After four years of negotiations, on the 27th of April 2016, the European Union finally adopted the General Data Protection Package consisting of the General Data Protection Regulation (GDPR) and the Directive for data processing by law enforcement for the purposes of prevention, investigation, detection or prosecution of criminal offences. The adoption of the package serves as a milestone development bringing a wide array of cyber security related implications for EU Member States and the private sector. The general nature of the reform was described in several of our older posts here and here. This INCYDER brief will focus on a specific change of the reform in relation to cyber security by addressing the requirement to notify personal data breaches as a mechanism to limit identify theft.
Context
Firstly, it is important to note that the scope of the new Regulation is much wider than before applying to all data controlling and processing activities in the EU. Furthermore, it will also apply to data controllers and processors established outside of the EU whose processing activities relate to the offering of goods and services to individuals in the EU and who monitor individual’s behaviour. Such extended territorial scope, however, has not been afforded for the purposes of law enforcement processing under the new Directive.
In order to ensure the confidentiality, availability, integrity and resilience of systems and data, the Regulation imposes certain cyber security rules for organisations handling personal data. In particular, they have to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk such as pseudonymisation and encryption. The wording of the Regulation further encourages the up-take of appropriate risk assessments in order for the rights and freedoms of natural persons to be protected.
The Regulation introduces some novelties such as the right to be forgotten,1 the right to data portability,2 data mapping obligation, 3 data protection impact assessments,4 the principle of data protection by design and by default;5 and some other areas where rules have been reinforced such as the transfer of data to third countries.6 One of the most noteworthy changes that the GDPR brought about is the mandatory data breach notification obligation7 that is applicable to a wide range of actors such as “natural or legal persons, public authorities, agencies or other bodies”.8 As a result, data breach rules will be unified across the European Union. This may become one of the biggest compliance hurdles for the actors within the EU.
The GDPR defines personal data breach as: ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.9 The GDPR makes some fundamental changes to the definition of personal data by including a persons’ name, location data, an online identifier and genetic data meaning all IP addresses, mobile IDs and such are covered.10 Until now, the EU required only the telecommunications sector to notify data breaches under the e-Privacy Directive11) and it plans to introduce a broader incident notification requirement under the Network and Information Security Directive (NIS Directive). Under such a requirement, organisations have to notify incidents that may have a significant impact on the continuity of the essential services they provide.12
Personal data breach notification
Both the Regulation and the Directive enshrine the notification requirement. In particular, it follows that the data controller must notify the personal data breach without undue delay not later than 72 hours after having become aware of it, to the responsible national supervisory authorities.
The threshold to determine the necessity of notification is whether the breach can result in a risk to the rights and freedoms of natural persons (e.g. the right to privacy). In case such risk is unlikely, the notification is not necessary. Indeed, this leaves ample room for interpretation by companies and authorities of what triggers the notification requirement as this is very broad and is far less strict than the original Commission Proposal for the GDPR.
Furthermore, the notification needs to describe the nature of the breach, the number of individuals as well as the number of records affected. Name and contact points of the data protection officer must also be added to the notification for the purposes of ease of access for more information. The controller of the data also needs to describe any likely consequences that the breach might entail as well as the measures that they have taken in order to mitigate the effects of such a breach. Such information needs to be provided to a ‘supervisory authority’ in the country where the data breach occurred.
When the breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must notify the breach to the individual (data subject) without undue delay, in clear and plain language and including the information described in the preceding paragraph in the notification (except the nature of the breach and the numbers affected). The wording of this section is also much less strict than the original Commission Proposal that triggered notification when the breach would likely adversely affect the protection of the personal data or privacy of the data subject. Such a broad threshold is difficult to understand, especially since the Proposal’s wording was also in line with the wording of the e-Privacy Directive.
Interestingly, as an incentive for the companies and bodies handling data, such notifications are not required if they have adopted appropriate technical and organisational protection measures (e.g. ? encryption) which are applied to the personal data and render such data unintelligible to any person who is not authorised to access it or taken any subsequent measures to ensure that high risk is not likely to materialise. More importantly, a breach notification is also not required when such a notification would involve a disproportionate effort. In such circumstances, a public communication will be used instead.
As a further safeguard, the reform includes an obligation to document any personal data breach and which needs to be available to the authorities in case of need of verification. It must also be noted that under the new reform, significant fines, up to 2 % of the company’s annual turnover, can be imposed on the actors that fall under the scope of the Regulation.
Way forward
These requirements go hand in hand with the soon to be adopted NIS Directive which imposes requirements for operators of essential services and digital service providers to notify security incidents that have a significant impact on the continuity of their services without undue delay. The precise implications on how different actors must deal with incidents where both security and personal data is breached, remains to be seen and should be made clear by the authorities.
Furthermore, the precise effect of the personal data breach notification requirement will remain to be seen. More importantly, it will be interesting to see whether this law will actually provide enough incentives for the actors to notify the incidents or whether it will prove to have enough loopholes to avoid notification considering the wide scope for the notification trigger. Also, how will the efficacy of this law be measured?
The Directive is to be implemented by 6 May 2018, and the Regulation will apply from 25 May 2018. The INCYDER team will keep an eye on the relevant developments in the context of cyber security and will keep you updated.
Mari Kert-St Aubyn
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
- Article 17 of the GDPR [↩]
- Article 18 of the GDPR [↩]
- Article 28 of the GDPR [↩]
- Article 33 of the GDPR [↩]
- Article 25 of the GDPR [↩]
- Article 40 of the GDPR [↩]
- Article 31 of the GDPR [↩]
- Article 4 of the GDPR [↩]
- Article 4(9) Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data. [↩]
- Article 4 of the GDPR; ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; [↩]
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications [↩]
- Article 14(2) of the Final Compromise text in view to an agreement of the NIS Directive [↩]