EU data protection body issues important new Opinion on breach notification by Belinda Doshi

24/07/2014 07:06

Summary and implications

The Article 29 Working Party (the Working Party) has issued a new Opinion on personal data breach notification that will have important repercussions for all data controllers in the European Union.

Data controllers are strongly advised to read the Opinion and to consider what changes, if any, they may wish to make to their current data protection policies and procedures.

What is the Article 29 Working Party?

The Working Party is an independent European advisory body on data protection which was set up under the Data Protection Directive 1995/46/EC (the Directive). It is made up of representatives from each of the European Union national data protection authorities, the European Data Protection Supervisor and the European Commission. Its Opinions do not have the force of law but are highly influential.

Who are data controllers?

Data controllers are companies or other bodies that – either alone or jointly with others – determine the purposes and means of processing of personal data.

What is a “personal data breach”? What is the current EU law on breach notification?

A “personal data breach” is defined in the Directive on Privacy and Electronic Communications 2002/58/EC (the e-Privacy Directive) as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community”.

The e-Privacy Directive contains the only European Union legal obligation on data controllers to notify personal data breaches. As can be seen, this applies only to a very limited category of data controllers who provide publicly available electronic communications services (each, an ECS provider) such as internet service providers. An ECS provider is obliged to notify any personal data breach to the relevant data protection authority – and also to the data subjects themselves where the breach is likely to adversely affect the personal data or privacy of the data subjects.

Where is EU data protection law heading?

There has been a growing international trend towards personal data breach notification. This has meant that certain countries such as Germany and Ireland have introduced more stringent national data breach notification requirements than those provided under the e-Privacy Directive.

The latest draft of the proposed General Data Protection Regulation (the Draft Regulation) which is anticipated to replace the Directive contains a mandatory obligation for all data controllers to notify personal data breaches. These notifications are to be made to the relevant data protection authority and to the data subjects themselves where the breach is likely to adversely affect the protection of their personal data or privacy.

What does the Opinion mean for data controllers?

The Opinion – which was adopted by the Working Party on 25 March 2014 –expands on the personal data breach notification requirement in the e-Privacy Directive. It sets out a non-exhaustive list of examples of personal data breaches which, in the opinion of the Working Party, would “adversely affect” data subjects and, therefore, require notification to data subjects. The Opinion states that the notification should be made “without undue delay” after the detection of the personal data breach. Such decisions should be made on a “case by case basis”.

The Opinion also sets out the Working Party’s views on personal data breach management. The Opinion states that: “Companies should also define in advance appropriate plans to deal with personal data breaches, which can ensure that they respond quickly and effectively to a personal data breach.”

It is important to stress that the Opinion does not have the force of law. It is only guidance. However, given the role and make-up of the Working Party, many data controllers may wish seriously to consider amending their data protection policies and procedures to reflect the Opinion. This will be an individual decision for each data controller based on their culture, values and approach to data protection compliance. To access the full text of the Opinionclick here.

Working Party approach to encryption

Finally, the Opinion contains some interesting developments on the Working Party’s approach to encryption.

Firstly, the Opinion states that: “even when data is encrypted, a loss or alteration can have negative effects for data subjects when the data controller has no adequate back-ups. In this case, notification to data subjects should still be required even with encryption protection measures in place” (our italics).

Secondly, the bar for encryption appears to be set very high. The examples given in the Opinion where notification of a personal data breach would not be required include an example where “a personal data breach only relat[es] to confidentiality, where data was securely encrypted with a state of the art algorithm, the key to decrypt the data was generated so that it cannot be ascertained by available technological means by any person who is not authorised to access the key” (our italics).

As a result, data controllers are advised to consider whether personal data breach notification is required even where encryption technologies have been used.