The Irish Data Protection Commission released a guidance note earlier this month explaining breach notice obligations under the EU Data Protection Regulation (GDPR). Based on an interesting (and challenging) question recently posted to a privacy listserv, I thought I’d take that guidance on test drive to see if offered a solution to the real-life query posed. Spoiler alert: It didn’t.
To be fair, the Irish guidance is only five pages long—entitled “A Quick Guide to GDPR Breach Notifications” (emphasis added)—so it’s unlikely it was drafted to address challenging situations. But it does recommend and cross-reference detailed guidance on the same topic published by the Article 29 Working Party (WP29), but even that document falls short.
What’s the situation that escaped the foresight of regulators?
Meet the Team
A business publishes a “Meet the Team” page on its corporate website, which includes the names and photos of employees. So when the business hired a new employee, it took a photo of the individual—initially for ID badge purposes—and posted the photo along with the employee’s full name on the public webpage.
Although the business provides employees with a form saying that it will use the ID photo on the internet and on social media, this particular employee refused to sign the form. Significantly, the form did not seek the employee’s consent.
With the posting of the photo on the company webpage, the employee—who previously had no internet footprint because of a past sensitive job and a past abusive relationship—was now geo-locatable and claimed to be at genuine risk of physical harm.
The business responded to the employee’s concerns by uploading a stock photo and changing the name on the company webpage, but the employee’s real name and image still appear in Google search results.
Does this scenario constitute a reportable data breach?
What is a breach?
The Irish DPC’s guidance parrots the GDPR: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
Without question, publication of the employee’s name and photo on the webpage constitutes “disclosure” of “personal data.” But was there a breach of “security” that led to that disclosure? In other words, must a breach be a “security” incident?
The WP29 guidance unambiguously states that “a breach is a type of security incident.”
So what constitutes “security”?
Both the WP29 guidance and the Irish guidance note that security relates to ensuring compliance with the principles outlined in GDPR Art. 5, which includes, among other things, lawfulness, fairness and transparency.
Were the employer’s actions transparent?
Arguably, yes. While consent as a legal basis should be avoided in the employment context, consent was not sought here. Rather, the photo ID form (which the employee refused to sign) provided notice of the intent to publish the photo on the website, presumably satisfying the transparency principle.
The most likely legal bases for the processing would be either performance of a contract (here, the employment contract) or legitimate interests (permitting the employer to market its business). It’s unclear, however, whether the form stated either basis explicitly.
A question arises whether the employee was treated fairly when the photo was published notwithstanding the employee’s refusal to sign. But given that the form was not seeking consent, would a refusal to sign have any effect?
GDPR Recital 60 says: “The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.” Presumably, the form did that. However, Recital 60 goes on to say that “the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data.” It’s unclear whether the form did that.
Assuming for the sake of argument that the employer’s actions were indeed lawful, fair, and transparent—i.e., that the employer had complied with the applicable principles and suffered no “breach of security”—could this event nevertheless be classified as a breach?
Were potential risks taken into account?
The GDPR requires controllers to implement measures “to ensure a level of security appropriate to the risk,” which refers to the risk of infringing the rights and freedoms of natural persons. GDPR, Art. 32.
Given this employee’s unique history and the alleged threat of physical harm, the risk to the employee is admittedly high. But if that history was unknown to the employer—if the employee never offered reasons for refusing to sign the form accompanying the photo ID—one could argue that such a risk would not be anticipated and the level of security was therefore “appropriate.”
Should the Supervisory Authority nevertheless be notified?
Does high risk alone—i.e., without an underlying “breach of security”—trigger the notification obligation? Stated another way, does subsequent disclosure of a high risk transform a non-security incident into a breach?
Both guidance documents are silent on this explicit issue, as is the GDPR itself. While an assessment of risk is certainly a factor to consider when deciding whether to notify, the assessment comes in the wake of an actual breach.
Practically speaking, notification of the Supervisory Authority could be viewed as an admission of fault by the employer, exposing the employer to even greater liability. Moreover, if the employer were to notify the Supervisory Authority solely because of the high risk to this employee, the GDPR would clearly require the employer to notify the employee as the “at risk” data subject. A rather odd turn of events, since it was the data subject who first notified the controller.
A way out?
A better option would be to view the employee’s complaint as a request for erasure. The actions taken by the employer in the wake the complaint—uploading the stock photo and changing the name on the company webpage—appear to align with a controller’s duties under GDPR Art. 17.
The employer should also consider reaching out to Google and other search engines to request deletion of the data in their cache.
To protect itself in the future, the employer may want to review its photo ID form to ensure that it expressly states the legal grounds for collecting such information and to clarify that employees have discretion to object to any public posting without fear of reprisal.