[this article is based on the draft text published by the European Council on 28th January 2016. Recital and article numbers, at least, will change before the final text]
The final version of the Data Protection Regulation’s breach notification proposals has addressed many of my concerns with the original draft. Rather than applying the same rules to all breaches, notification is now concentrated on those where it will have most benefit: breaches likely to have a serious impact, and those where prompt action by individuals can reduce the likely harm. The timescales for notification are more realistic, though they will still demand a swift and well-organised response from organisations that suffer incidents. Finally, Article 79 gives a hint that reporting breaches and cooperating with the regulator should be recognised in any sanctions that may be applied – a useful incentive.
The Regulation takes a broad view of the harm that may be caused by a breach of information security, recognising the possibility that individuals may suffer “physical, material or moral” damage (recital 67) if their personal data are not taken proper care of. According to Article 4(9) breaches include “accidental or unlawful destruction, loss, alteration”, not just unauthorised disclosure of, or access to, personal data. Breaches that create a “risk for the rights and freedoms of individuals” need to be reported to the regulator “without undue delay” and an explanation must be provided if this takes more than 72 hours from the time the breach was discovered (Article 31). However there is a recognition in Article 31(3a) that it may take longer than this to determine the extent of a breach, so information such as the categories and numbers of affected data subjects and records may be provided in stages. The nature of the breach, likely consequences and steps taken and proposed by the data controller also need to be reported. There is also an explicit requirement on data processors to notify data controllers of any breach they experience (Article 31(2)). Whether or not they are reported, organisations need to keep a record of all breaches affecting personal data and how they responded (Article 31(4)).
Where a breach is likely to create a high risk to individuals – Recital 67a suggests this should be determined in cooperation with the regulator – the affected individuals should also be notified (Article 32). No fixed timescale for this notification is given, though the Recital appears to recognise that notification is more urgent when it will enable individuals to do something to protect themselves. Information about such actions should be included in the notification. For situations where the data controller is unable to contact individuals, or where doing so would require disproportionate effort, Article 32(3)(c) allows a public notice to be used instead.
The new Regulation, like sector-specific provisions in other European laws, is a welcome recognition that, in an environment where all organisations are under attack, notification is best used as a tool to help reduce the number and impact of privacy breaches, rather than to “name-and-shame” organisations that try to help their customers and peers. If punishment is required, that should be done using other powers in the Regulation.