Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
What companies operating in the European Union should consider about when to notify regulators and individuals about data breaches is the focus on new draft guidance issued Oct. 17 by a group of EU privacy chiefs.
The Article 29 Working Party, which is made up of privacy officials from the 28 EU countries, also Oct. 17 issued draft guidance on requirements for automated data processing that may profile individuals.
Both guidance documents relate to obligations contained in the new EU privacy regime, the General Data Protection Regulation (GDPR), which takes effect in May 2018. The GDPR requires companies that control the collection and use of personal data to notify government authorities within 72 hours of “becoming aware of” a breach that could put individual rights at risk. On profiling, the GDPR sets out when profiling can be done, and gives individuals the right to object to decisions made on an automated basis.
The documents are, in general, comprehensive and clear, Martin Braun, an information technology and data protection partner with WilmerHale in Frankfurt, told Bloomberg BNA Oct. 17. It is likely they will remain largely unchanged after the consultation period, he said. Public comments are due by Nov. 28.
Failure to notify authorities of a data breach could, under the GDPR, trigger a fine of up to 10 million euros ($11.75 million) or 2 percent of the company’s worldwide revenues.
The guidance is helpful in clarifying that although “all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches” requiring notice to regulators, Carlo Piltz, a privacy attorney with Reuschlaw in Berlin, told Bloomberg BNA Oct. 17.
The draft guidance tackles the question of what it means to become “aware” of a breach, thereby triggering the 72-hour notice period. The working party guidance arguably raised the bar by adding that a company which controls the collection and use of data should be considered to become aware of a breach only when it “has a reasonable degree of certainty” that a breach that compromised personal data has occurred, Piltz said.
The GDPR also requires companies that process data to notify the data controllers that ordered the processing of any data breaches. According to the draft guidance, the controller would be considered to be aware of the breach as soon as the processor’s notice is received, triggering the 72-hour deadline for the controller to notify authorities.
This stipulation “might have significant consequences in practice” because a controller might be forced to notify regulators of a breach before having time to conduct its own investigation, Piltz said.
The draft guidance on profiling sets out an approach to the automated use of personal data by companies to categorize data subjects and to make decisions based on those categorizations.
Under the GDPR, violations of provisions on profiling and automated decision-making could attract a fine of up to 20 million euros ($23.5 million) or 4 percent of the company’s worldwide revenues.
Braun said the difference between profiling and automated decision-making based on profiles can cause confusion, and the Art. 29 guidance “clarifies that they are separate.” The draft guidance clarifies that “profiling is doable,” but with conditions, he said.
Under the GDPR, data subjects have the right to object to decisions taken about them based solely on automated decision-making. For example, a data subject could challenge a decision not to grant them a loan if that decision is taken only on the basis of automated credit scoring.
In such situations, the data controller must provide “a simple way” for data subjects to exercise the right to object to automated decision-making and contest the automated decision, according to the draft guidance.
“Human intervention is a key element” in any review of automated decisions, and reviews should include “a thorough assessment of all the relevant data, including any additional information provided by the data subject,” according to the draft guidance.
To contact the reporter on this story: Stephen Gardner in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.