Cyber-attacks have become a frequent theme in the daily news. In Germany, the attacks on Deutsche Telekom and on the parliament, the Deutsche Bundestag, have shown that companies and institutions are a regular and prime target for hackers. Cyber incidents such as the attacks on Yahoo, Sony and many others show that criminals are especially interested in personal user information.
In the case of such data breaches, companies have to notify the responsible supervisory authority and the data subject pursuant to German data protection law. Those provisions are currently found in Section 42a of the German Federal Data Protection Act (BDSG). In order to strengthen and unify data protection law within the European Union, the European Parliament and the European Council adopted the new General Data Protection Regulation (GDPR) in April 2016; it will apply as of 25 May 2018.
In its Articles 33 and 34, the GDPR defines the obligations to notify the supervisory authority and the data subject after a data breach has taken place. As a regulation, the GDPR is binding in its entirety and directly applicable in all member states of the European Union. All national laws that fall within the GDPR's scope will be replaced by the regulation. After 25 May 2018, Section 42a BDSG will therefore no longer be applicable. German (and other European) companies dealing with personal data thus face a new legal framework for how to react to a data breach.
The relevant provision to date, Section 42a BDSG, states that private and public bodies have to notify both the responsible supervisory authority and the data subject if the body determines that special types of personal data have been unlawfully transferred or otherwise unlawfully revealed to third parties and there is a threat of serious harm to the data subject's rights or legitimate interests. The special types of personal data covered are personal data subject to professional secrecy, personal data related to criminal offences, to the suspicion of punishable actions or to administrative offences, and personal data concerning bank or credit card accounts. The obligation to report unlawful access to data is therefore only triggered by breaches involving these special categories of data, and only if the result is a serious harm to the data subject's rights or legitimate interests.
Article 33 GDPR, on the other hand, now stipulates an obligation to notify the supervisory authority in the case of any personal data breach, unless the personal data breach is unlikely to result in a risk to the rights of natural persons. According to Article 4 paragraph 12 GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Consequently, every data breach taking place after 25 May 2018 that is likely to result in a risk to a natural person's rights will trigger the notification obligation. Article 33 GDPR thus reverses the relationship between rule and exception found in Section 42a BDSG: notification becomes the rule, and exemption the exception. Article 34 GDPR furthermore states that the target of a data breach also has to inform the data subject about the breach. Unlike Article 33 GDPR, this duty only applies if the personal data breach is likely to result in a high risk to the rights of natural persons. The new law can therefore lead to a situation in which the target has to inform the supervisory authority but not the data subject.
Section 42 sentence 6 BDSG provides that authorities may only use the information they gathered from a notification in criminal proceedings with the consent of the target. Articles 33 and 34 GDPR do not include a comparable provision. It remains to be seen whether the German legislator will introduce a new provision on this point; when it comes to criminal procedural law, the German legislator remains competent.
The GDPR does not only affect the reporting obligation after a data breach; it also changes and increases the sanctions that can result from infringements of the applicable provisions. Infringements of Section 42a BDSG could only lead to fines of up to EUR 300,000. In contrast, Article 83 paragraph 4 GDPR now provides that an infringement of Articles 33 and 34 can lead to fines of up to EUR 10,000,000 or up to 2% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher. The GDPR thus not only imposes stricter requirements on companies dealing with personal data but also drastically increases the potential fines for violating those requirements. Accordingly, data protection compliance will become even more important under the regime of the new GDPR.