This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: Do breach notification laws require me to notify regulators or individuals when my business inadvertently sends an email to the wrong person that contains a small amount of personal information about another person?
Answer: It depends. Breach notification laws around the world are different, and they are interpreted differently. But one recent action by the Polish data protection authority (DPA) would surprise some people.
The notification obligations in the EU are harmonized by the General Data Protection Regulation (GDPR), which provides that businesses are required to notify the competent DPA of a personal data breach if the breach is likely to result in a risk to the rights and freedoms of individuals. However, national EU DPAs interpret this threshold on their own, which could lead to divergence in application, as evidenced by a recent action by the Polish DPA.
A Polish energy company, ENEA S.A., was fined EUR 30,000 by the DPA for not notifying the DPA of a personal data breach. ENEA itself had determined that it was not required to notify the DPA of the incident because of the moderate nature of the data and number of individuals involved.
An ENEA employee had inadvertently sent an email to one unintended recipient outside the company. The email contained an unencrypted attachment with personal information of 259 customers of ENEA. The information included names, surnames, email addresses, phone numbers, and dates of registration. None of this information qualifies as sensitive information under the GDPR.
ENEA did not notify the DPA of the breach because (i) the breach did not involve sensitive information and (ii) the unintended recipient had confirmed that he had permanently removed the attachment containing the personal information. ENEA was therefore of the opinion that there was no risk of harm.
The DPA, however, found that the breach did pose a potential risk to individuals, such that the DPA should have been notified. The DPA considered that bad actors would have been able to use the information to (i) send unsolicited marketing communications to the affected individuals, (ii) contact the individuals with the intention of obtaining additional information, and (iii) set up accounts in their names on various types of social media sites and other Internet sites. The DPA did not give much weight to the fact that the recipient confirmed deletion of the file, since ENEA could not have verified the deletion.
It is difficult to assess whether the DPA’s decision should be treated as an EU-wide interpretation. At the EU level, the European Data Protection Board issued Guidelines on Examples regarding Data Breach Notification, which suggest that in cases of mistakenly sent emails, the absence of sensitive data and a low number of affected individuals generally make a misdirected email not notifiable. The Polish DPA’s decision may set the tone for Poland, but not necessarily for the EU.