Author: Alexander Dix
- In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
- The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
A. Preliminary remarks
Directly related to the controller’s duty to ensure a level of security appropriate to the risk (Art. 32) are the obligations to notify and to communicate violations of this security (Art. 33 and 34). The Regulation – following the model of provisions in US law on “security breach notifications” or “data breach reporting”[1] and Art. 4 of the Directive on privacy in electronic communications[2] – attributes a considerable incentivising effect to the publicity of security breaches for improved compliance and enforcement, alongside the sanctions for violations of security requirements (Art. 83 para. 4 lit. a). US practice shows the importance of breach notification duties: since 2005 more than 9,000 security breaches concerning more than 11.5 billion data sets have been publicised in US states with breach notification laws. The number of data subjects affected was even higher.[3] At the same time Art. 33 – like Art. 34 – reflects the risk-based approach of the Regulation,[4] which has led to the restriction of the previous obligation under Directive 95/46[5] to notify any data processing (which turned out to be ineffective) to specific security breaches. Articles 33 and 34 provide for a two-tier concept of transparency for data breaches. Not all data breaches which have to be notified to the supervisory authority have to be communicated to the data subject, but all breaches thus communicated have to be notified under Art. 33.[6] An additional indirect level of transparency may be created by individuals requesting access to data breach notifications under national law (→ Art. 86). Articles 33 and 34 provide for legal consequences of data breaches after they have occurred. The need for preventative measures, e.g. against human errors, derives from Art. 25 (“privacy by design and by default”).[7] There are other – partly overlapping – obligations to notify under secondary Union law.[8]
B. Legislative history
Already the Commission proposal of 2012 contained two provisions governing the controller’s duty to notify in case of security breaches. The obligation to notify the supervisory authority was separated from the start from the obligation to communicate to the data subject. The Commission had originally proposed an obligation to notify the supervisory authority of any security breach, even where there was no violation of the data subject’s privacy. If such a violation took place, the breach had to be communicated to the data subject. This two-tier system of obligations to notify and communicate was accepted by the European Parliament. During the trilogue a compromise was reached which kept the two-tier approach but restricted the obligation to notify the supervisory authority to cases where material thresholds were met. This threshold was formulated in a negative manner, so that the obligation to notify under Art. 33 is excluded only when the security breach is unlikely to result in a risk to the rights and freedoms of natural persons. This risk analysis was however not – as proposed by the Council – accompanied by a catalogue of examples.
With respect to the reaction time, the Commission had proposed a notification without undue delay and within 24 hours at most after discovery of the data breach. The Commission took its Regulation 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications as a model.[9] While the European Parliament proposed to drop the maximum time limit, the Council suggested extending it to 72 hours and requiring reasons once this time limit is not met. The compromise was to provide for a notification without undue delay and within 72 hours at most after discovery of the breach; reasons have to be given if this maximum time limit is not met. Directive 680/2016 on data protection in the police and justice sectors contains an equivalent provision in Art. 30, which even contains rules for transborder security breaches.[10]
C. Controller’s obligations to notify the supervisory authority (Art. 33 para. 1)
I. Prerequisites of the obligation to notify (Art. 33 para. 1, 1st sentence)
- “Having become aware” of the breach
An obligation to notify only arises if there has been a personal data breach as defined in Art. 4 No. 12.[11] It is one of the tasks of the European Data Protection Board to develop guidelines, recommendations and best practices for establishing the personal data breaches (Art. 70 para. 1 lit. g). Taking into account Regulation 611/2013 for implementing the E-Privacy Directive,[12] the controller will have to have acquired sufficient awareness that a security incident has occurred which led to personal data being compromised, in order to make a meaningful notification.[13] The controller is not obliged to notify on the mere suspicion that a breach has occurred;[14] his obligation is however triggered as soon as he has information on the type, circumstances and time of the security breach as well as on the categories of data affected by the breach.[15] He does not need to have reliable information on all details enumerated in Art. 33 para. 3 (e.g. the likely consequences of the breach and the measures taken to mitigate them) before he makes his first notification to the supervisory authority. It is sufficient if he has factual grounds to believe that there is a high likelihood of a data breach. Whether the controller considers certain facts to constitute a personal data breach in the sense of Art. 4 No. 12 may only be relevant for determining a sanction under Art. 83 para. 4.
