Data Breach Notification Duties under the GDPR – In the EU everyone will hear you scream

In 1979, Academy Award nominated director Ridley Scott released the critically acclaimed film Alien with the tagline “In space no one can hear you scream”. While the movie dealt with breaches of a very different kind, in the case of personal data breaches “no one can hear you scream” is a rather fitting description of the legal environment and current lack of general breach notification obligations in most member states of the European Union.
 
Actually, of the 28 EU-member states only three – namely Austria, Germany and the Netherlands – currently have data breach notification requirements set forth by law. However, if one was to discount the Netherlands, as they have merely opted to put the notification requirements of the General Data Protection Regulation (“GDPR”) into force sooner by introducing those provisions into their own data protection law, only two member states out of 28 remain. So how did this situation develop and how will it change, especially in Austria, come 25 May 2018 and the enforcement of GDPR?
 
On 23 November 1995, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, colloquially known as Data Protection Directive, was published in the Official Journal of the European Union.
 
This Directive first introduced a common minimum level of data protection to each and every member state of the European Union. One aspect that was missing, however, were rules on whether notifications should be made in case a data breach is discovered; and if yes, to whom. While in a time where the internet and networked environments in general were still in their infancy in Europe, this omission seems understandable. From today’s point of view, and considering that most data breaches are caused from inside a company rather than by e.g. hackers from the outside, it was nevertheless an omission.
 
In 2009, Austria decided to rectify this situation by introducing a general data breach notification duty in Article 24 para. 2a of the Austrian Data Protection Act, which entered into force on 1 January 2010. The first thing that is remarkable about the Austrian notification duty is that, in contrast to the German and Dutch rules, it does not require the national data protection authority to be notified. Rather only the data subject, thus the natural person concerned by the breach, needs to be informed but only if the personal data is “systematically and seriously misused” and if the data subject may suffer damages from such misuse. While this quite unclear wording may already seem suitable to restrict the practical applicability of this provision, there even exists an exception to the notification duty. Namely a notification is not required if the information of the data subject would require an disproportionate effort, taking into consideration that only minor damage to the data subject is likely or the cost of informing all persons concerned.
 
In the original version of this provision, both the two criteria of minor damage and (disproportionately high) notification costs needed to be fulfilled for the exception to apply. However in the course of parliamentary discussions, the “and” was changed to an “or”, thus making the exception extremely broad and the data notification duty almost inapplicable.
 
A step into the direction of a common data breach notification duties in the EU was taken in 2013, albeit the step was a sector-specific-one. Regulation 611/2013 introduced a personal data breach notification duty for providers of publicly available electronic communications services which required them to generally inform the competent national authority and, in severe cases, additionally the subscriber. While Austria transposed this provision into its Telecommunications Act, the data breach notification duty of the Data Protection Act remained unaltered.
 
2016 finally saw the official text of the “Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data”, better known as the General Data Protection Regulation or GDPR, published. In its Articles 33 and 34 the GDPR, similarly to Regulation 611/2013, to contains provisions on when the national data protection authority or, additionally, any concerned person needs to be notified.
 
According to Article 33, the national data protection authority needs to be informed within 72 hours, unless the breach is unlikely to result in a “risk to the rights and freedoms of natural persons”, i.e. where it is unlikely that the abuse of the data will cause damage to the data subject, be it financial or other. This can for instance be the case if the data is encrypted with a secure algorithm. Thus, as a rule, in case of a data breach the authority most likely needs to be notified.
 
Where the notification is not made within the deadline or not all required information can be provided within the same, the notification has to be made in phases and the reasons for the delay need to be stated. While in practice a deadline of 72 hours is rather short for the notification of a data breach, this deadline is nevertheless much longer than the 24 hours set forth by Regulation 611/2013.
 
However even if no data breach notification needs to be made, the controller, thus the person (usually a company) controlling the collection and use of the personal data in question, is still required to document any personal data breaches, including the facts relating to the breach, its effects and the remedial action taken. This documentation then needs to be provided to the national data protection authority upon request.
 
The provision of information to data subjects on a personal data breach is regulated in Article 34 of the GDPR. In addition to informing the data protection authority, the natural persons concerned need to be notified “without undue delay” if the breach is likely to result in a high risk to their rights and freedoms. However, exceptions apply. Therefore notification of the data subjects may be omitted if, i) appropriate protection measures have been applied to the affected personal data; ii) subsequent measures were taken which make a high risk to the rights and freedoms of data subjects unlikely. Should the notification involve disproportionate effort, the notification of the affected persons may, in contrast to the current rule in Austria, not be omitted but can performed by means of public communication or similar measures instead of the individual notification of each affected person.
 
In case of doubt the national data protection authority may decide whether the notification of the data subjects is required or not.
 
All in all, the data breach notification duty of the GDPR will mean a new set of rules the like of which few controllers outside of the telecommunications sector have experienced before. Especially the documentation requirements, which apply irrespective of any actual duty to notify, will place a burden on the controllers and require appropriate organisational measures. On the positive side however, controllers who implement strong security and e.g. encryption measures will benefit from the new notification rules of the GDPR by diminishing the likelihood of them being required to notify the data subjects.
 
Thus even under the broad notification rules of the GDPR, with the proper technical and organisational measures, “In the EU not everyone can hear you scream”.
 
Árpád Geréd
Firm:      Maybach Görg Lenneis Geréd Rechtsanwälte GmbH
Office: Museumstraße 5/14
1070 Vienna
Austria
Tel:         +43 1 997 19 66
Fax:        +43 1 997 19 66 – 100
Email:    a.gered@mglp.eu
 
Árpád Geréd is an international IT-lawyer, founding partner of Viennese business law firm Maybach Görg Lenneis Geréd Rechtsanwälte GmbH and recognised in Who’s Who Legal as one of the leading experts in Austria for Data Protection and Data Security.
 
With a passion for everything related to information technology, Árpád has specialised in consultation in and negotiating of technology-related deals, with a strong focus on Cloud Computing, Cyber Security and Data Protection. In his practice, Árpád combines technological know-how with legal expertise, allowing him to communicate likewise with business- and IT-decision-makers, a skill which his international client value highly.