Data breaches – what can we expect from the EU?

In January 2012, the European Commission unveiled its draft data protection Regulation (Regulation), intended to update and harmonise EU data protection law. Three years later, the draft is still being hotly debated. The European Parliament has approved its own proposals and the European Council has published provisional proposals on parts of the Regulation. The Regulation has been described as the most lobbied legislation in EU history and few issues have caused more consternation than the proposals around dealing with data security breaches.

Under the current draft of the Regulation there would be mandatory reporting of data security breaches. Organisations would have to inform the relevant data protection authority (DPA) of a breach "without undue delay and, where feasible, not later than 24 hours of becoming aware of it". In addition, they would then have to inform data subjects "without undue delay" unless the relevant DPA was satisfied that the data was sufficiently protected from being accessed by an unauthorised user, for example, by encryption. Data processors would be subject to the still more onerous requirement to inform data controllers "immediately" of any data security breach.

What are the issues?

Most obviously, in the Commission's draft, there are no exceptions to the requirement to notify data security breaches to DPAs. This means that every security breach, no matter how insignificant, would, in theory, have to be reported. Not only would this place a huge administrative burden on organisations, the EC does not appear to have thought about how DPAs would process, much less act on, this information. In addition, in order to comply with the time frames, data controllers are likely to have to provide incomplete notifications to be supplemented at a later date, thereby adding to the administrative burden for all concerned.

There is nothing in the Commission's draft which stipulates how DPAs are supposed to deal with notifications of security breaches. Despite the tight time constraints on data controllers and processors, there are no time limits within which the DPA needs to respond. This is particularly important given the stipulation in Article 32 of the Regulation that it is unnecessary to inform a data subject of a breach if the controller can demonstrate to the DPA that the data was encrypted or otherwise protected from access. Another issue with the lack of guidance to DPAs on response times is the possibility of the DPA coming back on a data security breach long after it has been dealt with by the data controller.

With an increased administrative burden come increased costs. Again, these would be felt both by businesses and by DPAs (or in other words, Member States). In its impact assessment of the Regulation, the UK's Ministry of Justice highlighted the data security breach notification requirements as adding a potential £104m to the compliance bill.

Where are things headed?

It does seem highly likely that there will be some watering down of the data security breach reporting requirements in the next draft of the Regulation. With considerable pushback from the DPAs as well as from business and Member State governments, the EC has said it will look again at the proposals. Other regulation applicable to data breaches is less draconian, as are alternative proposals coming from the European Parliament and the Council.

The Regulation on notification of personal data breaches by public electronic communications service providers

Some clues as to the direction the EC is ultimately likely to take may be found in the new Regulation on notification of personal data breaches by public electronic communications service providers (Regulation 611/2013). While the breach reporting requirements mirror those of the Regulation in many ways, there are some subtle but significant differences.

Regulation 611/2013 has been introduced under technical implementing measures set out in the Privacy and Electronic Communications Directive and applies to providers of publicly available electronic communications services in the EU.

Companies subject to Regulation 611/2013 are required to notify their national competent authority within 24 hours of any personal data breach. They are required to give certain information about the breach including the date and time of the incident, the number of people affected and the sensitivity of the relevant data. If not all the information is available, they can supply it within a further three-day period after the initial 24-hour period. If they still cannot give all the required information after that, they need to supply a "reasoned justification" for their failure to do so.

Relevant service providers also have to inform individuals of data breaches "without undue delay" where the breach "is likely to adversely affect the personal data or privacy" of those individuals. In assessing whether a breach needs to be notified to data subjects, factors like the sensitivity of the data, the circumstances of the breach and the recipient of the data will be relevant. Companies are exempt from requirements to notify data subjects if they can show they were using certain protective technological measures. The EC will be publishing a definitive list of these.

On the plus side, the assessment about whether to notify data subjects of a breach is left to the data controller rather than to the regulatory authority. In addition, a definitive list of technological measures which would exempt a data controller from the requirement to notify data subjects is sensible. However, while Regulation 611/2013 does show some relaxation on timing of breach notifications to regulators, compared with the current provisions in the Regulation, the time frames remain tight and there is still no exemption for breaches of a minor nature.

The European Parliament's draft

After protracted negotiations, the European Parliament adopted its proposed changes to the Commission's draft Regulation towards the end of 2013, and the breach reporting provisions had indeed been somewhat watered down. The revised Article 31 states that a data controller has to report a breach to the supervisory authority "without undue delay" and the requirement to do so within 24 hours has been removed. The requirement on the processor to inform the controller of a breach has been changed from "immediately" to "without undue delay". Information regarding the breach can also "if necessary, be provided [to the regulator] in phases". It is interesting that the corresponding Recital to Article 31, Recital 67, has been amended so that the duty to report a breach to the supervisory authority within 24 hours has been changed to 72 hours. The Recitals serve to provide guidance on interpretation of the Articles of legislation. The 72 hour time limit is, confusingly, not set out in the Article itself, so it is unclear as to how much force it has. The supervisory authority is required to keep a public register of the types of breaches notified.

In terms of Article 32, which deals with reporting data breaches to data subjects, there were no significant changes proposed, other than a slight extension of the circumstances under which data breaches need to be reported to include any adverse impact on the "rights or legitimate interests of the data subject".

The European Council's proposals

The Council has published its proposed compromise text for certain parts of the Regulation. It is important to note that these parts will not be agreed until there is agreement on the entire text.

The proposals for changes to Articles 31 and 32 go further than those made by the Parliament (perhaps unsurprisingly). Like the European Parliament, the Council suggests that data breaches be reported to the supervisory authority "without undue delay and, where feasible, not later than 72 hours of becoming aware of it". The Council does, however, also include a qualification on the nature of the breaches which warrant reporting, saying that only a data breach "likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, [breach of ... pseudonymity], damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage" need be reported. In addition, no notification to a supervisory authority is required unless notification of the data subject is also required.

Article 32 contains the same qualification on the type of data breaches which need to be reported to data subjects as that in Article 31. In addition, the data subject does not need to be notified of the breach if the data controller has implemented appropriate technological and organisational protection measures in relation to the data. The Council adds that this includes encryption and then introduces the concept that there need be no notification where the controller has taken subsequent measures to ensure that the high risk to data subjects is no longer likely to materialise. The requirement for the DPA to say whether or not these measures are sufficient to exempt the breach from notification has been deleted. The Council also allows for notification of data subjects by a public communication if it would involve disproportionate effort to notify individually.

The Council's proposals do address the issue of what to do in case of minor or insignificant breaches but still fail to place any obligations on DPAs in terms of the timing of their response. However, this is a more sensible risk-based approach which places the onus on data controllers to make their own decisions as to when notification is required.

What next?

We still need to wait for the next official draft of the Regulation to see whether the lobbying has paid off and the data security breach reporting requirements become more realistic. This will only happen after the Council draft is officially approved and following trialogues between the Commission, the Parliament and the Council to rationalise the different proposals. The Council's current proposals are significantly different to those of the Commission and the Parliament. It's the Council which holds the real power in the game but it's unclear who will win on this issue.