On December 1, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Personal Data Breach Notification (the “Guidelines”). The Guidelines were adopted by the Working Party on October 3, 2017, for public consultation.
The EU General Data Protection Regulation (“GDPR”) introduces specific breach notification obligations for data controllers and processors. CIPL’s comments on the Guidelines commend the Working Party for drawing lessons from the experiences of other jurisdictions where breach notification has been a longstanding requirement. Additionally, CIPL’s comments welcome the discussions surrounding at what point a data controller is deemed to be aware of a personal data breach, as well as the recognition of the need to allow a phased notification of the supervisory authority in some circumstances.
CIPL’s comments, however, also emphasize several key issues that it believes need further clarification. The key recommendations for improving the Guidelines include the following:
Availability Breaches
- The definition of an “availability breach” used in the Guidelines does not fit the GDPR’s Article 4(12) definition of a “personal data breach.” The Working Party should revise the definition of an “availability breach” in the Guidelines to refer only to a breach in which there is an accidental or unlawful loss or destruction of personal data.
Risk Assessment
- The Working Party should, when discussing the term “data breach,” distinguish between a personal data breach per Article 4(12) of the GDPR and a “notifiable” personal data breach per Articles 33 and 34.
- Some of the examples discussed in the section on Risk Assessment fail to include an analysis of both the severity and the likelihood of a breach resulting in a risk to individuals’ rights and freedoms. Several of the breach examples in Annex B should be amended to reflect both aspects of the risk assessment.
- Data controllers should not be required to continuously reassess the risk posed by a past data breach in light of future technological developments long after the breach occurred. The Guidelines should clarify that such a reassessment need only be undertaken if a major breakthrough occurs immediately or within a short time period after the breach.
Criteria to Consider in Assessing Breach Risk
- To help supervisory authorities manage the number of breach notifications they receive and to enable them to deal with those reports effectively, a threshold of breach size for internal administrative purposes might be established. The threshold size (e.g., between 250 and 500 individuals) should be consistent across all jurisdictions.
- The Working Party should also consider setting a threshold for the number of individuals affected by a breach that would trigger the requirement to notify the supervisory authorities, except where the breach poses a high risk to individual rights and freedoms.
- The imputation that any data breach involving a large number of individuals or special categories of personal data should automatically be deemed to have a likelihood of risk to individuals’ rights and freedoms should be eliminated. The likelihood and severity of the risks should be considered regardless of the number affected or the type of personal data involved.
Timing of Notification
- The Guidelines should clarify that the 72-hour deadline for notification does not begin until after the data controller has completed an investigation that results in awareness that the incident involved personal data and is likely to result in a risk to individuals’ rights and freedoms.
- An organization’s decision to hire a forensics firm or engage in a technical investigation does not automatically mean the organization is aware of a notifiable breach.
- The Working Party should make clear that as part of a phased notification, a data controller may avail itself of a mechanism for keeping reported information confidential until its investigation is complete.
Controller-Processor Responsibilities
- The description of a data processor’s timeline to notify a data controller about a breach should be changed from “immediate” to “prompt.” Immediate notification is an unclear and unrealistic expectation that could imply that data processors should notify data controllers of any and every security incident, without any prior investigation.
- The Working Party should clarify that joint data controllers can designate responsibility for notification, or jointly notify the supervisory authority and jointly communicate with affected individuals.
Supervisory Authority to Notify
- The Guidelines should clarify which supervisory authority should be notified by a data controller that does not have an establishment in the EU, and which authority should be notified by a data controller when a breach affects only individuals not located in the jurisdiction of the data controller’s lead authority.
Methods of Communication to Individuals
- The potential drawbacks of email and SMS as a sole communication method for notifying individuals about a personal data breach should be highlighted, as these communication channels are fraud-prone.
CIPL’s comments were developed based on input from the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 85 individual private sector organizations. As part of this initiative, CIPL will continue to provide formal input on other GDPR topics the Working Party prioritizes.