EU Proposals for Dealing with Data Security Breaches: The Future Remains Unclear

Nov. 12, 2013, 9:09 PM UTC

In January 2012, the European Commission unveiled its draft Data Protection Regulation (Regulation), intended to update and harmonise EU data protection law (see analysis at WDPR, February 2012, page 4). Eighteen months later, the draft has been described as the most lobbied piece of legislation in EU history, and few issues have caused more consternation than the proposals around dealing with data security breaches.

Businesses and national regulators have all taken issue with the proposals, and the waters have been further muddied by the Commission’s introduction of the Regulation on notification of personal data breaches by public electronic communications service providers and by reporting requirements under the Commission’s draft Network Information Security Directive.

A revision of the draft Regulation was recently adopted by the lead European Parliamentary Committee of Civil Liberties, Justice and Home Affairs (LIBE), which sees a slight softening of the proposals, and a leaked draft by the Irish Presidency to the European Council goes further still.

Exactly what the final version of the legislation will contain remains a matter for speculation.

What Are the Current Proposals?

Under the Regulation, there would be mandatory reporting of data security breaches. Organisations would have to inform the relevant data protection authority (DPA) of a breach “without undue delay and, where feasible, not later than 24 hours of becoming aware of it”. In addition, they would then have to inform data subjects “without undue delay” unless the relevant data protection authority was satisfied that the data was sufficiently protected from being accessed by an unauthorised user, for example, by encryption. Data processors would be subject to the still more onerous requirement to inform data controllers “immediately” of any data security breach.

What Are the Issues?

Most obviously, in the current draft of the Regulation, there are no exceptions to the requirement to notify data security breaches to DPAs. This means that every security breach, no matter how insignificant, would, in theory, have to be reported. Not only would this place a huge administrative burden on organisations, but also the Commission does not appear to have thought about how DPAs would process, much less act on, this information. In addition, in order to comply with the time frames, data controllers are likely to have to provide incomplete notifications to be supplemented at a later date, thereby adding to the administrative burden for all concerned.

There is nothing in the Regulation which stipulates how DPAs are supposed to deal with notifications of security breaches. Despite the tight time constraints on data controllers and processors, there are no time limits within which the DPA needs to respond. This is particularly important, given the stipulation in Article 32 of the Regulation that it is unnecessary to inform a data subject of a breach if the controller can demonstrate to the satisfaction of the DPAs that the data was encrypted or otherwise protected from access. Another issue with the lack of guidance to DPAs on response times is the possibility of the DPA coming back to the data controller about a data security breach long after the controller has dealt with it.

With an increased administrative burden come increased costs. Again, these would be felt both by businesses and by DPAs (or, in other words, EU member states). In its impact assessment of the Regulation, the U.K. Ministry of Justice highlighted the data security breach notification requirements as adding a potential 104 million pounds (U.S.$166.1 million) to the compliance bill.

Where Are Things Headed?

It seems that there may be some watering down of the data security breach reporting requirements in the next official version of the Regulation. With considerable pushback from the DPAs as well as from business and member state governments, the Commission has said it will look again at the proposals.

The Regulation on Notification of Personal Data Breaches by Public Electronic Communications Service Providers

Some clues as to the direction the Commission is likely to take may be found in its Regulation on notification of personal data breaches by public electronic communications service providers (Notification Regulation), which came into force in September 2013 (see WDPR, July 2013, page 19). While the breach reporting requirements mirror those of the Regulation in many ways, there are some subtle but significant differences.

The Notification Regulation was introduced under technical implementing measures set out in the Privacy and Electronic Communications (e-Privacy) Directive, and applies to providers of publicly available electronic communications services in the European Union.

Companies subject to the Notification Regulation are required to notify their national competent authority within 24 hours of any personal data breach. They are required to give certain information about the breach, including the date and time of the incident, the number of people affected and the sensitivity of the relevant data. If not all the information is available, they can supply it within a further three-day period after the initial 24-hour period. If they still cannot give all the required information after that, they have to supply a “reasoned justification” for their failure to do so.

Relevant service providers also have to inform individuals of data breaches “without undue delay” where the breach “is likely to adversely affect the personal data or privacy” of those individuals. In assessing whether a breach needs to be notified to data subjects, factors such as the sensitivity of the data, the circumstances of the breach and the recipient of the data will be relevant. Companies are exempt from requirements to notify data subjects if they can show they were using certain protective technological measures. The Commission will publish a definitive list of these shortly.

On the plus side, the assessment of whether to notify data subjects of a breach is left to the data controller rather than to the regulatory authority. In addition, a definitive list of technological measures which would exempt a data controller from the requirement to notify data subjects is sensible.

However, while the Notification Regulation does show some relaxation on the timing of breach notifications to regulators, compared with the current provisions in the Regulation, the time frames remain tight, and there is still no exemption for breaches of a minor nature.

