On October 3rd 2017, the EU’s Article 29 Working Party (WP29) adopted its draft ‘Guidelines on Personal data breach notification under Regulation 2016/679 [General Data Protection Regulation]’. Even though the document is still open for comments by stakeholders until November 28th, this article takes a preliminary look at the guidelines’ main takeaways and recalls the data breach obligations arising from other instruments that payment, communication and internet service providers might also have to comply with.
Published in The Paypers Market Guide
This article was published in the Web Fraud Prevention and Online Authentication Market Guide 2017/2018, an online report by The Paypers. You can learn more about web fraud prevention by downloading your free, printable PDF copy of this report HERE.
What are the guidelines about?
In general, the draft Personal data breach Guidelines attempt to (1) clarify the concept of a personal data breach, (2) explain when, how and to whom breaches need to be notified and (3) provide guidance on the assessment of data breach risks. The Guidelines also pay specific attention to (4) communication of a personal data breach to the victims and (5) the obligation to keep a record of all breaches.
Article 33(1) of the General Data Protection Regulation (GDPR) requires data controllers to notify the competent supervisory authority in case of a personal data breach, without undue delay and within 72 hours after having become aware of the personal data breach, unless the breach is unlikely to put the rights and freedoms of natural persons at risk. But when does this 72-hour period start and when can a data controller be considered ‘aware’ of the breach?
According to the WP29, a controller becomes ‘aware’ “when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”. Depending on the circumstances of the breach, this may be clear from the outset, but may at times require further examination. The WP29 clarifies that the controller will not be regarded as ‘aware’ during the short period in which it investigates whether or not a breach has occurred; nevertheless, it emphasizes that this initial investigation, to establish whether a breach has taken place, should begin as soon as possible. A more detailed investigation can follow later on.
When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must also communicate the personal data breach to the data subjects without undue delay, except where one of the conditions of Article 34(3) GDPR is met (Article 34(1) and (3) GDPR).
Data processors are also expected to notify personal data breaches. Article 33(2) of the GDPR states that if a processor becomes aware of a personal data breach affecting data it processes on behalf of the controller, it must notify that controller without undue delay. Since the GDPR does not set an explicit time limit for this, the WP29 recommends that processors notify the controller immediately. Moreover, the WP29 mentions that, in principle, once the processor has become aware, the controller should be considered aware as well (and, as a consequence, the 72-hour countdown starts). It is therefore of great interest to data controllers to take these considerations into account when contracting with data processors.
The WP29 emphasizes that in order to prevent, detect, react to and address a breach, data controllers should have internal processes and suitable measures in place (e.g. data flow and log analysers), including incident response plans.
When is notification (not) needed?
The GDPR doesn’t require data controllers to notify every personal data breach. The competent supervisory authority should be notified only “where a breach is likely to result in a risk to the rights and freedoms of individuals”. The threshold for communicating a breach to data subjects is even higher, says the WP29: a personal data breach should be communicated to the data subjects only if it is likely to result in a high risk to the rights and freedoms of individuals. The data controller thus carries a major responsibility for assessing the potential risk resulting from an incident. The WP29 therefore recommends that the following criteria be taken into account when assessing the risk:
- The type of breach
- The nature, sensitivity and volume of personal data
- Ease of identification of individuals
- Severity of consequences for individuals
- Special characteristics of the individual
- The number of affected individuals
- Special characteristics of the data controller.
The WP29 stresses furthermore that in case of doubt, the controller should err on the side of caution and notify the potential breach. It also reminds controllers that while notification may initially not be required if there is no potential risk to the rights and freedoms of individuals, this may change over time and the risk would then have to be re-evaluated.
Which information should be provided?
When a controller decides to notify a breach to the supervisory authority, it should, in accordance with Article 33(3) GDPR, “at the minimum (a) describe the nature of the personal data breach […], (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained, (c) describe the likely consequences of the personal data breach, and (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”
When describing the nature of the personal data breach, the GDPR requests, if possible, to include the categories and approximate numbers of data subjects and personal data records concerned. While the GDPR does not further define these categories, the WP29 suggests that the categories of data subjects may include, amongst others, children and other vulnerable groups, people with disabilities, employees, customers and more.
With regard to categories of personal data records, it refers to different types of records, such as health data, educational records, social care information, financial details, bank account numbers, passport numbers and so on. The WP29 also explains that the controller may, if necessary, choose to provide further details on the breach that go beyond what Article 33(3) requires. For instance, a controller may find it useful to name its processor if the processor is the root cause of the breach.
The GDPR recognizes that controllers will not always have all of the necessary information concerning a breach within 72 hours of becoming aware of it, and thus allows for notification in phases (for example, in the case of more complex breaches, such as cyber security incidents). A follow-up with additional information is hence permissible, the WP29 says, if the controller informs the supervisory authority at the time of the first notification that more information will be provided later on, and if the controller gives reasons for the delay (as required by Article 33(1)). Delayed notification is also permissible when, upon investigating a breach, the controller discovers several similar breaches with different causes. To avoid being overly burdensome, the controller may in that case submit a ‘bundled’ notification covering all those breaches, provided that they concern the same type of personal data, breached in the same way. This should nevertheless remain the exception, not the rule.
A follow-up investigation may reveal evidence that the security incident was contained and that no actual breach occurred. In such a case, the controller can update the supervisory authority, and there will be no penalty for having reported an incident that ultimately did not constitute a breach, the WP29 stresses.
When communicating a breach to individuals, Article 34(2) of the GDPR specifies that the communication shall at least provide the following information: a description of the nature of the breach, the name and contact details of the data protection officer or other contact point, a description of the likely consequences of the breach, and a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
And to whom?
According to article 33(1) of the GDPR, personal data breaches that are likely to result in a risk to the rights and freedoms of individuals need to be notified to the competent supervisory authority.
Nevertheless, whenever a breach affects the personal data of individuals in more than one Member State (e.g. in the case of cross-border processing) and notification is due, the controller will need to notify the lead supervisory authority. If the controller has doubts about the identity of the lead supervisory authority, it should at least notify the local supervisory authority of the place where the breach has taken place. This should, according to the WP29, be kept in mind when drafting data breach response plans.
Personal data breaches that are likely to result in a high risk to the rights and freedoms of individuals, on the other hand, should, under certain circumstances and also without undue delay, be communicated to the affected individuals. ‘Undue delay’ here, once again, means ‘as soon as possible’, the WP29 clarifies. Furthermore, the WP29 indicates that breaches should be communicated to the victims in a clear and transparent way, through dedicated messages. Examples of such communication include direct messaging (e.g. email, SMS, direct message), prominent website banners or notifications, postal communications and prominent advertisements in print media. A mere press release or corporate blog post will not suffice. The WP29 also explains, not surprisingly, that controllers should ensure that the communications are accessible in alternative formats and relevant languages, and that the means of communication should, in general, maximize the chance of properly reaching the victims.
The GDPR requires controllers to document all breaches, regardless of whether or not the breaches need to be notified. In this respect, the WP29 encourages controllers to establish an internal register of breaches, even where notification is not due. In addition, the WP29 recommends that data controllers keep a record of their reasoning for the decisions taken in response to a breach and, when a breach is not notified, the justification for that decision. Failure to properly document a breach allows the supervisory authority to exercise its powers and impose an administrative fine, the WP29 notes.
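The rules described above (the 72-hour clock starting at awareness, processor awareness counting as controller awareness, phased notification with reasons for delay, re-evaluation of risk over time, and a written record of every decision) are exactly what an incident response runbook has to encode. The following Python sketch is an added example of how a breach register might do that; it is not code from the WP29, from The Paypers or from the article’s author. The risk labels ‘unlikely’, ‘risk’ and ‘high’, the class and function names and the incident timeline inside `demo()` are all the example’s own assumptions, constructed for illustration.

```python
"""Breach register sketch for an incident response runbook.
Added example: not from the WP29 guidelines or the article. The risk labels,
names and the timeline in demo() are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

WINDOW = timedelta(hours=72)                 # Art. 33(1): notify the SA within 72 hours of awareness
RISK_LEVELS = ("unlikely", "risk", "high")   # assumed labels for the Art. 33 / Art. 34 thresholds


def controller_aware_at(processor_aware: Optional[datetime], controller_aware: datetime) -> datetime:
    """WP29: once the processor is aware, the controller is in principle aware too,
    so the 72-hour clock starts at the earlier of the two timestamps."""
    if processor_aware is not None and processor_aware < controller_aware:
        return processor_aware
    return controller_aware


@dataclass
class Breach:
    ref: str
    aware_at: datetime          # timezone-aware; the 72-hour clock starts here
    risk: str                   # one of RISK_LEVELS
    log: list = field(default_factory=list)   # Art. 33(5) record: facts, effects, decisions

    def __post_init__(self) -> None:
        if self.aware_at.tzinfo is None:
            raise ValueError("use timezone-aware timestamps so the deadline is unambiguous")
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {self.risk!r}")

    @property
    def deadline(self) -> datetime:
        return self.aware_at + WINDOW

    def must_notify_authority(self) -> bool:
        return self.risk in ("risk", "high")          # Art. 33(1) threshold

    def must_communicate_to_subjects(self) -> bool:
        return self.risk == "high"                    # Art. 34(1) threshold

    def record(self, at: datetime, entry: str) -> None:
        """Every fact and decision goes in the register, notified or not."""
        self.log.append((at, entry))

    def reassess(self, at: datetime, risk: str, reasoning: str) -> None:
        """Risk may change as the investigation proceeds; keep the old level and why it changed."""
        if risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {risk!r}")
        self.record(at, f"risk re-evaluated {self.risk} -> {risk}: {reasoning}")
        self.risk = risk

    def notify_authority(self, at: datetime, complete: bool, reason_for_delay: str = "") -> str:
        """Phased notification: an incomplete first notification is acceptable if the SA is
        told more follows; a notification after the deadline must carry reasons (Art. 33(1))."""
        late = at > self.deadline
        if late and not reason_for_delay:
            raise ValueError(f"{self.ref}: past {self.deadline.isoformat()} with no reason for delay")
        status = "complete" if complete else "initial, further information to follow"
        entry = f"notified SA ({status})" + (f"; late: {reason_for_delay}" if late else "")
        self.record(at, entry)
        return status


def demo() -> dict:
    """Constructed timeline (sample data, not a real incident) exercising each rule."""
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)   # processor detects the compromise
    t1 = t0 + timedelta(hours=5)                            # processor informs the controller
    aware = controller_aware_at(t0, t1)                     # clock starts at t0, not t1
    b = Breach("BR-2018-001", aware, "unlikely")
    b.record(aware, "processor reports copied customer table; backup was encrypted, key believed safe")
    b.reassess(t1 + timedelta(hours=20), "high", "key found in the same dump: account numbers readable")
    first = b.notify_authority(t1 + timedelta(hours=30), complete=False)
    try:                                                    # late follow-up without reasons is refused
        b.notify_authority(aware + timedelta(hours=80), complete=True)
        late_without_reason = "accepted"
    except ValueError:
        late_without_reason = "rejected"
    second = b.notify_authority(aware + timedelta(hours=80), complete=True,
                                reason_for_delay="forensic images of three hosts still under analysis")
    return {
        "clock_starts_at_processor_awareness": aware == t0,
        "deadline": b.deadline.isoformat(),
        "notify_sa": b.must_notify_authority(),
        "tell_subjects": b.must_communicate_to_subjects(),
        "first": first,
        "second": second,
        "late_without_reason": late_without_reason,
        "log_entries": len(b.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The register deliberately refuses a late notification that carries no reasons rather than silently recording it, so the gap the supervisory authority will ask about is caught by the tool and not by the regulator; the same log also serves as the Article 33(5) record, whether or not the breach is ultimately notified.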
If controllers fail to notify a breach even though all the conditions for notification are met, an administrative fine can be imposed, as well as other corrective measures. This fine can amount to up to EUR 10 000 000 or 2% of the total worldwide annual turnover of an undertaking, whichever is higher. In some cases, a breach also reveals the absence or inadequacy of security measures. Such a situation would allow the supervisory authority to impose a separate sanction for the absence or inadequacy of those security measures.
As these are, in the WP29’s opinion, two separate infringements, each could attract a fine of up to 2%. As a consequence, 4% of an undertaking’s worldwide annual turnover could be at stake.
In this context, it has to be pointed out that on October 3rd 2017, the WP29 also adopted its final “Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 [General Data Protection Regulation]”. This document provides guidance for supervisory authorities when assessing non-compliance with the GDPR by data controllers. Noteworthy is that these Guidelines attach great importance to the Data Protection Officer: the WP29 states in particular that unlawful data processing “in spite of advice from the data protection officer” may be considered “intentional” and can therefore result in higher fines. Another important element relates to the term ‘undertaking’ in the context of administrative fines. The WP29 explicitly recognizes that an ‘undertaking’ should be interpreted in the economic sense, and thus covers the parent company as well as all involved subsidiaries. This can be very important to companies, since it will often raise the basis (total worldwide annual turnover) on which a fine is calculated. Unfortunately, more specific guidance on the amount of fines is outside the scope of these Guidelines; they do, however, indicate that “detailed calculation work” will likely be addressed in a subsequent set of guidelines.
Data breach obligations under other instruments
Lastly, the WP29 stresses in its Guidelines on Personal data breach notification that controllers should be aware of other legal instruments that may entail notification obligations in case of personal data breaches. It briefly refers to obligations under the eIDAS Regulation, the NIS Directive, the Citizens’ Rights Directive and the Breach Notification Regulation.
Since the WP29 only briefly mentions these other legal instruments, a broader but brief overview of the various EU rules and regulations that impose mandatory breach notification to a regulator is in order.
First of all, the ePrivacy Directive 2002/58, later amended by the so-called Cookies Directive 2009/136, requires providers of electronic communication services, such as telcos and ISPs, to notify their competent national authorities of any personal data breach without undue delay. Notification of the victims may sometimes also be required.
Following this example, from 25 May 2018 on, the General Data Protection Regulation will, as discussed extensively above, oblige data controllers to notify personal data breaches to the data protection authority within 72 hours and, in some cases, to communicate them to the victims without undue delay. These obligations should be read together with the Guidelines on Personal Data Breach Notification, which are the core topic of this article.
Regarding the telecoms sector, Regulation 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC imposes a duty on providers of electronic communication services to notify national authorities and individuals of personal data breaches. The regulation sets out the conditions under which notification must be made and provides a basic template for such notifications.
In addition to the GDPR’s data breach notification requirements, some companies, more specifically operators of essential services and digital service providers, will also have to comply with the security incident notification requirements of the Network and Information Security Directive (NIS Directive). This directive may apply to telcos or to payment and settlement systems. Some customers of a payment service provider may themselves fall within the scope of the NIS Directive, in which case such customers are likely to impose a contractual obligation on their PSP to notify them of breaches.
Payment service providers will likewise have to comply with the EBA’s Guidelines on major incident reporting under PSD2. These guidelines will enter into effect on January 13th 2018 and establish the criteria that PSPs should use to assess whether an operational or security incident qualifies as major and must be reported.
Lastly, companies that provide trust services (such as electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and certificates) must comply with the regulation on electronic identification and trust services (Regulation (EU) No 910/2014, referred to as eIDAS). This regulation requires trust service providers to assess risks, take appropriate security measures to mitigate those risks and notify the supervisory body of significant incidents and breaches.
The obligations placed on payment, communication and internet service providers in the event of a personal data breach are manifold and weighty. In the near future, companies will often have to comply with several breach notification rules at the same time and, as a consequence, may be obliged to report the same incident to several authorities.
1. An advisory body consisting of representatives from the data protection authorities of all EU member states, the European Data Protection Supervisor and the EU Commission.
2. See WP29 Guidelines for identifying a controller or processor’s lead supervisory authority, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=44102
3. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, O.J. L 337/11, 18 December 2009.
4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), O.J. L 119, 4.5.2016, p. 1– 88.
5. Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications, O.J. L 173, 26.6.2013, p. 2–8.
6. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, O.J. L 194, 19.7.2016, p. 1–30.
7. EBA Guidelines on major incident reporting under PSD2 (EBA-GL-2017-10), available at: https://www.eba.europa.eu/documents/10180/1914076/Guidelines+on+incident+reporting+under+PSD2+%28EBA-GL-2017-10%29.pdf
8. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, O.J. L 257, 28.8.2014, p. 73–114.