Article 29 Working Party Issues Opinion on Personal Data Breach Notification

On March 25, 2014, the Article 29 Working Party adopted Opinion 03/2014 (the “Opinion”) providing guidance on whether individuals should be notified in case of a data breach.

The Opinion goes beyond considering the notification obligations contained in the e-Privacy Directive 2002/58/EC, which requires telecommunications service providers to notify the competent national authority of all data breaches. The Directive also requires notification (without undue delay) to the affected individuals when the data breach is likely to adversely affect the personal data or privacy of individuals, unless the service provider has satisfactorily demonstrated that it has implemented appropriate technological safeguards that render the relevant data unintelligible to unauthorized parties and that these measures were applied to the data concerned by the security breach.

Adding to the general notification obligation under the proposed EU General Data Protection Regulation (the “Proposed Regulation”), the Opinion provides a non-exhaustive list of examples of data breaches from multiple sectors, where individuals should be notified. In each case, the Opinion also gives examples of technical measures that could have prevented a notification obligation had they been in place prior to the data breach.

The Opinion lists examples of cases where notification to the affected individuals would not be required, such as a confidentiality breach that concerns only data encrypted with a state-of-the-art algorithm, or data that is salted/keyed and hashed with a state-of-the-art hash function (assuming none of the relevant keys and salts are compromised). The Opinion also discusses various considerations companies face when assessing whether or not to notify affected individuals, emphasizing the need to factor in likely secondary adverse effects on the individuals and indicating that companies should notify even if only one individual is affected.

According to the Opinion, providing notification in the example cases constitutes a good practice pending the adoption of the Proposed Regulation. The European Parliament recently formally adopted the compromise text of the Proposed Regulation. The next steps for the Proposed Regulation are for the EU Council of Ministers to formulate a position and for trilateral negotiations between the European Commission, Parliament and Council to begin.
