The Article 29 Working Party (the “Working Party”) recently published an Opinion on Personal Data Breach Notification which provides guidance on when individuals should be notified of a security breach that affects their personal data.
Currently, Directive 2002/58/EC, as amended by Directive 2009/136/EC (the “e-Privacy Directive”) (which was introduced into Irish law by the e-Privacy Regulations 2011 (S.I. 336 of 2011)), contains the only EU-wide personal data breach notification requirement. Under the e-Privacy Directive, providers of publicly available electronic communications services are required to inform individuals of a security breach that is likely to adversely affect the personal data or privacy of that individual. In Ireland, all other data controllers are subject to the Data Protection Commissioner’s Personal Data Security Breach Code of Practice, under which they should give immediate consideration to informing individuals whose personal data is, or may be, affected by a security breach.
The Opinion provides that all data controllers should adhere to the requirement under the e-Privacy Directive to inform individuals of a security breach that is likely to adversely affect the personal data or privacy of that individual and provides guidance on how data controllers should interpret this ‘adverse effect’ test. The Working Party recommends that data controllers should take into account all potential consequences and potential adverse effects on the individual when considering whether the personal data security breach requires notification to the affected individual.
The Opinion also emphasises the importance of data controllers having in place appropriate security measures to minimise personal data security breaches and appropriate procedures to manage such breaches where they occur. Under the Opinion, a data controller will not be required to notify individuals of a personal data security breach if, following notification to the relevant data protection regulator, it can satisfactorily demonstrate that it has implemented appropriate technological safeguards to render the affected personal data unintelligible to any person who is not authorised to access it. The Working Party also makes clear that the number of people affected by the personal data security breach should not affect the decision as to whether notification to the affected individuals is required.
The Opinion also sets out seven practical examples of personal data security breaches that would require notification to the affected individuals. Each example identifies the potential consequences of the personal data security breach and details security measures that might have reduced the possibility of the security breach occurring or might have removed the need to notify the affected individual.
Although the Opinion does not impose any legal obligations on data controllers, compliance with its guidance on breach notification is regarded as good practice for all data controllers. EU data controllers look set to become subject to EU-wide personal data breach notification requirements under the General Data Protection Regulation (the “Regulation”), which is expected to be adopted next year. By introducing measures to adhere to the Opinion now, data controllers will be in a much improved position to comply with the anticipated personal data breach notification requirements under the Regulation once they become effective.
The Opinion may also be viewed as providing data controllers with useful insight into what data protection regulators will expect from them in order to comply with the Regulation’s anticipated personal data breach notification requirements.