On 25 March 2014, the Article 29 Working Party (“WP 29”) issued Opinion 03/2014 (the “Opinion”). The Opinion provides guidance to data controllers to help them decide whether to notify data subjects about a personal data breach.
In the first part of the Opinion, the WP 29 considers the notification obligations of telecommunications service providers that are imposed by the Directive 2002/58/EC. This Directive requires personal data breaches to be notified to the competent national authority. In addition, when the data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller must also notify the data subject about the breach without undue delay.
However, the Directive 2002/58/EC as well as the Proposed EU General Data Protection Regulation (the “Proposed Regulation”) contain an exemption to this notification obligation. That is, if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures to render the data unintelligible to any person who is not authorized to access it and if those measures were applied to the data concerned by the security breach, then notification of a personal data breach to a data subject is not required.
The WP 29 advises controllers to take appropriate technological and organizational measures to ensure a level of security that is appropriate to the risk represented by the processing so that they can rely on the exemption and avoid the need to notify the data subject. In this respect, the WP 29 notes that data controllers should proceed with notification when they have doubts about the likelihood of the adverse effects on the personal data or privacy of the data subjects.
In the second part of the Opinion, the WP29 lists both examples of data breaches where the affected data subjects should be notified as well as examples of cases where notification to the affected data subjects would not be required. The WP 29 also gives examples of technical measures which, if they had been in place prior to the breach, might have allowed for the avoidance of the need to notify the data subject, such as a confidentiality data breach that only concerns either encrypted data with a state of the art algorithm or salted/keyed, hashed data with a state of the art hash function (assuming all the relevant keys and salts are not compromised).
Finally, the Opinion talks about the various considerations companies face when assessing whether or not to notify the affected data subjects. The WP 29 emphasizes the need to factor in likely secondary adverse effects on the data subjects and indicates that companies should notify even if only one data subject is affected.
The Opinion can be found on http://ec.europa.eu/justice/data-protection/article-29/.
Steffie De Cock