Editor's Note:
The Article 29 Working Party adopted its final guidelines on personal data breach notification on February 6, 2018. The summary below describes the draft guidelines as released for public comment in October 2017.
The EU General Data Protection Regulation imposes stricter obligations on data controllers and processors to ensure the security of personal data. One of the new mechanisms introduced to reach this objective is data breach notification, a concept familiar to U.S.-based privacy professionals but still relatively new to the EU. Specifically, the GDPR requires data controllers to notify the competent supervisory authority about personal data breaches unless “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Moreover, breaches also need to be communicated to the affected individuals if there is a “high risk to the rights and freedoms of natural persons.” The consequences of non-compliance with the breach notification obligations are substantial: sanctions or an administrative fine of up to 10,000,000 euros or 2 percent of the data controller’s total worldwide annual turnover of the preceding financial year, whichever is higher.
This week, the Article 29 Data Protection Working Party released its proposed guidelines on data breach notifications, which are open to public comment until November 28, 2017 (via JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr). The guidelines provide detailed explanations about the data breach notification mechanism and offer some clarifications on certain key concepts, including notification obligations (both to supervisory authorities and to data subjects) and risk assessment.
Notifying the Supervisory Authority
When a data breach occurs, the GDPR dictates, data controllers must notify the competent supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” But what does it mean to be “aware”? As the WP29 explains in its proposed guidance, a controller becomes aware of a data breach when it has a “reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.” The 72-hour clock therefore starts at that point, not when the first alert fires. During its initial investigation of the incident, which “should begin as soon as possible,” the controller is not yet considered to be aware. Whether it is immediately clear that personal data was compromised or that conclusion takes some time to reach, “the emphasis should be on prompt action to investigate an incident to determine whether personal data have indeed been breached.” Once that short period of investigation has passed and the controller has established that a breach occurred, it is considered “aware,” and notification to the supervisory authority is then required “if this presents a likely risk to individuals.” A controller cannot extend the deadline by deferring the investigation: a delayed or perfunctory investigation does not postpone awareness.
Data processors must also notify data controllers of breaches “without undue delay.” WP29 says this notification should be “immediate,” so that the data controller can meet its own 72-hour time frame. If the processor provides services to more than one data controller, it needs to report the incident, and the details about it, to each of the affected controllers. In practice, this means processor contracts and runbooks should specify the reporting channel and the information to be passed along, since the controller, not the processor, remains responsible for notifying the supervisory authority.
What Information Should be Provided to the Supervisory Authority?
The GDPR requires that the notification to the supervisory authority contain several pieces of information. First, it should “describe the nature of the personal data breach.” This includes a description of the categories of individuals whose data were affected, such as children, people with disabilities, employees, or customers, and the approximate number of individuals affected. It should also include a description of the categories of personal data affected, such as health data, educational records, or bank account numbers, and the approximate number of personal data records affected.
Second, the notification to the supervisory authority should provide the name and contact details for the data protection officer or other point of contact from which the authority can obtain more information.
Lastly, the notification should describe both “the likely consequences of the personal data breach” and “the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.” As the WP29 states, “if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy),” then it is important to note these categories, as they are relevant to the requirement to describe the likely consequences of the breach.
Missing information about the exact number of affected data subjects should not delay a breach notification. The GDPR allows the use of “approximations” for the number of affected individuals and personal data records. Where the full and precise extent of the breach is not yet known, “a notification in phases … is a safe way to meet the notification obligations,” especially since “full and comprehensive details of the incident may not always be available” within 72 hours of becoming aware of the breach. When making the initial notification, the controller should indicate that it will provide more information later, and “the supervisory authority should agree how and when additional information should be provided.”
Furthermore, after the initial notification is made, a controller may update the supervisory authority if a follow-up investigation reveals that the incident was contained and no breach actually occurred. As the WP29 states, “There is no penalty for reporting an incident that ultimately transpires not to be a breach.”
Delayed Notifications
If a data controller cannot notify the supervisory authority within 72 hours, a delayed notification may be allowed provided the reasons for the delay are given with the notification. For example, if a controller experiences “multiple, similar confidentiality breaches over a short period of time, affecting large numbers of data subjects in the same way,” it may submit a single, “bundled” notification covering all of the breaches, even if that notification is made more than 72 hours after it first became aware of them.
Which Supervisory Authority Should Be Notified?
A data breach may affect individuals in more than one EU member state. When this occurs and notification is required, “the controller will need to notify the lead supervisory authority.” To be able to respond promptly, controllers should determine their lead authority in advance, when drafting the breach response plan, rather than during an incident. If a data controller has not identified a lead supervisory authority, it should, at a minimum, notify the local authority where the breach has taken place. A controller may also report the incident to other supervisory authorities in member states where there are affected individuals. Even if the data controller only notifies the lead supervisory authority, WP29 recommends that the notification indicate whether data subjects in other member states are likely to be affected and whether the breach affects the controller’s establishments in other member states.
When Is Notifying the Supervisory Authority Not Required?
