You would have had to be living under a rock to have missed all the political turmoil in the U.K. over the past few weeks concerning the U.K. government’s “mini-budget.” In essence, even the staunchest government allies now accept it was a mistake to make changes to the U.K. tax system without fully thinking through the consequences of those changes, resulting in the need to make a series of embarrassing political U-turns.
The government’s ill-advised changes should be a cautionary tale for the European Data Protection Board and its recently-proposed “targeted update” to its “Guidelines on Personal Data Breach Notification,” open to public consultation until Nov. 29, 2022.
The proposed “targeted update” concerns only a single, solitary paragraph of the guidelines, and for that reason, privacy professionals could be forgiven for thinking that it is of a minor, surgically precise nature; perhaps one intended to cure a slight, but irritating, affliction that has long proven bothersome.
In fact, nothing could be further from the truth.
History of the current guidelines
But, before we get to that, let’s take a step back to gain some perspective.
The current guidelines were initially adopted by the EDPB’s predecessor, the Article 29 Working Party, in October 2017. When the EDPB was established under the EU General Data Protection Regulation on May 25, 2018, the EDPB endorsed its predecessor’s guidelines in its first plenary meeting — in effect, adopting the former Working Party’s guidelines as its own.
The guidelines attracted controversy straight away, due to a paragraph that said controllers would be deemed “aware” of personal data breaches suffered by their processors as soon as the processor itself had discovered the breach. Whether by design or oversight, the guidelines simply did not allow for the inevitable time delay between a processor discovering a breach and then notifying its controller. This mattered because controllers have to report a data breach within 72 hours, and the guidelines as adopted meant the controller’s clock would count down as soon as the processor became aware of the incident — regardless of how long the processor took to tell the controller, or if it even told the controller at all.
This was unrealistic to the point of being unfair, and so the EDPB changed course and updated the guidelines in February 2018. In its revised guidelines, which are also the current guidelines, the EPDB said only that a processor should inform its controller of a personal data breach “without undue delay.” The controller was no longer explicitly deemed aware of a breach upon the processor’s discovery.
Breach reporting by non-EU controllers under the guidelines
The revised guidelines also made another important and helpful change concerning breach reporting obligations for non-EU controllers.
EU GDPR’s one-stop-shop mechanism — the mechanism that allows an organization established within the EU to be supervised, primarily, by a single “lead authority” — does not apply to organizations established outside of the EU. Under the one-stop-shop mechanism, EU-based organizations need only report personal data breaches they suffer to their lead authority.
By contrast, at that time, non-EU organizations subject to the GDPR would potentially need to report data breaches to supervisory authorities in each of the member states where data subjects were impacted — i.e., up to 27 different supervisory authorities, or 30, if you include EEA supervisory authorities.
Thankfully, the revised guidelines foresaw and addressed this problem, noting the GDPR requires non-EU controllers to appoint an EU representative. The revised guidelines, therefore, recommended a non-EU controller should file any reportable data breach with the supervisory authority in the member state where its EU representative was based:
“Where a controller not established in the EU … experiences a breach, it is therefore still bound by the notification obligations under Articles 33 and 34. Article 27 requires a controller (and processor) to designate a representative in the EU where Article 3(2) applies. In such cases, WP29 recommends that notification should be made to the supervisory authority in the Member State where the controller’s representative in the EU is established.”
This was a welcome, pragmatic solution that drastically simplified reporting obligations that would otherwise have proven highly complex and cumbersome for non-EU controllers. This, in turn, enabled critical breach response resources to be focused on investigating, containing and mitigating suspected breaches rather than preparing, translating and filing countless breach notification forms — all ultimately saying the same thing — across multiple EU territories.
Regrettably, it is this very point that the EDPB now proposes to change.
A 'targeted update' to non-EU controller breach reporting?
By now, you’ve probably guessed where this is heading: the EDPB wants to update the guidelines to make clear that non-EU controllers do, in fact, need to report breaches to every EU supervisory authority where impacted data subjects reside.
Specifically, the EDPB proposes to replace the paragraph in the current guidelines highlighted above as follows:
“However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller.”
In this author’s opinion, this change would be a significant step backward for multiple reasons:
First, a principal stated objective of the GDPR was to remove “red tape.”
Back in January 2012, Viviane Redin, then EU Justice Commissioner, said: “…companies very often are burdened with red tape: cumbersome and costly notification requirements for processing data without bringing a feeling of safety to the citizens. … The [GDPR’s] savings will be achieved by a series of measures. First, by simplifying the regulatory environment and by drastically cutting red tape.”
Granted, Commissioner Redin was referring at the time to data processing notifications required under the old Data Protection Directive, but the sentiment that the GDPR would remove “red tape” and “cumbersome and costly notification requirements” should apply equally to data breach notifications. The EDPB’s proposal is directly at odds with one of the originally stated goals of the GDPR.
Second, the EDPB’s proposals are unnecessary and unworkable. Speaking from extensive personal experience, the regime established for non-EU controllers under the current guidelines works well and does not need to change. When a non-EU organization suffers a data breach, internal response teams fly into action to investigate, contain and mitigate the breach. They do so in the knowledge that they need only prepare, translate and file a single notification to the supervisory authority where their EU representative is located — not countless forms across multiple EU member states. This, in turn, means they can better deploy internal breach response resources where they are most needed: namely, investigating and containing the breach and mitigating harm to data subjects. Unraveling this for bureaucratic regulatory purposes whose benefits are unclear risks real harm to data subjects in data breach scenarios.
Third, if filings must be made to multiple supervisory authorities, then organizations would reasonably expect a single, standardized breach notification form to exist for use across all EU member states. This is not the case. Each authority currently has its own reporting form, and completing several of these is, at best, fiddly and, at worst, downright inefficient and complex.
Inconsistencies will creep in across multiple filings, and cooperating supervisory authorities will most likely view these inconsistencies with suspicion rather than recognizing them for what they are — innocent errors introduced due to the pressure of completing mountains of paperwork in a compressed timescale.
Fourth, and related to the above point, the GDPR requires data breach reports, “where feasible,” are made within 72 hours. This means the facts must be investigated, the relevant reporting forms for each supervisory authority found, completed, agreed with all relevant internal stakeholders (including lawyers), and translated where necessary before being filed with the relevant authorities. I challenge anyone to do this across 27 different countries within 72 hours.
Finally, the EDPB’s proposal inadvertently undermines the appointment of EU representatives. While appointing an EU representative is a legal requirement for non-EU controllers, the reality is the benefit representatives afford non-EU controllers in terms of simplifying data breach filings is often the sole reason why non-EU controllers bother to appoint an EU representative.
While not appointing an EU representative may be a breach of the GDPR, practically many non-EU controllers will be aware that it is much harder for supervisory authorities to enforce the GDPR against an organization that has no local presence, whether in the form of an establishment or a representative. In other words, many non-EU controllers will see appointing an EU representative as increasing their overall enforcement risk profile but accept this risk on the basis that it reduces their data breach reporting obligations. Remove that benefit, though, and see what happens.
The EDPB exists to support the consistent application of the GDPR at an EU-wide level. Yet it is difficult to reconcile this objective with the EDPB’s proposal to revise the guidelines to clarify that non-EU controllers must make individual data breach filings across multiple EU member states. This proposal is, in this author’s opinion, a mistake and a significant regulatory step backward.
If you wish to make a submission to the EDPB on this issue, you can do so here.
