There are certainly many headline-grabbing elements in the European Commission’s proposed Data Protection Regulation – a directly applicable regulation replacing local implementation of a European Directive, which imposes fines of up to 2% of offending organisations’ global turnover and a significant extension of the law’s territorial scope.
Equally attention-grabbing is the requirement for mandatory security breach notifications. These are required to be made to the relevant data protection authority and, in certain cases, to the individuals whose information has been lost or accessed. But this had been a long-expected addition to the European data protection regime – indeed, a very similar obligation already applies to telecommunications companies thanks to relatively recent amendments to the e-Privacy Directive.
Instead, what has caught the imagination of privacy professionals and IT chiefs is the timeframes that are to apply.
To refresh memories, the proposed Regulation requires security breaches to be reported to the relevant data protection authority (DPA) without undue delay and, where feasible, not later than 24 hours. Notification to affected individuals is similarly to be made without undue delay, although this will only be required where there is an adverse effect on the individual’s personal data or privacy. (As an aside, it is worth considering whether any organisation would be brave enough to argue that customer records left behind on a train, for example, do not constitute a “security breach” – but perhaps that is a discussion for another time.)
The proposed Regulation’s position is a significant scaling back from that revealed in a leaked previous draft of the Regulation – this simply required notification to the DPA and individuals within 24 hours. No test of feasibility. Certainly the latest position will allay some of the concerns of in-house privacy lawyers and their IT counterparts, but it raises the question of whether reference to a specific timeframe is of any benefit at all.
Much concern about the original 24-hour notice period surrounded the feasibility of an organisation establishing sufficient information to enable it to make the required notifications. What information has been lost or accessed? Which individuals were affected? How has the breach occurred, and what remedial steps should the organisation take, both on a technical and on a customer relationship level? Even for the slickest of organisations, 24 hours for this process seemed a real challenge.
It would appear that the ‘feasibility’ test has been introduced to deal with this concern. Presumably, organisations would be able to justify a delay beyond 24 hours on the basis of an insufficient amount of information being available to permit a reasonably informed notification being made. Indeed, they will need to do so in writing, as the proposed Regulation requires notifications made beyond 24 hours to be accompanied by ‘reasoned justification’ for the delay.
But if this will be the approach, why require the 24-hour period at all? On this basis, it seems inevitable that almost all organisations would be able to construct a justification for delay in almost all data breach scenarios. This would render the 24-hour period meaningless, and simply lead to an unhelpful administrative burden requiring a justification to accompany all data breach notifications.
Or will the data protection authorities adopt the approach that the ‘insufficient information’ justification is not good enough, and require notification within 24 hours other than in exceptional circumstances? Aside from the obvious operational strains this would introduce, this would surely reduce notifications to a simple ‘box-ticking’ exercise, greatly reducing the value of breach notification beyond, perhaps, easily identifying to the authorities the worst offenders. But given the lack of any de minimis threshold below which breaches need not be notified, authorities should expect to be inundated with notifications large and small, sensitive and trivial.
Or, could the worst case scenario arise, where varying approaches to this issue are adopted by DPAs across Europe?
There would appear two obvious solutions: (i) remove any reference to a specific timeframe and, as is tradition in data protection law, place the emphasis on the data controller; or (ii) introduce a more realistic timeframe and permit only very specific exemptions from meeting it.
Will either such approach be adopted? Or will the political desire for reference to a strict, and potentially unworkable, 24-hour period to be included win out? I know which outcome my money would be on.