Notifications to supervisory authorities do not need to be made for data breaches that are “unlikely to result in a risk to the rights and freedoms of natural persons.” For example, if a data breach involved personal data that was already publicly available, further disclosure of such data would not constitute a likely risk. Another example would be the theft of securely encrypted data where the confidentiality of the key remained intact and was not compromised by the breach. Because such data would be unintelligible to unauthorized parties, this type of breach would be unlikely to result in a risk to individuals. Note that the exception depends on the key genuinely remaining confidential: a key stored on the same stolen device, or otherwise obtainable by the attacker, does not meet this condition. If, on the other hand, the only copy of the encrypted data was lost and the controller had no backup (an availability breach), the loss itself could entail adverse consequences for individuals and would require notification.
The WP29 notes, however, that even if notification is not required initially, “this may change over time and the risk would have to be re-evaluated.” For example, if the key later turns out to have been compromised, or a flaw is discovered in the encryption software, then notification would be required. Similarly, a loss of data that takes substantial time to restore may compromise the rights of individuals and, therefore, be subject to the notification requirements even where the data were eventually recovered.
Communication to the Data Subject
Communicating personal data breaches to data subjects is mandatory “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.” WP29 explains that the higher threshold for notifying individuals is intended to protect them from “unnecessary notification fatigue.” When required, the communication should be made “without undue delay,” so that affected individuals can take steps to protect themselves from the negative consequences of the breach.
What Information Should be Communicated to Data Subjects?
The GDPR specifies that, at minimum, data controllers should provide information to data subjects on “the nature of the breach,” “name and contact details of the data protection officer or other contact point,” “the likely consequences of the breach,” and “the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.” Where appropriate, data controllers can also include specific advice to people as to how they can protect themselves.
Affected data subjects need to be communicated with “directly” unless doing so would require a disproportionate effort. In that case, a public communication or another measure that ensures data subjects are informed “in an equally effective manner” should be used. The communication regarding the breach should be “clear and transparent,” and not sent as an attachment to a newsletter or buried in other routine messages. According to the WP29, examples of transparent communication methods include email, SMS, direct messages, and prominent website banners.
While warning that a press release or blog post alone will not be an effective tool to communicate with individuals, WP29 recommends that controllers “choose a means that maximizes the chance of properly communicating information to all affected individuals.” Rather than relying on a “single contact channel,” several methods of communication may be employed. Controllers need to ensure that the communication is accessible to individuals, and may seek advice from supervisory authorities on the appropriate messages to use in their notifications and the best ways to reach the affected individuals.
When Is Notifying the Data Subject Not Required?
Notification to individuals is not required under certain conditions set forth by the GDPR. These include cases where the controller has applied “appropriate technical and organizational protection measures … that render the personal data unintelligible to any person who is not authorized to access it,” such as encryption. Notifying data subjects is also not required where the controller has taken subsequent measures “to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialize.”
Moreover, notifying data subjects is not required if it “would involve disproportionate effort” and instead another means of public communication that can inform data subjects “in an equally effective manner” is used.
Although notification of data subjects may not be required initially, “this may change over time and the risk would have to be re-evaluated.” The supervisory authority may also require the data controller to notify the data subjects if it considers that the breach is likely to result in a high risk to them. In addition, if the supervisory authority deems that a controller’s decision not to notify individuals of a data breach was not well founded, it may impose sanctions within its power on the data controller.
WP29 also notes that controllers should be aware of any breach notification requirements that may be applicable to them set out by other legislation, such as the eIDAS Regulation, the NIS Directive, the Citizens’ Rights Directive, the Breach Notification Regulation as well as professional, medical, or legal notification duties.
Assessing Risk to Determine Notification Requirements
As the WP29 explains, “risk to the rights and freedoms of individuals” is the “key trigger” for the notification requirement to the supervisory authority, while “high risk to the rights and freedoms of individuals” is the “key trigger” for communication to data subjects.
A risk exists when a data breach may lead to “physical, material or non-material damage for the individuals whose data have been breached.” Examples of such damage include “discrimination, identity theft or fraud, financial loss and damage to reputation.” When the breach involves personal data that reveals special categories of data, such as racial or ethnic origin or political opinions, such damage should be considered likely to occur.
Thus, while assessing risks, data controllers should consider “the likelihood and severity of risk to the rights and freedoms of data subjects.”
WP29 recommends that the risk assessment following a data breach consider the following criteria:
- Type of breach
- Nature, sensitivity, and volume of personal data
- Ease of identification of individuals
- Severity of consequences for individuals
- Special characteristics of individuals (e.g., children)
- Number of affected individuals
- Special characteristics of the data controller
As a general matter, the WP29 also recommends that when in doubt, “the controller should err on the side of caution and notify.”
Accountability and Record Keeping
Regardless of whether the notification requirements apply, data controllers must document all breaches. In line with the accountability principle of the GDPR, WP29 encourages data controllers to keep an internal register of data breaches. Key elements to include in these records are the facts relating to the breach, its “effects and consequences,” and “the remedial action taken by the controller.” In addition, WP29 recommends that data controllers document their reasoning for the decisions they take in response to a data breach, including the justification(s) for not notifying the supervisory authority (i.e., “reasons why the controller considers the breach is unlikely to result in a risk to the rights and freedoms of individuals”). Failure to keep such records can itself result in an administrative fine from the supervisory authority.
Conclusion
The detailed guidance provided by WP29 on data breach notifications, which outlines the obligations of data controllers and processors and provides worked examples (Annex B) as well as a flowchart of the notification requirements, will be very useful to data controllers. Failure to meet these obligations can lead to the imposition of substantial fines under the GDPR.