In May 2014, eBay announced that it had fallen victim to a cyber-attack. It stated that a large database of passwords and non-financial personal data had been compromised and advised users to change their passwords.
On 27 May 2014, the Luxembourg data protection authority, the Commission Nationale pour la Protection des Données ("CNPD"), which is competent because eBay is established in Luxembourg, announced that it was looking into the circumstances of the data breach as well as the consequences for the integrity and confidentiality of the personal data of eBay users in the EU.
The revelation of the data breach is hardly shocking, as eBay is yet another name on the long list of e-commerce businesses and other online platforms having suffered data breaches. eBay, however, has subsequently been blamed for mishandling the data breach and failing to adequately notify its clients, with the President of the CNPD labelling the incident a global disaster. The question therefore arises whether there is a better way to deal with a data breach in Luxembourg, and if so, how. This is not an easy question as Luxembourg data protection law so far does not provide for any legal framework regarding the notification of data breaches, a situation that may change in the near future.
1. Luxembourg legal framework
a) Before the breach
The Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data ("Data Protection Law") (as amended) imposes a number of obligations on a "data controller", defined as the natural or legal person which, alone or jointly with others, determines the purposes and methods of processing personal data. Under Article 22, the controller must implement appropriate security measures to prevent unauthorised access to the data and accidental or unlawful destruction or loss. Furthermore, the controller must remain in control of the security measures and must therefore, if it chooses to sub-contract processing activities, select a sub-contractor that provides sufficient guarantees of security.
Article 23 specifies that the measures required will depend on the risk of a data breach as well as on the state of the art and the cost of implementation. The controller must therefore first assess the risk that the processing activities entail, which in principle means carrying out a privacy impact assessment, and then decide on the security measures to put in place. In practical terms this means, of course, that low-level processing of publicly available information will not need measures as stringent as those required for sensitive personal information such as financial data. On the other hand, choosing to sub-contract necessarily introduces an additional risk element, and all agreements with sub-contractors must therefore be rigorously reviewed to ensure that the sub-contractor offers a sufficient level of security.
In order to verify that each controller complies with this requirement, the CNPD may request a description of the measures in place as well as of any subsequent major changes. These must be sent to the CNPD within fifteen days. Controllers must therefore ensure that they have clear documentation of their measures in order to comply promptly with such a request.
Furthermore, most personal data processing activities are subject to a general notification to the CNPD, in which the security measures must be described in general terms. Some critical processing activities, however, require prior authorisation from the CNPD (e.g., the processing of the results of monitoring the use of IT tools), in which case a more detailed description of the security measures must be provided and the CNPD will assess their sufficiency in the course of the authorisation procedure.
b) After the breach
In Luxembourg, data breach notification requirements exist only in sector specific legislation:
- Legislation applicable to telecom providers requires them to notify a breach to the CNPD within 24 hours. Where the breach is likely to adversely affect the personal data or the privacy of an individual, the telecom provider must also inform that person without undue delay. If the service provider has not informed the persons concerned, the CNPD may, after examining the circumstances of the case, require it to do so. On the other hand, if the service provider demonstrates to the CNPD that appropriate security measures had been put in place and applied to the compromised data in such a way as to render them unintelligible to anyone not authorised to access them, the service provider need not notify the persons affected. Service providers who encrypt the data may therefore not need to notify the persons concerned by a security breach, provided the encryption keys were not themselves compromised.
- According to Circular 11/504 of the CSSF, the Luxembourg financial sector supervisory authority, financial establishments have a duty to report IT attacks, and certainly so where an IT attack gives rise to an actual data breach.
The Data Protection Law itself, however, contains no provision obliging controllers to notify either the CNPD or the affected data subjects of a security breach. Nonetheless, it can be very useful to notify the breach to the CNPD (albeit informally) or to the data subjects:
- Firstly, the CNPD will be more inclined to work with the controller where the controller has demonstrated a willingness to counteract any damage that the data breach might have caused.
- Secondly, under the general principles of Luxembourg (contractual or tort) liability law, a party causing damage to another party is obliged to adopt damage-mitigating measures. This means that where the controller has suffered a data breach, it is obliged to notify the breach to the data subject if such a notification is likely to reduce the damage caused.
Once it is aware of, or suspects, a breach, the CNPD may investigate the processing activities of the controller. Under Article 32 of the Data Protection Law, the CNPD is entitled to carry out the checks necessary to ensure that the controller complies with data protection requirements, including direct access to the controller's premises. In the eBay case, for instance, the CNPD will look into the security measures that the business had in place and assess their effectiveness. Clear documentation of those measures, maintained by the controller, will therefore prove useful in responding to requests from the CNPD after a data breach.
