The Article 29 Working Party recently released an opinion on data breach notification in the EU. The opinion addresses two main issues:
- Experience to date with the existing breach notification rules in the ePrivacy Directive.
The breach notification obligation imposed by article 4.3-5 of the ePrivacy Directive (2002/58/EC) only applies to providers of electronic communications services. EU Member States are still in the process of transposing the rules into their national laws. However, as most of them are unlikely to meet the deadline of May 25, the Working Party had little to go on for its evaluation. The Working Party underscores the need for harmonization and highlights the areas where such harmonization may be threatened, in particular (i) divergences in the scope of the breach notification obligation; (ii) diverging national guidelines on the modalities of the notification; and (iii) diverging interpretation of what constitutes “protected data” (e.g., encrypted data) that is not subject to some aspects of the breach notification obligation. In order to help ensure harmonization and to increase coordination in cross border breaches, the Working Party has decided to set up a sub-group on breach notification.
- Expansion of the breach notification obligation to other sectors.
The Working Party welcomes the European Commission’s intention to adopt a horizontal breach notification obligation as part of the revision of the Data Protection Directive. In particular, the Working Party stresses that the new regime should be similar to the one in the ePrivacy Directive; that is, with the same harm threshold, the same notification procedure and the same modalities. More so, the Working Party invites the Commission to propose secondary legislation under the ePrivacy Directive that could also serve under the expected general breach notification, once introduced in the Data Protection Directive.
While the Working Party’s position comes as no surprise, three points are worth highlighting:
- First, it is good to see that the Working Party has taken to heart the need for harmonization. This concern appears very prominently in the opinion, and the Working Party is taking pro-active steps to make it happen.
- Second, the Working Party’s insistence on expanding the existing regime under the ePrivacy Directive to all sectors is worrying. The existing regime contains some burdensome requirements that now risk being implemented throughout the market. For example, the ePrivacy regime requires in principle that any breach (without threshold of harm) of any personal data (including protected/encrypted data) be notified to the competent authority. While this is already unworkable for the limited, sectoral ePrivacy Directive, it is difficult to see how the authorities will deal with this on a cross-sectoral level. Moreover, the threshold for notifying individuals under the ePrivacy Directive (breaches likely to adversely affect the personal data or privacy of individuals) is fairly low and would thus also be applied across the board to all data controllers in the EU.
- Third, it is interesting to see how the Working Party squarely ignores the work of ENISA. Only a couple of months ago, ENISA released a report on breach notification rules in the EU. Among other things, the report highlighted concerns related to notification fatigue and concerns by regulators about lacking appropriate resources and the need for prioritizing notifications to those that cause real harm. The report does not seem worthy of a reference.