In this fifth article in our series on "Big Data & Issues & Opportunities" (see our previous article here), we focus on some of the breach-related obligations in a big data context. Where relevant, illustrations from the transport sector will be provided.
In the present article, we will look into the breach-notification obligations under the General Data Protection Regulation ("GDPR") and the Network and Information Security Directive ("NIS Directive"). Subsequently, we will also look into breach notification obligations in the telecommunications sector.
Data breach notification obligation under the GDPR
The breach-related obligations under the GDPR apply whenever personal data is processed (see our second article on Privacy & Data Protection for the definitions of "processing" and "personal data"). Considering that big data analytics in particular may entail massive personal data processing operations, there is little doubt that these GDPR data breach notification obligations will apply to the processing of personal data in a big data context.
The GDPR requires the notification to the supervisory authority, without undue delay and in any case within 72 hours of “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
It follows from this definition that many types of security incidents will qualify as personal data breaches within the meaning of the GDPR. It moreover goes without saying that breaches in the context of new technologies, including big data, are not hypothetical. Organisations will therefore have to abide by the strict obligations relating to the notification of such incidents to the competent data protection authorities across the EU (and potentially to other competent authorities across the world in the case of certain large breaches).
The table underneath provides an overview of the EU notification obligations imposed by the GDPR on the different actors involved:
It is worth recalling that anonymisation techniques, as discussed in our third article, can serve as mechanisms to release data controllers from certain specific obligations related to personal data breaches, namely:
- Notification of a personal data breach to the supervisory authority is not required when the data controller is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Although the GDPR is not explicit on this point, it can reasonably be argued that a breach of anonymised or pseudonymised data is less likely, or even unlikely, to result in a risk to the rights and freedoms of natural persons.
- Communication of a personal data breach to the data subject shall not be required if the controller has implemented appropriate technical and organisational protection measures, which were applied to the personal data affected by the breach. The GDPR indeed mentions in particular "those [measures] that render the personal data unintelligible to any person who is not authorised to access it, such as encryption."
Incident notification obligation under the NIS Directive
Under the NIS Directive (see also our previous article here), operators of essential services ("OES") and digital service providers ("DSPs") must notify, without undue delay, the National Competent Authority ("NCA") or the Computer Security Incident Response Team ("CSIRT") of incidents having a significant impact on the continuity or provision of their services.
On the basis of the NIS Directive, the factors to be considered when determining whether the impact of an incident is significant are the following:
Given its nature as a directive, the NIS Directive is not directly applicable in the EU Member States but needs to be implemented in the legal order of each Member State. It can therefore be expected that there will be differences in the implementation of the security incident notification obligations between the EU Member States, including on the concrete application of the above factors.
This being said, in addition to the above general rules included in the NIS Directive, the following clarification documents have been published at EU level:
- With respect to operators of essential services:
  - “Reference document on Incident Notification for Operators of Essential Services – Circumstances of notification”, published by the NIS Cooperation Group in February 2018. This document details the incident notification scheme for OES as well as the parameters used to measure the impact of incidents. It also examines the intricacies of cross-border situations and the interplay of the NIS Directive with notification requirements in other legislation (including the GDPR).
  - “Reference document on Incident Notification for Operators of Essential Services – Formats and procedures”, published by the NIS Cooperation Group in May 2018. This document provides (non-binding) guidance to national competent authorities and CSIRTs with regard to formats and procedures for the notification of incidents by OES, to facilitate alignment in the implementation of the NIS Directive across the EU.
- With respect to digital service providers:
  - Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of the [NIS Directive] as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact. This Regulation notably clarifies four situations in which digital service providers are required to notify the relevant national competent authority or CSIRT: (i) if the digital service is unavailable for more than 5 million user-hours in the EU; (ii) if more than 100,000 users in the Union are impacted by a disruption; (iii) if the incident has created a risk to public safety, public security or of loss of life; (iv) if the incident has caused material damage of more than €1 million.
