On March 25, 2014, the Article 29 Working Party (the “WP29”) issued Opinion 03/2014 on Personal Data Breach Notification in order to help data controllers assess whether to notify data subjects of a personal data breach.
Currently, only providers of telecommunications services are required to notify data subjects in the event of a personal data breach likely to adversely affect such data subjects’ personal data or privacy. Nevertheless, this obligation will be expanded in coming years to all data controllers, whatever their business sectors, with the upcoming adoption of the EU General Data Protection Regulation.
Anticipating the adoption of that Regulation, the WP29 has issued an opinion to provide general guidance for data controllers to assess, on a case-by-case basis, whether a breach is likely to adversely affect the personal data or privacy of data subjects, and therefore should be notified to data subjects.
In this opinion, the WP29 provides examples of data breaches likely to adversely affect the data subjects’ personal data or privacy, and gives some recommendations in terms of appropriate measures that, if implemented beforehand, may prevent such breaches (e.g., using an appropriate encryption product with a sufficiently strong and secret key, etc.). The WP29 also lists some scenarios where notification to data subjects would not be required (e.g., a personal data breach only relating to confidentiality where the data was securely encrypted with a state-of-the-art algorithm).
In addition to these practical examples and recommendations, the WP29 addresses key issues that data controllers may face while considering whether to notify data subjects. In particular, the WP29 underlines the need to notify even if only one data subject is affected by the breach. Where there is doubt about the likelihood of adverse effects on the personal data or privacy, the WP29 recommends that controllers “err on the side of caution and proceed with notification”.