- Addressees of the duty to notify and recipients of the notification
All controllers of personal data within the meaning of Art. 4 No. 7 are obliged to notify. Controllers not established in the Union have the same obligation if the GDPR applies to them (Art. 3 para. 2). They have to notify the supervisory authority in the Member State where the controller’s representative according to Art. 27 is established.[16] The duty to notify under the GDPR differs from the obligation to report under the NIS 2 Directive.[17] This Directive requires only essential and important entities to notify the competent authority of certain incidents, even if no personal data are at stake.[18] The notification is to be given to the competent supervisory authority according to Art. 55.[19] The competent authority is to be determined depending on where the processing of personal data takes place (Recital 122). In cases of transborder processing by non-EU controllers the Article 29 Working Party had recommended a one-stop-shop reporting mechanism whereby the supervisory authority for the establishment of the controller’s representative under Art. 27 is competent to receive notifications.[20] However, the European Data Protection Board has now – at least provisionally – taken the view that, in line with earlier guidelines on the identification of the lead authority, the designation of a representative does not trigger the one-stop-shop system.[21] Should the EDPB, in spite of criticism[22] voiced during the consultation period, finally adopt this stance, non-EU controllers would have to deal with supervisory authorities in all Member States where they are bound by the GDPR under Art. 3 para. 2. If a notification is directed to the wrong (not competent) supervisory authority, the question may arise whether this notification is still in time (→ mn. 13). Joint controllers should determine in their agreements required under Art. 26 the respective compliance requirements under Art. 33 and 34.[23] Processors have a duty to notify the controller of any personal data breaches (→ mn. 12). Moreover, the Article 29 Working Party has recommended that a data protection officer, whether designated under Art. 37 or voluntarily, is promptly informed about the existence of a data breach and is involved throughout the breach management and notification process.[24]
[…]
[1] The first statute of this kind was adopted in 2002 in California and came into force on 1 July 2003, cf. California Civil Code s. 1798.29 and s. 1798.82. 47 US states have adopted equivalent statutes, but there is no federal law yet. For an updated worldwide overview of legislation on this issue see Breach Law Radar, https://www.radarfirst.com/breach-law-library/ (last accessed 11 January 2021); Maurushat, Data Breach Notification Laws Across the World from California to Australia (2009); Westin, Privacy Laws & Business International Newsletter (2007) 87, 22.
[2] Art. 4 of the Directive of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (e-Privacy Directive), last amended by Art. 2 of Directive 2009/136/EC of 25 November 2009, OJ L 337, 1. With respect to the implementation of this Directive cf. the Commission’s Regulation (EU) No. 611/2013 of 24 June 2013 on measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications, OJ L 173, 2. The e-Privacy Directive is to be replaced by a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) according to a proposal by the Commission of 10 January 2017 (COM(2017) 10 final), which shall oblige the providers of electronic communications services, in addition to the duties under the GDPR (cf. Art. 1 para. 3, Art. 4 para. 1 lit. a of the Commission proposal), to inform users about risks to network security and the security of services offered (Art. 17 of the Commission’s proposal).
[3] Cf. www.privacyrights.org/data-breaches, a continuously updated overview (last accessed on 11 January 2021). In the first eight months after the GDPR came into force, European supervisory authorities received 41,502 notifications under Art. 33, European Commission, GDPR in numbers (2019), https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf (last accessed on 11 January 2021); however, these figures may not give a complete picture, since some supervisory authorities in Europe do not make available any information about breach notifications they receive, whereas others publish statistics without identifying the controller, cf. Letter by the EDPB Chair of 23 January 2019 to the Australian Information and Privacy Commissioner, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_response_to_the_australian_information_commissioner_and_privacy_commissioner_en.pdf (last accessed on 11 January 2021). The GDPR is silent on whether breach notifications may be published. Cf. also footnote 46 below.
[4] Martini in Paal/Pauly, Art. 33 mn. 3.
[5] Art. 18; cf. Recital 85 GDPR.
[6] The EDPB has published detailed guidelines with extensive practical examples of cases where notifications and communications may be required and which measures have to be taken to prevent breaches (Guidelines 1/2021, cf. also Guidelines 9/2022).
[7] Cf. International Conference of Data Protection and Privacy Commissioners, Resolution on the role of human errors in data breaches (2019), https://globalprivacyassembly.org/document-archive/adopted-resolutions/ (last accessed 15 January 2021), which also calls for the building of a workplace culture where privacy and personal data security are organisational priorities; EDPB, Guidelines 1/2021, paras. 71 et seq.
[8] Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation); Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive); Directive 2009/136/EC (Citizens Directive); Regulation (EU) 611/2013 (Breach Notification Regulation); Directive (EU) 2015/2366 on payment services in the internal market (PSD2 Directive). Cf. Art. 29 Working Party, WP 250 rev. 01, 28 et seq.
[9] Art. 2 para. 2: “The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible.”
[10] Art. 30 para. 6.
[11] Cf. → Art. 4 mn. 1 et seq.
[12] The Regulation will however be adapted to the proposed E-Privacy Regulation once it comes into force.
[13] Art. 2 para. 2, 2nd sentence Regulation 611/2013.
[14] Recital 8 Regulation 611/2013.
[15] Cf. Marschall, DuD 2015, 183, 186.
[16] Art. 29 Working Party, WP 250 rev. 01, 18.
[17] Directive (EU) 2016/1148 of the European Parliament and the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 1.
[18] Art. 23 NIS 2 Directive.
[19] The original text of the Regulation contained a drafting error (reference to Art. 51) which has been corrected by the Council, Corrigendum of 27.10.2016, 12399/16, Interinstitutional File 2012/0011 (COD).
[20] Article 29 Working Party, WP 250 rev. 01, 17 et seq., endorsed by the EDPB in Endorsement 1/2018.
[21] EDPB, Guidelines 9/2022, para. 73 (for public consultation).
[22] Schmitz-Berndt, EDPL 2022, 517, 519 et seq. illustrates the practical problems of such an approach.
[23] Art. 29 Working Party, WP 250 rev. 01, 13.
[24] Art. 29 Working Party, WP 250 rev. 01, 28.