EU Regulation Breach Notice Provisions Pose Problems


By Stephen Gardner

Feb. 16 — Data breach notification provisions contained in the forthcoming European Union General Data Protection Regulation (GDPR) were drafted to minimize burdens on companies but may still test small companies or those that operate only in jurisdictions without similar obligations, industry professionals told Bloomberg BNA.


Article 31 of the GDPR, whose text has been agreed but not yet formally adopted by EU lawmakers, requires controllers to notify the competent data protection authority of a personal data breach “where feasible” within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to data subjects' rights and freedoms.

Additionally, data processors must inform controllers of breaches “without undue delay,” and where a breach is likely to result in a “high risk” to individuals, controllers must also inform the affected data subjects without undue delay, according to the GDPR.

Under the tiered sanctions introduced by the GDPR, noncompliance with the data breach reporting provisions could cost a company up to 10 million euros (slightly more than $11 million) or 2 percent of its annual worldwide turnover, whichever is higher.

EU negotiators Dec. 15, 2015 concluded nearly four years of talks on the final text of the GDPR. The European Commission, the EU's executive arm, proposed the GDPR in January 2012 to replace the EU's now 20-year-old Data Protection Directive (95/46/EC).

Peter Van Dyck, a senior associate with Allen & Overy LLP in Brussels, said that although guidance will be needed on precise issues such as the definition of “high risk,” the regulation's provisions on data breaches would allow companies sufficient leeway to investigate incidents and notify DPAs as appropriate.

Although “72 hours is not a whole lot of time to investigate what happened,” the GDPR took a “practical, pragmatic approach” to data breach notification, Van Dyck said.

The obligation to report serious breaches within the time limit “where feasible,” would “give companies a good argument” if more time was needed to investigate the impacts of a breach before a decision could be taken on how to respond, he said.

Rules Replace Current Patchwork

The rules will harmonize the current varying requirements in EU countries on data breach notification.

For example, data breach notification is mandatory in Germany and the Netherlands, but in France and the U.K., there are no legal requirements for companies to report data breaches. In Belgium, there is no legal obligation, but the Belgian Privacy Commission strongly recommends notification.

Meanwhile, under the EU e-Privacy Directive (2002/58/EC), as amended in 2009, which applies EU data privacy principles to the electronic communications sector, providers of publicly available electronic communications services are already required to notify personal data breaches.

The EU Network and Information Security (NIS) Directive, a new law that is awaiting formal adoption, will also introduce an incident notification requirement for operators in sectors considered critical and for certain digital service providers. The directive will cover online marketplaces, search engines and cloud computing services, but would exclude from its scope social networks, such as Facebook Inc.

Nothing New for Multinationals

For multinational companies, existing data breach notification requirements in some jurisdictions mean that adaptation to an EU-wide requirement should be straightforward.

Sue Foster, a member at Mintz Levin LLP in London, noted that multinationals are “attuned” to breach notice obligations and processes as 47 of 50 U.S. states have breach notification laws and there have been many high profile breaches in the U.S.

The provisions in the GDPR “reflect best practices” and are part of “a global movement towards respecting the rights of data subjects by making sure they are informed properly,” if their privacy might be compromised, she said.

Marcin Lewoszewski, a senior associate with CMS Cameron McKenna LLP in Warsaw, said that “we can expect that most multinationals have already implemented data breach policies or are in the process of implementing such policies.”

Nevertheless, companies should view the implementation of the GDPR, including the breach requirements, as “a new, challenging project,” and should “as always in such cases, create a comprehensive implementation plan and dedicated task force,” Lewoszewski said.

Learning from the French Orange Breach

The recent experience of telephone and Internet services operator Orange SA in France could serve as a warning that even multinationals should ensure that they have the right processes in place to handle breach incidents.

In 2014, the French DPA (CNIL) found against Orange for security failings in an e-mail marketing operation that led to the leak of about 1.3 million customers' personal data. Orange appealed CNIL's finding, but France's highest administrative court, the Council of State, rejected the appeal Dec. 30, 2015.

Ariane Mole, a partner with Bird & Bird in Paris, said that Orange had failed to comply with “exactly the requirements that appear in the GDPR,” and that both CNIL and France's Council of State examined the case largely in line with what enforcement practice is expected to be under the GDPR.

However, in the Orange case, “CNIL did not have the ability to impose a fine. But of course that's going to change,” Mole said.

Orange had been required to report the breach to CNIL under France's implementation of the e-Privacy Directive, but because France doesn't have other breach notification requirements, for most companies in France, referring a case to CNIL “is not in the law and it's not in the habits,” she said.

In jurisdictions that don't now have privacy breach reporting requirements, “the vast majority of companies in my view are not prepared” for their new obligations under the forthcoming EU data protection regulation, Mole said.

Risks for Small Companies

Small companies in particular may face difficulties in adapting to the GDPR obligations.

Stuart Buglass, a vice president at consultant company Radius, said that the GDPR's breach notice mandate is accompanied by other provisions setting out obligations on data controllers and processors, such as requirements to carry out privacy impact assessments and to appoint data protection officers (DPOs).

However, unless data processing is core to their business, or unless they engage in high-risk processing, smaller companies don't have to carry out privacy impact assessments or appoint DPOs.

But the breach notice requirements don't exempt small companies, and some small companies may therefore be exposed “indirectly” to the need to have extensive safeguards in place, Buglass said.

Small companies involved in processing “will really need to have someone who is in control,” and “would need to have documentary evidence to defend their position,” in case of a data breach brought to the attention of a DPA, Buglass said.

One vulnerable group could be small, high-tech companies, such as application developers, that extensively use social media and permit flexible working and bring-your-own-device schemes. Such companies could potentially face breaches of sensitive data but be poorly equipped to deal with them, Buglass said.

“The big companies may already have systems in place,” but small companies “really are light on internal controls,” in the face of potential privacy breach notification obligations, he said.

Guidance Crucial to Avoid Problems

Much will depend on future guidance from the new European Data Protection Board (EDPB) on how the privacy breach reporting requirements should be implemented. Once the GDPR takes effect at the end of its two-year transition period, the EDPB will replace the Article 29 Working Party, which brings together the data protection authorities of the 28 EU member states.

Razvan Antemir, director of government affairs with the European eCommerce and Omni-Channel Trade Association, which represents online vendors, said “the question is what triggers the need to notify. Consumers and authorities should definitely be informed, but companies should have a chance to understand what happened.”

Sometimes “it can take weeks or months to get at the root of a breach,” and companies would be wary of reporting to DPAs too early in case of false alarms, he added.

Foster said there was a risk that the privacy breach notification requirements could lead companies to “over disclose” data leaks. “They will have a fear of not disclosing because of the incredibly high fines,” she said.

Controller-Processor Relationships

Guidance will also be needed on controller-processor relationships, because the GDPR requires controllers to ensure the security of processing by processors, and creates an obligation for processors to notify controllers of data breaches.

Lewoszewski said that “due diligence will be one of the most challenging and resource-intensive tasks for data controllers.”

“Most businesses operating internationally use hundreds of data processing services from various vendors, such as payroll, data storage, analytical, marketing, accounting and other purposes.” The GDPR's security requirements would likely lead to “higher costs of data processing services,” Lewoszewski said.

Guidance on privacy breach notification obligations is unlikely before 2017, however. The Article 29 Working Party has said that during 2016, its priorities will be guidance on the data portability right introduced by the GDPR, and on controller obligations, including privacy impact assessments and the appointment of data protection officers.

Van Dyck said that guidance on breach reporting was “apparently not part of the priority issues.”

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at