Last week the Article 29 Data Protection Working Party released updated guidelines in relation to personal data breach notifications and automated individual decision-making and profiling under the General Data Protection Regulation. This alert focuses on the key updates to personal data breach guidelines.

Our thoughts on the revised automated decision-making and profiling guidelines will follow in a separate alert. 

Key updates to the guidelines on personal data breach include:

  • A welcome and helpful clarification that controllers are only considered ‘aware’ of a breach which has occurred in their supply chain when the relevant supplier (processor) informs the controller of the breach. The previous guidance stated that controllers were aware once their supplier was aware (whether the supplier informed them of the breach or not), which was entirely impractical. The significance of ‘awareness’ is that this concept triggers the start of the clock for notifying the relevant supervisory authority under Article 33(1) GDPR. Controllers must notify ‘without undue delay and, where feasible, not later than 72 hours after having become aware’.
  • A clarification that with respect to the obligation on processors to notify controllers of personal data breaches ‘without undue delay’ (Article 33(2) GDPR), the processor should notify when it has established that a breach has occurred; the processor does not need to assess the likelihood of risk arising from the breach as this is a requirement for the controller. In combination with the clarification that controllers are not automatically deemed to be aware once the processor is aware, this is likely to result in slightly softer notification obligations on processors in supply chain agreements, moving away from ‘immediate’ notification requirements to notification ‘without undue delay’.
  • An increased prominence and focus on Recital 87 GDPR which states that:

    ‘It should be ascertained whether all appropriate technical protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject…’

    concluding in particular that this places an obligation on controllers to be aware of any breaches in a timely manner so that they can take appropriate action. Practically, this is likely to require a combination of: technology (e.g. state of the art threat detection and data loss prevention applications); appropriately trained staff who know how to recognise a threat and how to respond; clear procedures and policies to ensure prompt and consistent risk assessments can be made to allow controllers to notify supervisory authorities and regulators where required, plus regular training and effective governance.

  • A helpful clarification that planned system maintenance (which may lead to a temporary loss of access to personal data for example) is not a personal data breach. Although not addressed in the guidelines, presumably emergency system maintenance or maintenance falling outside agreed maintenance windows may be a personal data breach. This point will need to be carefully considered when drafting system support and maintenance agreements.
  • Confirmation that where controllers or processors not established within the EU are nevertheless caught by GDPR by virtue of Article 3(2) or 3(3) (i.e. where they are offering goods or services to data subjects in the EU and/or monitoring the behaviour of data subjects as far as their behaviour takes place within the EU, or where GDPR applies by virtue of public international law), then GDPR will apply, including with respect to data breach notifications. The guidelines provide a helpful recommendation that in the case of such controllers, they should notify the supervisory authority ‘in the Member State where the controller’s representative in the EU is established’ which also suggests that there may be an opportunity to forum shop when deciding where to appoint an EU representative.
  • Another welcome clarification relates to the dilemma multinational organisations often find themselves in when they are tipped off by a law enforcement agency outside of the EU that they have been hacked with an obligation not to tell anyone while the law enforcement agency completes their investigation. This creates a conflict with GDPR requirements to notify data breaches without undue delay (and indeed with breach notification requirements under other laws and regulations such as PSDII). With respect to the obligation in Article 34(1) GDPR to notify high risk breaches to affected data subjects without undue delay, the guidelines refer to Recital 88 which states that notification of a breach should:

    ‘take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach’ noting that ‘this may mean that in certain circumstances, where justified, and on the advice of law-enforcement authorities, the controller may delay communicating the breach to the affected individuals until such time as it would not prejudice such investigations. However, data subjects would still need to be promptly informed after this time.’

  • Although welcome, the guidelines still leave open the conflict with respect to the obligation to notify supervisory authorities which may also be a breach of commitments made to law enforcement agencies (or local laws). Notably, Recital 88 is not limited to notifications to individuals and could be read more widely to apply to any notification that may prejudice an investigation by law enforcement (though the guidelines apply it narrowly to notifications to individuals only). It also remains to be seen how supervisory authorities will treat advice from non-EU based law enforcement agencies (such as the FBI). Will a recommendation or requirement of the FBI or US law be sufficient to trigger this exception? The practical solution here may be to try to negotiate with the relevant law enforcement authority to agree, at the very least, the right to inform supervisory authorities of personal data breaches.
  • An acknowledgement that the GDPR does not specify a period of retention for documentation of breaches, together with a clarification that it is incumbent on the controller to determine an appropriate period of retention in accordance with the principles relating to the processing of personal data and to meet a lawful basis for processing, also taking into account that it must retain documentation insofar as it may be called to provide evidence of compliance with Article 33(5) or with the accountability principle.
  • Guidance that if a breach affects data subjects that the controller has not previously interacted with or who reside in a different Member State/non-EU country from where the controller is established, communication in the local language could be acceptable.
  • A statement that:

    “The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement”.

  • A recommendation that the contractual arrangements between joint controllers include provisions that determine which controller will take the lead on, or be responsible for, compliance with the GDPR’s breach notification obligations.