more methods of communication that maximize the chance of informing all affected individuals, such as prominent website banners or notifications, postal communications, and prominent advertisements in print media.

4. Assessing the Risk of a Personal Data Breach

The risk of a (potential) data breach should be assessed by considering the likelihood of the potential consequences and the damage that would be suffered if these consequences were to materialize. In assessing this risk, the following criteria should be taken into account:

• The type of breach – a confidentiality breach is likely to entail a larger risk than an availability breach.
• The nature, sensitivity, and volume of personal information – the sensitivity of the personal information involved is a key factor. Consideration should also be given to already available personal information, with which the breached personal information could be combined.
• Ease of identification of individuals – the breach entails a higher risk if the information allows for identification of the individuals without special research.
• Severity of consequences for individuals – a higher risk exists if information is breached that could be used for fraud or identity theft purposes.
• Special characteristics of the individuals – the risk is generally greater if the breached information pertains to children or other vulnerable individuals.
• Special characteristics of the data controller – the nature or role of the data controller can also contribute to the risk of the data breach, for example, if the data controller is a hospital or financial institution.

Besides these criteria, the WP29 refers to ENISA’s recommendations for a methodology of the assessment of severity of personal data breaches.

5. Accountability and Record-Keeping

Based on the accountability principle, the GDPR (art. 33(5)) requires that all personal data breaches be recorded. This includes the breaches that do not have to be reported. For each breach, the data controller should record the:

• Facts relating to the breach;
• Effects of the breach;
• Remedial actions taken;
• Reasoning for the decisions taken in response to the breach, especially if the decision was made not to report the breach;
• Justification for delayed notification, if the notification is not made within the time frame set out above; and
• Notifications to individuals.

Besides this, the WP29 recommends that controllers and processors document their notification procedure and are able to demonstrate that employees have been informed of this procedure and know how to react to breaches. The failure to have a documented procedure can be a separate violation.

The Guidelines are available.