Dealing with data security breaches – the future

September 2013

In January 2012, the European Commission unveiled its draft data protection Regulation (Regulation), intended to update and harmonise EU data protection law.  Eighteen months later, the draft is still being hotly debated with the European Parliament currently considering more than 3000 suggested amendments to the draft.  The Regulation has been described as the most lobbied legislation in EU history and few issues have caused more consternation than the proposals around dealing with data security breaches.

What are the proposals?

Under the Regulation there would be mandatory reporting of data security breaches. Organisations would have to inform the relevant data protection authority (DPA) of a breach "without undue delay and, where feasible, not later than 24 hours of becoming aware of it".  In addition, they would then have to inform data subjects "without undue delay" unless the relevant data protection authority were satisfied that the data was sufficiently protected from being accessed by an unauthorised user, for example, by encryption.  Data processors would be subject to the still more onerous requirement to inform data controllers "immediately" of any data security breach.

What are the issues?

Most obviously, in the current draft there are no exceptions to the requirement to notify data security breaches to DPAs.  This means that every security breach, no matter how insignificant, will, in theory, have to be reported.  Not only would this place a huge administrative burden on organisations, but the EU does not appear to have thought about how DPAs would process, much less act on, this information.  In addition, in order to comply with the time frames, data controllers are likely to have to provide incomplete notifications to be supplemented at a later date, thereby adding to the administrative burden for all concerned.

There is nothing in the Regulation which stipulates how DPAs are supposed to deal with notifications of security breaches.  Despite the tight time constraints on data controllers and processors, there are no time limits within which the DPA needs to respond.  This is particularly important given the stipulation in Article 32 of the Regulation that it is unnecessary to inform a data subject of a breach if the controller can demonstrate that the data was encrypted or otherwise protected from access.  Another issue with the lack of guidance to DPAs on time of response is the possibility of getting comeback on a data security breach from the DPA long after it has been dealt with by the data controller.

With an increased administrative burden comes increased costs.  Again, these would be felt both by businesses and by DPAs (or in other words, member states).  In its impact assessment of the Regulation, the U.K.'s Ministry of Justice highlighted the data security breach notification requirements as adding a potential £104m to the compliance bill.

Where are things headed?

It does seem that there may be some watering down of the data security breach reporting requirements in the next draft of the Regulation. With considerable pushback from the DPAs as well as from business and member state governments, the EC has said it will look again at the proposals.

Some clues as to the direction the EC is likely to take may be found in the new Regulation on notification of personal data breaches by public electronic communications service providers (Regulation 611/2013).  While the breach reporting requirements mirror those of the Regulation in many ways, there are some subtle but significant differences.

Regulation 611/2013 has been introduced under technical implementing measures set out in the Privacy and Electronic Communications Directive and applies to providers of publicly available electronic communications services in the EU.

Companies subject to Regulation 611/2013 will be required to notify their national competent authority within 24 hours of any personal data breach.  They will be required to give certain information about the breach, including the date and time of the incident, the number of people affected and the sensitivity of the relevant data.  If not all the information is available, they can supply it within a further three-day period after the initial 24-hour period.  If they still cannot give all the required information after that, they will need to supply a "reasoned justification" for their failure to do so.

Relevant service providers will also have to inform individuals of data breaches "without undue delay" where the breach "is likely to adversely affect the personal data or privacy" of those individuals.  In assessing whether a breach needs to be notified to data subjects, factors like the sensitivity of the data, the circumstances of the breach and the recipient of the data will be relevant.  Companies will be exempt from requirements to notify data subjects if they can show they were using certain protective technological measures.  The EC will publish a definitive list of these shortly.

On the plus side, the assessment about whether to notify data subjects of a breach is left to the data controller rather than to the regulatory authority.  In addition, a definitive list of technological measures which would exempt a data controller from the requirement to notify data subjects is sensible.  However, while Regulation 611/2013 does show some relaxation on timing of breach notifications to regulators, compared with the current provisions in the Regulation, the time frames remain tight and there is still no exemption for breaches of a minor nature.

We can also look at suggestions made in the so-called 'Irish draft', which is a re-draft of the Regulation proposed by the Irish Presidency to the Council in May 2013 and subsequently extended and addressed to a working party.  This draft has been leaked and should not be taken as the Commission's official position, but again, it may show which way matters are trending.  The Irish draft significantly waters down the breach notification provisions.  There is a higher threshold for reporting, which means not every single breach has to be notified.  The relevant DPA must be notified "without undue delay" and not later than 72 hours after the breach.  No notification is required where the data subject is not identifiable due to technological measures.  Fewer details regarding the breach need to be submitted and, if the information is not available at the time of notification, it must be submitted "without undue further delay".

In terms of notifying data subjects of a breach, only breaches likely to "severely affect the rights and freedoms of the data subject" must be notified.  There is no requirement to notify a data subject where:

  • the controller has implemented appropriate technological measures so as to make the data unintelligible to anyone not authorised to access it; or
  • the controller has taken measures to ensure the data subjects' rights and freedoms are no longer likely to be severely affected; or
  • notification would involve disproportionate effort (in which case a public communication might be appropriate); or
  • notification would adversely affect a substantial public interest.

This represents a significant reduction in scope compared with the official draft.  In addition, the DPA would not be able to require a data controller to notify the data subject if the controller has decided there is no need to do so.

What happens next?

We need to wait for the next official draft of the Regulation to see whether the lobbying has paid off and the data security breach reporting requirements become more realistic.  With the European Parliamentary vote delayed until at least the autumn, the Regulation still looks a long way off.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Debbie Heywood