The ‘Irish Draft’

We can also look at suggestions made in the so-called “Irish draft”, which is a redraft of the Regulation proposed by the Irish Presidency to the Council in May 2013 and subsequently extended and addressed to a working party. This draft has been leaked (a version appeared on the Statewatch website) and should not be taken as the Council’s official position, but, again, it may show which way matters are trending.

The Irish draft significantly waters down the breach notification provisions. There is a higher threshold for reporting, which means that not every single breach has to be notified. The relevant DPA must be notified “without undue delay” and not later than 72 hours after the breach. No notification is required where the data subject is not identifiable due to technological measures. Fewer details regarding the breach need to be submitted, and, if the information is not available at the time of notification, it must be submitted “without undue further delay”.

In terms of notifying data subjects of a breach, only breaches likely to “severely affect the rights and freedoms of the data subject” must be notified. There is no requirement to notify a data subject where:

  • the controller has implemented appropriate technological measures so as to make the data unintelligible to anyone not authorised to access it; or

  • the controller has taken measures to ensure the data subject’s rights and freedoms are no longer likely to be severely affected; or

  • notification would involve disproportionate effort (in which case a public communication might be appropriate); or

  • notification would adversely affect a substantial public interest.

This represents a significant reduction in scope compared with the official draft. In addition, the DPA would not be able to require a data controller to notify the data subject if the controller has decided there is no need to do so.

The LIBE Committee Draft

Predictably, the European Parliament draft proposed by the LIBE Committee and adopted on October 21, 2013, takes a tougher stance than the Irish draft. Based on leaked versions (like a draft which appeared on the European Digital Rights website) of this document, it appears that, while there is some relaxation of the original proposals, the changes do not go as far as those proposed in the Irish draft.

In the LIBE draft, it appears that the 24-hour requirement to notify the supervisory authority of a data breach has been removed, so the provision now requires reporting “without undue delay”. Much has been made of the change from a 24-hour reporting period to a 72-hour reporting period, but, in fact, the 72-hour time period is mentioned only in the draft Recital 67. Recitals are used to guide interpretation of articles, but it is surprising that a definite time limit is given in the draft recital but not in the article.

Another change is that information about the breach can be provided in phases if necessary, although there is no reduction in the nature of information which must be supplied. In addition, processors have to inform data controllers of a breach “without undue delay” rather than “immediately”.

Crucially, there is still no exemption for breaches of a minor nature or for breaches involving encrypted data as far as notifying the regulator is concerned.

As far as the requirements for notifying data subjects of breaches go, if anything, these have been slightly strengthened.

Breaches which adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject must be communicated to the data subject without undue delay after the supervisory authority has been informed. In addition to the previous information requirements, the data subject must be given information about his or her rights, including redress.

The provision stating that no notification of the data subject is required if the controller can demonstrate to the satisfaction of the supervisory authority that the data was encrypted remains, with all its problems. How will the supervisory authority handle being inundated with information? What if it takes a long time to respond to the controller? How then is the data controller supposed to comply with its notification provisions in this scenario?

Certainly the LIBE draft gives some ground in relation to data breach notification, but it is unlikely to reassure data controllers that the final provisions will be clear cut and impose achievable obligations.

[Editor’s Note: An analysis of the LIBE draft appears in the Special Report in this issue.]

What Happens Next?

With pressure mounting to agree and pass the legislation before the end of the current Parliament in May 2014, we expect to see a lot of movement in the coming months. But the revelations about the U.S. National Security Agency’s alleged interception of EU citizens’ electronic communications have clearly hardened the Parliament’s position (see WDPR, July 2013, page 18), and seem to have pushed them into making political rather than practical changes. This may mean that negotiations with the EU Council will take longer than originally expected if members like the United Kingdom continue to hold out for a softening of the legislation.

The LIBE Committee and the Commission are aiming for a vote by a full sitting of the Assembly before next May. They are hoping to vote on a negotiated compromise position which will signal the introduction of the law, but if there is no agreement, the plenary vote may go ahead anyway with negotiations continuing in the next Parliament.

But if the Parliament shifts considerably in makeup in the next elections and the legislation has not been passed, there is a risk that the new Parliament will force the legislation back to the drawing board.

Other possible scenarios are that huge compromises will be accepted in the desire to push the legislation through by May 2014, or that the legislation passes in 2015, but with a shorter implementation period, so that the changes would still come into force by 2016.

Ultimately, we need to wait for the next official draft of the Regulation to see whether the lobbying has paid off and the data security breach reporting requirements become more realistic.

Both the Irish draft and the LIBE draft indicate a softening (to varying degrees) of the original approach on the specific point of breach reporting, but neither goes as far as most data controllers would like.

Debbie Heywood is a Professional Support Lawyer with Taylor Wessing LLP, London. She may be contacted at d.heywood@taylorwessing.com.
