4.5.3 GDPR
4.5.3.1 The Commission's proposal
The provisions concerning data breach notifications are Articles 31 and 32. Article 31 concerns the notification to the supervisory authority: "In the case of a personal data breach, the controller shall without undue delay (not later than 24 hours after having become aware of it) and where feasible notify the personal data breach to the supervisory authority." In cases where the notification is not made within 24 hours, the delay has to be justified.
The notification to the individuals affected is governed by Article 32, whose first paragraph states that "(w)hen the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay."
The article's third paragraph, however, exempts the controller from the notification duty "if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach" [30], so that the data would be unintelligible to unauthorised persons. In any case, according to Article 32's fourth paragraph, if the controller did not notify the affected individuals, the national authority may compel it to do so.
4.5.3.2 The Parliament's version
The Parliament slightly modified Article 31, replacing the 24-hour time requirement to notify the national authority with a broader "without undue delay". Article 32, which concerns the notification to the data subject, was amended as well: the notification has to be made "(w)hen the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject" (instead of merely "the protection of the personal data or privacy"), and it needs to be comprehensive, use clear and plain language, and provide information about the rights of the data subject, including redress.
4.5.3.3 The Council's latest version
The Council's version of Art. 31 and 32 arguably imposes a less stringent obligation than both the Commission's and the Parliament's. The notification to the data subject ex Art. 32 is due only when the breach is likely to result "in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, [breach of () pseudonymity], loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage", and the data controller is exempt from the notification duty in four distinct (and broad) cases:
a. the controller () has implemented appropriate technological and organisational [31] protection measures and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or
b. the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; or
c. it would involve disproportionate effort, in particular owing to the number of cases involved. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner; or
d. it would adversely affect a substantial public interest.
The notification to the national authority ex Art. 31 turned out to be a weaker requirement as well. The data controller, according to the Council, shall be obliged to notify the competent authority only of a breach "which is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, [breach of () pseudonymity], damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage", and within a longer maximum time span, namely 72 hours. Moreover, according to the Council's Article 31, par. 1a, if the controller has implemented appropriate technological and organisational protection measures and those measures were applied to the data, or if it has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise, then the notification to the national authority is no longer due.
4.5.3.4 The consolidated version
On 15th December 2015, the EU Commission, Parliament and Council of Ministers reached agreement after months of "trialogue" negotiations. This text will soon be adopted, most likely in Spring 2016, and come into force across the EU two years later, in mid-2018. Under this consolidated version of the GDPR [36], a "personal data breach" is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" and is associated with the requirement of a 72-hour notification period. A notification by the data controller to the data protection authority must be provided that "at least":
- describes the nature of the personal data breach, including the number and categories of data subjects and data records affected;
- provides the data protection officer’s contact information;
- describes the likely consequences of the personal data breach, and
- describes how the controller proposes to address the breach, including any mitigation efforts.
Notification is not required, however, if "the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals". When a data processor experiences a personal data breach, it must notify the controller (and not necessarily the data protection authorities). If the data controller has determined that the personal data breach "is likely to result in a high risk to the rights and freedoms of individuals", it must also communicate information regarding the personal data breach to the affected data subjects.
[30] Note the similarity of wording compared to the exemption related to security breaches with respect to the ePrivacy Directive discussed above.
[31] "Organisational" being a notable addition by the EU Council.