On December 1, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Personal Data Breach Notification (the “Guidelines”). The Guidelines were adopted by the Working Party on October 3, 2017, for public consultation.

The EU General Data Protection Regulation (“GDPR”) introduces specific breach notification obligations for data controllers and processors. CIPL’s comments on the Guidelines commend the Working Party for drawing lessons from the experiences of other jurisdictions where breach notification has been a longstanding requirement. Additionally, CIPL’s comments welcome the discussions surrounding at what point a data controller is deemed to be aware of a personal data breach, as well as the recognition of the need to allow a phased notification of the supervisory authority in some circumstances.

CIPL’s comments, however, also emphasize several key issues that it believes need further clarification. The key recommendations for improving the Guidelines include the following:

Availability Breaches

  • The definition of an “availability breach” used in the Guidelines does not fit the GDPR’s Article 4(12) definition of a “personal data breach.” The Working Party should revise the definition of an “availability breach” in the Guidelines to refer only to a breach in which there is an accidental or unlawful loss or destruction of personal data.

Risk Assessment

  • The Working Party should, when discussing the term “data breach,” distinguish between a personal data breach per Article 4(12) of the GDPR and a “notifiable” personal data breach per Articles 33 and 34.
  • Some of the examples discussed in the section on Risk Assessment fail to include an analysis of both the severity and the likelihood of a breach resulting in a risk to individuals’ rights and freedoms. Several of the breach examples in Annex B should be amended to reflect both aspects of the risk assessment.
  • Data controllers should not be required to continuously reassess the risk posed by a past data breach in light of future technological developments long after the breach occurred. The Guidelines should clarify that such a reassessment need only be undertaken if a major breakthrough occurs immediately or within a short time period after the breach.

Criteria to Consider in Assessing Breach Risk

  • To help supervisory authorities manage the number of breach notifications they receive and to enable them to deal with those reports effectively, a threshold of breach size for internal administrative purposes might be established. The threshold size (e.g., between 250 and 500 individuals) should be consistent across all jurisdictions.
  • The Working Party should also consider setting a threshold for the number of individuals affected by a breach that would trigger the requirement to notify the supervisory authorities, except where the breach poses a high risk to individual rights and freedoms.
  • The imputation that any data breach involving a large number of individuals or special categories of personal data should automatically be deemed to have a likelihood of risk to individuals’ rights and freedoms should be eliminated. The likelihood and severity of the risks should be considered regardless of the number affected or the type of personal data involved.

Timing of Notification

  • The Guidelines should clarify that the 72 hour deadline for notification does not begin until after the data controller has completed an investigation that results in awareness that the incident involved personal data and is likely to result in a risk to individuals’ rights and freedoms.
  • An organization’s decision to hire a forensics firm or engage in a technical investigation does not automatically mean the organization is aware of a notifiable breach.
  • The Working Party should make clear that as part of a phased notification, a data controller may avail itself of a mechanism for keeping reported information confidential until its investigation is complete.

Controller-Processor Responsibilities

  • The description of a data processor’s timeline to notify a data controller about a breach should be changed from “immediate” to “prompt.” Immediate notification is an unclear and unrealistic expectation that could imply that data processors should notify data controllers of any and every security incident, without any prior investigation.
  • The Working Party should clarify that joint data controllers can designate responsibility for notification, or jointly notify the supervisory authority and jointly communicate with affected individuals.

Supervisory Authority to Notify

  • The Guidelines should clarify which supervisory authority should be notified by a data controller that does not have an establishment in the EU, and which authority should be notified by a data controller when a breach affects only individuals not located in the jurisdiction of the data controller’s lead authority.

Methods of Communication to Individuals

  • The potential drawbacks of email and SMS as a sole communication method for notifying individuals about a personal data breach should be highlighted, as these communication channels are fraud-prone.

CIPL’s comments were developed based on input by the private sector participant’s in CIPL’s ongoing GDPR Implementation Project, which includes more than 85 individual private sector organizations. As part of this initiative, CIPL will continue to provide formal input about other GDPR topics the Working Party prioritizes.