EU Draft Data Breach, Profiling Guides Released by Privacy Chiefs

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

What companies operating in the European Union should consider about when to notify regulators and individuals about data breaches is the focus on new draft guidance issued Oct. 17 by a group of EU privacy chiefs.

The Article 29 Working Party, which is made up of privacy officials from the 28 EU countries, also Oct. 17 issued draft guidance on requirements for automated data processing that may profile individuals.

Both guidance documents relate to obligations contained in the new EU privacy regime, the General Data Protection Regulation (GDPR), which takes effect in May 2018. The GDPR requires companies that control the collection and use of personal data to notify government authorities within 72 hours of “becoming aware of” a breach that could put individual rights at risk. On profiling, the GDPR sets out when profiling can be done, and gives individuals the right to object to decisions made on an automated basis.

The documents are, in general, comprehensive and clear, Martin Braun, an information technology and data protection partner with WilmerHale in Frankfurt, told Bloomberg BNA Oct. 17. It is likely they will remain largely unchanged after the consultation period, he said. Public comments are due by Nov. 28.

Data Breach Awareness

Failure to notify authorities of a data breach could, under the GDPR, trigger a fine of up to 10 million euros ($11.75 million) or 2 percent of the company’s worldwide revenues.

The guidance is helpful in clarifying that although “all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches” requiring notice to regulators, Carlo Piltz, a privacy attorney with Reuschlaw in Berlin, told Bloomberg BNA Oct. 17

The draft guidance tackles the question of what it means to become “aware” of a breach, thereby triggering the 72 hour notice period. The working party guidance arguably raised the bar by adding that a company which controls the collection and use of data should be considered to become aware of a breach only when it “has a reasonable degree of certainty” that a breach that compromised personal data has occurred, Piltz said.

The GDPR also requires companies that process data notify the data controllers that ordered the processing of data breaches. According to the draft guidance, the controller would be considered to be aware of the breach as soon as the processor’s notice is received, triggering the 72-hour deadline for the controller to notify authorities.

This stipulation “might have significant consequences in practice” because a controller might be forced to notify regulators of a breach before having time to conduct its own investigation, Piltz said.

Profiling, Decision-Making

The draft guidance on profiling sets out an approach to the automated use of personal data by companies to categorize data subjects and to make decisions based on those categorizations.

Under the GDPR, violations of provisions on profiling and automated decision-making could attract a fine of up to 20 million euros ($23.5 million) or 4 percent of the company’s worldwide revenues.

Braun said the difference between profiling and automated decision-making based on profiles can cause confusion, and the Art. 29 guidance “clarifies that they are separate.” The draft guidance clarifies that “profiling is doable,” but with conditions, he said.

Under the GDPR, data subjects have the right to object to decisions taken about them based solely on automated decision-making. For example, a data subject could challenge a decision not to grant the potential buyer a loan if that decision is taken only on the basis of automated credit scoring.

In such situations, the data controller must provide “a simple way” for data subjects to exercise the right to object to automated decision-making and contest the automated decision, according to the draft guidance

“Human intervention is a key element” in any review of automated decisions, and reviews should include “a thorough assessment of all the relevant data, including any additional information provided by the data subject,” according to the draft guidance.

To contact the reporter on this story: Stephen Gardner in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The Art. 29 draft guidance on data breach notifications is available at

The Art. 29 draft guidelines on profiling can be found at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security