Unlike several other national authorities in the EU, the CNPD has no power to impose financial sanctions. Article 33 of the Data Protection Law, however, grants it administrative sanctioning powers, such as a temporary or definitive ban on processing or an order to publish its decision. A ban, whether temporary or definitive, would certainly prevent the controller from effectively carrying on its business. Publication of the CNPD decision would bring the breach to the attention of affected data subjects, which increases the risk of their seeking remedies against the controller.
Additionally, the CNPD or the data subjects concerned can refer the case to the criminal authorities. Under Article 25 of the Data Protection Law, a controller found not to have implemented sufficient security measures can be liable to a prison sentence of between eight days and six months and/or a fine of between 251 and 125,000 EUR. Thus, while the CNPD itself has no power to impose fines directly, controllers may nevertheless end up having a fine imposed on them.
2. Data breaches in the rest of the Benelux
Luxembourg is not alone in needing to find an efficient way to deal with data breaches. Across the European Union, legislators and data protection authorities are increasingly looking to impose notification obligations on controllers. This is particularly true for the two other Benelux countries:
- The Dutch legislator is currently debating a bill which introduces a duty to notify the Dutch Data Protection Authority ("CBP") and the relevant data subjects in the event of a breach. The controller must immediately notify the CBP of a breach if it can reasonably be assumed that there is a significant risk of negative consequences for the protection of personal data. If the breach is likely to have adverse consequences for the data subject, the latter must also be notified immediately.
- The Belgian Data Protection Authority, the Privacy Commission, has issued a recommendation which provides for a stricter duty to notify data breaches. In the event of a breach, the Privacy Commission must be notified of the cause of the breach and the resulting harm within 48 hours. The controller must thereafter launch a public information campaign within 24 to 48 hours of the former notification. While the guidelines are merely recommendations, the Commission states that controllers are expected to strictly follow the procedures set out therein.
3. European Union Initiatives
a) Proposed General Data Protection Regulation
European Union legislation currently in the pipeline also provides for mandatory data breach notifications. The proposed General Data Protection Regulation (COM (2012) 11), as approved by the European Parliament ("EP"), requires all controllers to notify the national data protection authority without undue delay in the event of any data breach. The controller must then communicate the breach to the data subjects without undue delay if it is likely to adversely affect the protection of their personal data, their privacy, their rights or their legitimate interests. The draft Regulation provides for certain exceptions to the data subject notification requirement, notably where the national data protection authority is satisfied that the controller has implemented appropriate technological protection measures for the data in question.
Moreover, the draft Regulation provides that a controller who conducts processing activities which present specific risks, must carry out a data protection impact assessment. Examples of processing activities presenting specific risks are the processing of the personal data of more than 5,000 data subjects over a 12 month period or the processing of employee data in large scale filing systems.
The impact assessment shall take into account the entire lifecycle of the processing, thus also potential data breaches. It shall be documented and shall contain, amongst others, an assessment of the risks to the rights and freedoms of data subjects as well as a list of safeguards, security measures and mechanisms to ensure the protection of personal data. Controllers shall, furthermore, conduct periodic compliance reviews to ensure that their processing activities comply with the assurances made in the impact assessment.
If the impact assessment indicates that the processing activities involve a high degree of specific risks to the rights and freedoms of data subjects, such as by the use of specific new technologies, the controller's data protection officer, with the involvement of the national data protection authority charged with supervising the controller, should be consulted before the start of the processing activities.
The draft Regulation also provides for granting all national data protection authorities the power to impose fines. Failure to comply with the data breach notification requirements could entail a fine of up to 100,000,000 EUR or up to 5% of annual worldwide turnover.
The Council of the European Union ("Council") has not yet taken a final position on the full text. However, in December 2013, a text was made public which retained an amended version of the data breach notification requirements.
b) The Network and Information Security Directive
The much less discussed proposal for a Network and Information Security Directive (COM (2013) 48) also provides for breach notification requirements. As approved by the EP, it sets out that all market operators of critical infrastructures (such as energy, transport, banking, stock exchanges and healthcare) must notify the relevant national authority of any incident having an impact on the continuity of the service. Such an impact could, for example, consist of a data breach or theft of data. The Council has not yet adopted a position on this proposal but is expected to do so soon.
The sanctions that the CNPD could impose, both now and possibly in the future, make it clear that controllers of personal data should know how to deal efficiently with data breaches. Furthermore, considering the moves across the entire EU to make data breach notifications obligatory, controllers are advised to:
- Carry out a privacy impact/risk assessment: even where such an assessment is not (yet) formally required, it is the only way to determine whether the security measures to be put in place are sufficient.
- Maintain documentation related to security measures and keep security measures up-to-date.
- Plan in advance how to deal with a data breach.
- Inform the CNPD of the data breach: even though there is no obligation (yet) to notify data breaches, notifying the CNPD (albeit informally) will help the controller determine the potential effects of the breach, including whether the persons concerned need to be notified.