Privacy Advisor

EU Data Breach Notification Rule: The Key Elements

August 27, 2013

By Laura Vivet Tañà, CIPP/US, CIPP/E

In light of the European Commission Regulation (EU) Nº 611/2013 of 24 June about measures applicable to the notification of personal data breaches for the European telecommunications industry, we are wondering if it will be the best reference for the proposed new EU Data Protection Regulation, which includes a section about the same issue but not just limited to the telecommunications sector.

Through the mentioned telecommunications regulation, we can appreciate an interest to notify the competent national authority of all personal data breaches using a very broad definition. And only when the personal data breach is likely to adversely affect the personal data or privacy of individuals, providers shall in addition notify the individual. Only in this last case, the regulation specifies the circumstances that should be assessed to consider whether a personal data breach is likely to adversely affect the personal data or privacy of individuals.

In addition, the notification should be made no later than 24 hours after its detection, where feasible.

The proposed new EU Data Protection Regulation in its current wording also includes broad definitions and short deadlines for the notification of personal data breaches, which could cause certain issues into practice. This article analyses the key elements of this proposed new EU Regulation.

What Should Be Considered a “Personal Data Breach”

Before analyzing what could be considered a personal data breach, and under what circumstances the notification requirement should be triggered, it is important to remember the aim of this new obligation and to consider the experience of other countries.

Unlike other states that have more experience with data breach notification regulations, mainly based on the prevention of identity theft or fraud, the new regulation’s explanatory memorandum goes further and also includes the prevention of social harm to the individual, including physical harm, significant humiliation or damage to reputation that could result when a data breach is not addressed in an adequate and timely manner.

This is an important nuance, since it will define which data need to be subject to data breach notification requirements.

For example, in the U.S. some data breach notification requirements are part of federal laws regulating certain sectors, e.g., healthcare and financial services, and there are more than 46 state laws imposing notification obligations on organizations that discover a breach of security involving personal information. Many of these state laws are modeled on the California security breach notification law, which came into force on July 1, 2003.

Under the U.S. scheme, the purpose of the myriad data breach laws in force today is to prevent identity theft, hence the definition of “protected personal information.” It generally includes certain identification data that are necessary to commit a fraud, i.e., personal first name and last name in combination with any of the following: Social Security/National Insurance number, driver’s license number, ID card number, bank account/credit card number with a security access code or password. Therefore, if there is a leak of another type of information, or if the protected personal information is encrypted (except in some cases), the duty to notify is not usually required.

However, if we take the ambitious purpose of the new regulation into consideration, we will also have to consider a new and wide range of data that are not easy to define, for example, video/voice, pictures, e-mail messages.

We should not lose sight of the fact that, historically, the legislation has always been elaborated after the facts, as the law serves to regulate real situations where we know the issues and consequences. Considering that identity theft has been the main reason for passing data breach laws at the international level, it is not be desirable to distort their purpose if the consequence is a more protective, albeit less effective, rule.

The Notification Requirement: When, and To Whom?

The new regulation imposes an imperative and immediate notification to the supervisory authorities within 24 hours of controller discovering a breach. Only when the breach is likely to affect the privacy of the individual adversely shall the controller, after the above-mentioned notification, communicate it to the data subject without undue delay.

The Article 29 Working Party points out that the scope of the duty to notify the DPA should be more focused and restricted in order to avoid overburdening the supervisory authorities with minor data breach notifications that are unlikely to adversely affect the rights of data subjects. This recommendation may also be applicable when the notification is issued to the data subjects.

A number of approaches emerge if we look at international experience in this field. In the U.S., not all the states of the union consider it necessary to disclose security breaches to the authorities; in some states, the notification is only issued to the affected individual because his/her collaboration is essential to prevent the identity theft, e.g., Arizona, Iowa.

In other states, disclosure to the authorities only applies when the breach affects more than a certain number of individuals, e.g., 500 in California or 1,000 in Alaska and Hawaii. In other countries where notification is required, the disclosure must be simultaneously sent to the authorities and to the individuals concerned (Germany).

At this point, it could be useful to focus on the most important objective that the notification seeks to achieve.

Indeed, if we wish to prevent identity theft, it would probably be very useful to warn the individual concerned as soon as possible when certain data have been illegally accessed or when there are reasons to believe that this could lead to serious harm to the individual or their rights. The number of individuals is not important; only the type of data and notification to the data subject will be helpful to minimize the damage.

The decision to notify the individuals has to lie with the controller as the person/entity that will respond for any potential harm to them. The supervisory authorities cannot take this decision on the controller’s behalf without assuming responsibilities if they are wrong.

Furthermore, the notification to the authorities could be useful vis-à-vis the preparation of statistics and recommendations to better adjust the legislation to experience and new threats, even though immediate notification may not be needed. In fact, during the first 24 hours it could be more useful to focus on taking appropriate measures to mitigate any potential damage and find the cause of the incident.

If we wish to justify immediate notification to the authorities by arguing that the purpose is to seek assistance in order to manage the incident, perhaps the 24-hour notification should be voluntary, not mandatory.

Generally, if there is a security breach, the controller is best placed to assess the risks and their consequences because he/she has all the inside information and also has a greater interest in acting correctly, because he/she will be responsible for any damages, including to brand reputation.

What About the Consequences of the Security Breach?

Indeed, the new regulation includes large fines—up to 1,000,000 Euros or, in the case of an enterprise—up to two percent of its annual worldwide turnover. If there is a breach, the controller will not only have to deal with the high penalties that could result if the breach is not properly managed but also those arising from not implementing appropriate measures, not ensuring a level of security appropriate to the risks and liability for damages suffered by data subjects, not to mention the harm to the brand reputation.

With these terms the new regulation certainly does not promote the disclosure of security breaches. This could be a mistake if the ultimate aim is to prevent identity theft.

Under the American scheme security breach rules are framed in a different system in which the subjects are not protected by a general privacy right, so the mere notification of a security breach is not directly associated with any right to compensation. This does not mean that a class-action could not succeed, if the data subjects prove the causal relationship between the harm and the breach. Besides, mere notification does not always result in penalties, and if the incident is appropriately handled there may be no harm and no fines.

For this reason the new regulation perhaps needs to include an exception to certain penalties related to data breaches in order to reinforce its effectiveness.

Therefore, if controllers are sure about the consequences they may be more likely to disclose a breach, considering that—in all cases—they will have to deal with brand reputation issues and potential compensation to individuals, if there is a proven causal relationship between the harm/damages and the breach.

It may also be of interest to the controller who is subject to the data breach requirements to set up an emergency plan that would be applied when a security breach occurs or to anticipate a “Safe Harbor” in which the controller would not be considered liable.

Additionally, an insurance policy for security breaches could be mandatory in certain cases, such as when processing a large amount of special categories of data.

In conclusion, the new EU data breach notification rule is an important instrument that could help to improve trust in the online environment when reducing identity theft. It could also lead controllers to take serious steps to avoid security breaches, while reinforcing the right to privacy at the same time. It is important to have a proportional and effective regulation that could be applicable and useful to all sides, even if it would only be applied initially to certain sectors where the need for application is more urgent and essential. If the experience is positive, it would be easier to extend it to other fields.

Laura Vivet Tañà, CIPP/US, CIPP/E, is an associate lawyer with Adade Group in Barcelona. Besides her more than 10 years experience in the area of privacy and new technologies, she is also an experienced litigator in commercial law. She’s a member of the Barcelona Bar Association and is a collaborating professor at different programs in privacy and information at the University Pompeu Fabra, Barcelona. She can be reached at lvivet@adade.es.