  - “Guidelines on notification of Digital Service Providers incidents Formats and procedures”, published by the NIS Cooperation Group in June 2018. This document provides non-binding technical guidance to national competent authorities and CSIRTs with regard to formats and procedures for the notification of incidents by DSPs, to facilitate alignment in the implementation of the NIS Directive across the EU.
  - “Incident notification for DSPs in the context of the NIS Directive”, a report published by ENISA on 27 February 2017. This report includes a comprehensive guideline on how to implement incident notification for DSPs.
Furthermore, some complex situations involving DSPs and OES may arise and require putting in place adequate (contractual) mechanisms. For instance, in case an operator of essential services depends on a digital service provider for the provision of such essential services, any significant impact on the continuity of those services due to an incident affecting the digital service provider must be notified by that operator. The NIS Directive remains however silent as to whether, in such circumstances, the digital service provider is obliged to notify such incident to the operator of essential services. It is therefore to be expected (and highly recommended) that the operator of essential services would require such notification by the digital service provider contractually.
Finally, it is worth noting that the notified NCA or CSIRT shall inform other Member States affected. In such case, the NCA, the CSIRT and the single point of contact shall ensure that the service provider's security and commercial interests are safeguarded and that the information provided remains confidential. The NCA or CSIRT may also decide – after consultation of the notifying operator – to inform the public, where such public awareness would be necessary to prevent or manage an incident.
Operators of essential services or digital service providers that do not comply with the security incident notification obligations laid down by the national provisions adopted pursuant to the NIS Directive may be subject to a penalty, which is to be determined by each EU Member State at national level. Pursuant to Article 21 of the NIS Directive, such penalty must be effective, proportionate and dissuasive.
Breach notification obligations in the telecommunications sector
The Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “e-Privacy Directive”) was the first EU-wide legislative instrument to impose data breach notification obligations. Pursuant to the Directive, publicly available electronic communication service providers (hereinafter “PECS providers”) must, if they suffer a breach of security that leads to personal data being lost or stolen, inform the national authority and, in certain cases, the subscriber or individual.
Regulation 611/2013 on the measures applicable to the notification of personal data breaches (the “Data Breach Notification Regulation”) lays down the circumstances in which PECS providers must notify personal data breaches, the format of such notification and the procedure to follow. Taking into account its nature as a Regulation, the Data Breach Notification Regulation has direct effect in all EU Member States, rendering any national implementation measures unnecessary.
The e-Privacy Directive is currently being reviewed in the framework of the EU Digital Single Market strategy. In this respect, the EU Commission held a public consultation, the report of which was made available in August 2016. In its 'Opinion 03/2016 on the evaluation and review of the ePrivacy Directive', the Article 29 Working Party notably recommended removing the provisions relating to breach notification from the e-Privacy Directive given their “overlap” with the breach notification obligations under the GDPR (see above). On 10 January 2017, the EU institutions adopted a draft e-Privacy Regulation, which would be directly applicable in all EU Member States. The latest version of the draft does not contain a data breach notification obligation as such, which is justified by the fact that the GDPR will apply to PECS providers.
In recent years the EU has made significant progress in terms of cybersecurity and related incident notification requirements. While it started with specific and scattered initiatives in certain sectors (e.g. telecommunications), the EU-related legal landscape has evolved, notably due to the Cyber Security Strategy and the NIS Directive.
It follows that organisations facing a security incident may need to notify it to one or more national competent authorities. Whether authorities must be informed will however depend on the criteria laid down in the applicable legislation, as clarified by the guidance documents published at EU and national level. Accordingly, the various actors of the data value chain need to implement measures, procedures and policies in order to abide by the strict notification requirements and be prepared to provide the necessary information to the authorities, all within the imposed deadlines. Such requirements will also need to be adequately reflected in the various contracts between the stakeholders involved in the chain in order to address properly any incident that may occur.