How does a data controller know, in the case of a personal data breach, whether it must report the breach to the supervisory authorities? How can we prevent "notification fatigue" or meaningless notifications to authorities? This article will explore such questions. 

In the majority of jurisdictions, personal data protection regulations impose a mandatory requirement to notify individuals and/or supervisory authorities when a personal data breach has occurred, even where personal data is not affected. The objective of this notification is to assist in mitigating the risks of serious injury or damage for data subjects, such as identity theft, and to verify controllers' compliance with their policies, procedures, and controls. For example, the General Data Protection Regulation indicates, “Such notification may result in an intervention of the Supervisory Authority in accordance with its tasks and powers laid down in this Regulation ... including the power to prohibit processing operations."

In keeping with the GDPR, notification is mandatory for all breaches involving the confidentiality, availability and integrity of a certain kind or kinds of personal data. If the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, this mandatory requirement does not exist.

In order to ensure a consistent interpretation of the circumstances in which a controller must (or must not) notify a breach, which either compromised or could have compromised personal data, the company can carry out a personal data-breach impact assessment before notifying that incident to its supervisory authority. To do so, a personal data breach impact assessment should include the following matters relevant in the circumstances:

  • All strategies used by the controller to identify and mitigate the risks, also to determine the existence of concrete, particularized and impending harms to the data subjects, and especially to prevent future injuries to them (it is important to note that a personal data breach could not be itself considered an impending risk of harm, see Chantal Attias v. Carefirst);
  • The existence of serious interference with the right to privacy of individuals regarding their personal data;
  • The categories and approximate number of data subjects affected by the data breach, either as a specific number or as a proportion of the relevant population (see the letter sent to Yahooby the WP29); 
  • The kind/s and sensitivity of the data involved in the data breach, including, financial account numbers such as credit or debit card numbers, health data or other sensitive information, and data about children;
  • The persons, or the kinds of persons, who have obtained, or who could obtain, the data;
  • The scale of the data breach, i.e., whether it is significant, its magnitude or scope (e.g. the geographical extent, volume of data potentially involved and the duration of the issue), the security measures used in relation to the data, and the record of personal data breaches suffered by the controller, and not all the matters listed will necessarily be particularly relevant in all circumstances.

In following this line of thought, to determine whether a personal data breach must (or must not) be reported to supervisory authorities, the personal data breach impact assessment must indicate in at least one the following results: First, the controller successfully mitigated the data breach (e.g., the company revoked or changed computer access codes). It includes reducing the residual privacy risks on the data subject to a negligible level, following those remedial actions.

Second, the data breach does not mean a real risk of serious harm to data subjects or their privacy (see In Re: VTech Data Breach Litigation). In this case, the data breach is unlikely to result in a risk to the rights and freedoms of data subjects.

To identify the risks of serious harm to data subjects, the controller can develop methods based on a "reasonable person test." For example, a scoring methodology. This would allow the controller to determine the degree of probability and what kind of harm occurred.

Third, the possible risk of a future injury is too speculative, contrary to be concrete and particularized in both a qualitative and temporal sense, or the harm will not occur, unless the happening of a series of contingent events.

Concluding that injuries cannot manufacture effects in the future merely by inflicting harm on data subjects based on their fears of hypothetical future harm that is not certainly impending. 

Fourth, the event is an exception in relation to the operation of a data breach notification regime, based on specified circumstances in which they are available. For example, number of data subjects concerned (See California’s Civil Code Section 1798.82)

Regarding this point, it is important to say that the Personal Data Protection Commission of Singapore is proposing a review of the Personal Data Protection Act to include the mandatory requirement to notify a personal data breach based on certain criteria. Consequently, the organizations would only be obliged to notify to that government agency where the scale of the data breach is significant, even if the breach does not pose any risk of impact or harm to the affected individuals, for example, where the data breach has affected 500 or more individuals.

Whatever the basis, the personal data-breach impact assessment must be conducted as reasonable and expeditiously as possible in the circumstances, in any case, prior to the time limit established by law to notify a personal data breach (unless an exception applies to do so, or a temporary deferral). For instance, the GDPR establishes a time of 72 hours after having become aware of incident to do it.

Importantly, to enhance transparency and to demonstrate compliance with the Regulations, the assessment and its methodology must be kept up-to-date to the satisfaction of the Supervisory Authorities. Preferably, such information should be documented under a record. However, the assessment must be done on a case-by-case basis.

From a legal scenario, this tool is similar to the GDPR method, the data-protection impact assessment (Article 35). Therefore, the supervisory authorities should take into account the personal data breach impact assessment as a useful and positive activity that aids legal compliance by the controllers. Its use may be more appropriate when considering low-impact breaches.

Finally, the personal data breach impact assessment should be used as a notification guide for all breaches. It can help Controllers determine when to notify regarding a breach. This, in turn, may help prevent "notification fatigue" or meaningless notifications for authorities.