During large security breaches, organizations are often swamped with requests for access and information by concerned individuals (i.e., data subject requests) that are difficult to process in a timely manner while the organizations are investigating, remediating and handling various notification requirements.

The U.K. Information Commissioner's Office and the Netherland's Autoriteit Persoonsgegevens have issued guidance that companies in this situation cannot extend the one-month response period for DSRs with two additional months in accordance with Article 12(3) of the EU General Data Protection Regulation. The data protection authorities suggest instead that the period to respond can only be extended if the same individual issues several DSRs and not when an organization is dealing with myriad DSRs from a multitude of individuals (for example, following a security breach).

Such a position imposes unreasonable burdens on organizations in the midst of a large security breach. It is also contrary to the legislative history of the GDPR and the guidance of other European DPAs, such as France, Belgium and Spain. Given the stakes for companies not complying with DSRs in a timely manner, it is high time the European Data Protection Board provides uniform guidance in line with the legislative history of the GDPR.

Security breaches are major drain on organizations’ resources

When an internal investigation and remediation of a data security breach are in full swing, organizations are mostly still trying to find out exactly what happened. At the same time, they are dealing with forensic IT specialists, lawyers, auditors, concerned business partners, investors, shareholders and other interested parties. On top of that, an organization is also often subject to increased media scrutiny, falling share prices and compliance issues with its regulatory obligations. The latter usually includes notifications to large numbers of affected individuals and relevant supervisory authorities around the world. Notifications are often followed by regulatory investigations of the organization’s security practices. And all this comes on top of everything else that needs to be done. In short, the entire situation puts an incredible strain on the organization’s personnel and resources.

A general counsel once mentioned that it is like having two jobs: the regular one and another on top of the regular one. The day-to-day work cannot be paused to give the breach undivided attention. Jobs are at stake, protecting customers and employees is crucial and the company has to move forward. This means double shifts, sleepless nights, and no weekends off or vacations, many times for months on end.

Dealing with concerned individuals comes on top of everything else

The moment a global breach becomes public, concerned individuals from all over the world start contacting the organization for more information. They demand to know whether their personal data were breached, what they need to do and, in some, cases even demand compensation. The process for dealing with these DSRs quickly becomes clogged up. Individuals sometimes issue several DSRs at once or in succession over a short span of time. A large number of individuals might get upset, emotional, hostile or are even uncertain about what they want. Many are reluctant or simply unwilling to cooperate by verifying their identity and providing further clarifications about their DSRs. Frustrated, the individuals often turn to regulators with their complaints, which can result in additional regulatory investigations.

It can quickly become impossible to deal with large numbers of incoming DSRs

Whatever personnel and resources for dealing with DSRs were sufficient and appropriate prior to the breach, organizations can be quickly overwhelmed and unable to deal with the situation in a timely manner. The only option is to engage additional personnel, possibly external contractors, to assist with the process of responding to DSRs. However, it is practically impossible for an organization with large and complex systems to train additional personnel to handle DSRs within the one-month period, as required by the GDPR.

Note that organizations are not in a position to control the rate at which they receive DSRs in extraordinary situations. They need to be able to set up their DSR processes based on reasonable assumptions and expectations that apply to day-to-day activities. They should not be required to plan for and maintain unnecessary resources to stand by because they might experience a breach and get overwhelmed by extraordinary amounts of DSRs all at once. This would, after all, mean (1) training a large number of personnel who will likely never have to deal with these kinds of DSRs; and (2) giving access to systems that could be compromised to personnel who do not need access to them in the ordinary course.

The GDPR allows an extension of the response period in such situations

The GDPR appears to have anticipated the situation described above. Article 12(3) of the GDPR provides that organizations need to respond to DSRs “without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.” This final sentence has generally been understood to allow organizations to extend the one-month period if (1) the DSR is sufficiently complex; and/or (2) the organization has received a large number of DSRs from many individuals at once or in a short span of time, both of which are true in the breach situation described above.

Some DPAs are placing unwarranted limits on the response period extension in Article 12(3)

The U.K. and the Dutch DPAs, however, appear to interpret this language differently. In their online guidance (available here and here), they take the position that the period to respond can be extended only if the same individual issues several DSRs. This suggests that if an organization is dealing with many DSRs all at once from multiple individuals, it cannot rely on the time extension in Article 12(3). 

At first glance, Article 12(3) seems to leave room for this interpretation by the two DPAs. As is often the case, however, the GDPR cannot be taken at face value. It requires a review of its legislative history and the underlying rationale of the relevant provisions to determine the correct application. Looking at the underlying intention of the EU legislators, the original language in the 2012 proposal document for the GDPR stated that the period could be extended “if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller.”

This language clearly alludes to DSRs received from multiple individuals, demonstrating that the EU legislators always had an eye towards a scenario that could potentially place a disproportionate burden on the organization. The specific reference to DSRs from “several data subjects” was subsequently removed, but not because of an agreement that the provision should only apply in cases of multiple DSRs by a single individual. The article was simplified because some EU governments expressed the concern that the requirement was unclear. The final version of the article is therefore only an abbreviated version of the original draft language and it was never intended to limit the application to DSRs from the same individual. 

This interpretation is supported by the fact that Article 12(5) of the GDPR already regulates excessive DSRs from one individual: Organizations may refuse DSRs from one individual, if such DSRs are “excessive,” and they may even be allowed to charge a handling fee.

Other DPAs support a broad interpretation of the response period extension in Article 12(3)

A number of other DPAs have issued guidance that supports the broader interpretation. For example, the Belgian Data Protection Authority's guidance states that an extension is permitted if a DSR from an individual is complex or the organization has to handle too many DSRs that exceed the organization’s capacity. Similarly, the French Commission nationale de l'informatique et des libertés’s guidance states that an extension is possible depending on the complexity or the number of DSRs that the organization has received, as does the Spanish Agencia Española de Protección de Datos’s guidance.

The DPAs limiting Article 12(3) should reconsider and align their positions with other DPAs

Article 12(3) of the GDPR is evidently a conduit for organizations to have a measure of protection during the multiple-individuals scenario, as in the one described above. Any other interpretation could potentially put organizations in a position where they could not feasibly respond to DSRs within the required legal period, and despite their best efforts, would therefore be unable to comply with the law.

Placing unreasonable burdens on organizations was never the intention of the GDPR. The protection of Article 12(3) of the GDPR, therefore, helps limit the risk that organizations facing multiple DSRs in extraordinary situations are made subject to a disproportionate burden or otherwise unfairly placed in a position of forgoing their legal duties.

When the number of total DSRs submitted to an organization significantly exceeds that which would normally be expected by an organization of its type and size, the organization should be able to extend the one-month deadline by another two months, as provided in Article 12(3) of the GDPR.

Photo by ThisisEngineering RAEng on Unsplash