Article 4(12). GDPR. Definitions


Author: Alexander Dix

For the purposes of this Regulation:

(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

The definition of “personal data breach” is of key importance for the obligations to notify such breaches to supervisory authorities under Art. 33 and to communicate them to data subjects under Art. 34. Not all breaches lead to obligations to notify or communicate, but if there is no personal data breach no such obligation can arise. The European supervisory authorities have defined three categories of personal data breaches: confidentiality breaches, where there is an unauthorised or accidental disclosure of, or access to, personal data; integrity breaches, where there is an unauthorised or accidental alteration of personal data; and availability breaches, where there is an unauthorised or accidental loss of access to, or destruction of, personal data.[1] A breach can concern all or some of these categories at the same time.[2] The European Data Protection Board has illustrated this by extensive Guidelines containing numerous practical examples.[3] Personal data breaches are limited to breaches of technical and organisational security within the meaning of Art. 32 para. 1. Thus the Regulation corresponds with the concept of “data breach notification” or “data security breach reporting” as used in US law,[4] on which other Union law rules on data breach notification have been modelled. Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (e-Privacy Directive)[5] contains an almost identical definition which is limited to “personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”[6]

The term “security” itself has not been defined in the Regulation, but its importance is highlighted in a number of provisions.[7] It is one of the principles of lawful processing that personal data are “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)” (Art. 5 para. 1 lit. f; → Art. 5 mn. 132 et seq.).[8] Art. 32 obliges controllers to ensure a level of security appropriate to the risk for the rights and freedoms of natural persons, including a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (Art. 32 para. 1 lit. d; → Art. 32 mn. 31 et seq.). Although the notion of “security” contains a risk element, the definition in Art. 4 No. 12, in contrast to Art. 5 para. 1 lit. f and Art. 32, does not rely on risk assessment but classifies only those security violations as personal data breaches which lead (“leading”) to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.[9] In a recent Irish case a bank was found to have violated Art. 32 because, due to insufficient technical and organisational measures, financial data on data subjects were altered to become inaccurate and later on shared.[10] Data breaches may still occur even if a risk-adequate level of security according to Art. 32 has been ensured.[11] Risk considerations only come into play under Art. 33 and 34 once a personal data breach within the meaning of Art. 4 No. 12 is established (→ Art. 33 mn. 10 et seq., Art. 34 mn. 4 et seq.).

In practice problems may arise in cases where the controller does not or cannot know whether a personal data breach has occurred. If, e.g., a mobile computer or storage device has been left in a train or bus, it is at first uncertain whether there has been unauthorised access to the stored data. However, there is at least a loss of data if the computer or storage device is not returned or has been forgotten (the latter becoming increasingly likely due to miniaturisation). If the computer or device is returned soon, the controller will have to check whether there are any traces of unauthorised access. Furthermore, in the context of the emerging Internet of Things, connected cars, smart homes or smart grids, it will be necessary to examine whether the greater complexity, and consequently the greater likelihood of security breaches, actually leads to illegal (excessive) data transfers.

Personal data breaches under Art. 4 No. 12 do not include any violation of the Regulation or implementing provisions.[12] The European Parliament proposed to delete the restriction to technical security breaches, which would have led to the inclusion of any unauthorised erasure or disclosure in the concept of personal data breaches. This proposal was, however, not adopted in the Regulation. A personal data breach lies not in any unlawful disclosure of or access to personal data but in security breaches which lead to such instances of disclosure or access. Conversely, a personal data breach under Art. 4 No. 12 does not imply that the controller has violated his duties to provide for confidentiality and integrity. Personal data breaches may occur even if he has taken the required measures under Art. 5 para. 1 lit. f for processing personal data in an appropriately secure manner (e.g., if a member of his staff loses a mobile computer or device or it is stolen).[13] Personal data breaches are not restricted to attacks on the controller’s IT system from an external source; they include insider attacks, e.g., by disgruntled employees.[14]

A personal data breach requires the processing of personal data; the broad definition of Art. 4 No. 1 is referred to. The Regulation does not restrict personal data breaches to specific categories of data the processing of which may cause certain risks. Even trivial data may be the object of personal data breaches. Regardless of the contentious question whether encrypted data are personal data (→ Art. 4 No. 1 mn. 17 et seq.), they can in any event be the object of a personal data breach. If they are disclosed to third persons due to a breach in security, this constitutes a personal data breach. Whether this leads to an obligation to notify the breach to a supervisory authority or to communicate it to data subjects depends on the result of the necessary risk analysis under Art. 33 and 34 (→ Art. 33 mn. 6 et seq., Art. 34 mn. 2 et seq.). For example, depending on the specific method of encryption used, the obligation to communicate the breach to the data subject may under certain circumstances be dispensed with (→ Art. 33 mn. 8, Art. 34 mn. 9).[15] On the other hand, security breaches in the IT infrastructure which do not have consequences for the processing of personal data as described in Art. 4 No. 12 are not personal data breaches, even if they may trigger obligations to notify under other provisions.[16]


[…]


[1] Art 29 Working Party, WP 250 rev. 01, 7 (with practical examples). These Guidelines have been endorsed by the EDPB.

[2] Art 29 Working Party, WP 250 rev. 01, 8.

[3] EDPB, Guidelines 1/2021. The Board identifies eight categories of data breaches: ransomware attacks, data exfiltration attacks, internal human risk source, lost or stolen devices or paper documents, mispostal and social engineering.

[4] Cf. the first statute of 2002 in California, California Civil Code s. 1798.29 and s. 1798.82.

[5] OJ L 201, 31/07/2002, 37 as amended by Directive 2009/136/EC, 25/11/2009, OJ L 337, 11.

[6] Art. 2 lit. h of Directive 2002/58. This Directive is to be replaced by a Regulation as proposed by the Commission on 10 January 2017, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (COM(2017) 10 final). This proposal refers to the definitions of the GDPR (Art. 4 para. 1 lit. a).

[7] Cf. e.g., Recitals 39, 49, 83 et seq.

[8] Art. 5 para. 1 lit. f combines two categories mentioned by the Art. 29 Working Party (see footnote 1) but does not mention availability. The fundamental right to confidentiality and integrity of IT systems was first developed by the German Constitutional Court (Bundesverfassungsgericht) in its judgment of 27 February 2008, 1 BvR 370/07 and 1 BvR 595/07, BVerfGE 120, 274, mn. 160 et seq.

[9] For a broader concept of security breaches de lege ferenda Alunge, IDPL 2021, 15 et seq. (forthcoming).

[10] Bank of Ireland (2022) Data Protection Commission IN 19-9-5. Cf. the comments by Chomczyk Penedo, EDPL 2022, 278 et seq.

[11] Jandt in Kühling/Buchner, DS-GVO, Art. 4 Nr. 12 mn. 6.

[12] See Tosoni, ‘Art 4(12)’ in Kuner/Bygrave/Docksey, C 2; Schild in BeckOK DatenSchutzR, DSGVO Art. 4 mn. 133; Jandt in Kühling/Buchner, DS-GVO, Art. 4 mn. 3.

[13] EDPB, Guidelines 1/2021, paras 85 et seq.

[14] Art. 29 Working Party, WP 250 rev. 01, 7.

[15] EDPB, Guidelines 1/2021, paras 88 et seq.

[16] Cf. e.g., Art. 14 para. 2 of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) or the other provisions of Union law referred to in Art. 33 mn. 1.
