Last week, the Article 29 Data Protection Working Party published a non-binding Opinion on data breach notifications, titled Opinion 03/2014 on Personal Data Breach Notification (the Opinion). The Opinion provides helpful new guidance to companies seeking to understand whether or not notifications about a breach must be made to European privacy regulators and/or affected individuals in the wake of a data breach. Although the Opinion’s guidance is non-binding, and is not based on clear legal requirements, it is nevertheless likely to shape enforcement practices both inside and outside the EU, given the standing and influence of the Article 29 Working Party.
This post discusses key aspects of the Opinion.
What is a “data breach”?
The Opinion explains that data breaches are found in many forms, ranging from accidental loss of data (a lost laptop or USB key, for example) to unauthorized destruction, alteration, or disclosure (caused by employees gone rogue, or hackers, for example). In many cases, company reputations and assets can be put at risk. Data breaches also attract significant attention from regulators – it is notable that the majority of UK ICO enforcement actions in the last several years have focussed on data breaches, rather than other infringements of UK data protection law.
European laws may sometimes require, and regulators may expect, companies to disclose information about breaches to regulators and/or to individuals affected by the breach, a practice often referred to as breach notification. At present, however, only a few EU Member State laws explicitly call for breach notification for organizations other than electronic communications service providers, as discussed below.
Who must notify?
The Opinion explains that European breach notification requirements currently apply to organizations differently, depending on which type of organization is affected by the breach. Telecommunications companies, in particular, are subject to special breach notification requirements under European laws, and must in certain circumstances notify regulators and/or network subscribers of breaches, or even sometimes of risks of breach.
Non-telecommunications companies and other organizations handling personal data as “data controllers” under European law are not subject to any single harmonized European breach notification requirement at the present time – but the Opinion notes that this will soon change if Europe’s data protection rules are amended by the proposed General Data Protection Regulation (the draft Regulation). The draft Regulation would, if enacted in its present form, impose a broad notification requirement on all controllers within the European Economic Area.
In the meantime, despite the lack of any single pan-European requirement, non-telecommunications companies must still comply with breach notification laws as set out in a patchwork of varying Member State national laws. These laws mean that a company suffering a breach affecting people across Europe may need to make notifications only in certain Member State markets but not in others, or may need to make different types of notifications in different Member States.
Reducing the need for breach notifications
The Opinion then considers a range of data breach scenarios where breach notifications may or may not need to be made under current rules. Interestingly, in some of these cases, the Opinion emphasizes that breach notification requirements can be avoided if controllers take measures in advance to minimize the impact of a breach. For example, some measures, such as encryption, careful code review, quick patch updates to “zero-day” software vulnerabilities, and minimal data collection, can prevent the need for any breach notification in scenarios where notifications would otherwise be required. The Opinion provides useful detailed guidance on some of these measures – for example, it discusses how companies can enhance security by salting and hashing passwords.
Companies are still left to make a judgment, however
The Opinion, perhaps predictably, encourages companies to “err on the side of caution” and to opt to make breach notifications when there is any uncertainty about the legal requirements. The Opinion also encourages all companies to make such notifications quickly, as per the “undue delay” standard required of telecommunications companies. (The phrase “undue delay” is defined in the requirements relevant to telecommunications companies as being up to 24 hours following the discovery of a breach, where feasible, but extensible up to 72 hours in certain cases.)
These expectations do not appear to be grounded in firm legal requirements, and in some cases may appear unworkable to companies seeking to balance speed of notification with accuracy, but will nevertheless grow in importance as the Opinion influences enforcement practices. Companies should study the Opinion and take its recommendations into account in the aftermath of a breach in order to maximize the chances of reducing enforcement penalties.