The proposal, contained in new draft data breach notification guidelines, is the latest change in a series of updates to the guidelines on personal data breach notification under GDPR by the European Data Protection Board (EDPB) this year. It is particularly relevant to data controllers or processors that are not established in the EU but nevertheless process EU citizens’ personal data for the purposes of offering goods or services or monitoring their behaviour, and which are therefore under article 3 subject to the GDPR regime.
Under article 27 of the GDPR, those controllers or processors must “designate in writing a representative in the Union”, subject to limited exceptions. Companies that fail to comply with this requirement will be fined by EU data protection regulators.
EDPB’s most recent revision of its guidelines on data breach notification proposes that data breaches can no longer solely be notified to the supervisory authority in the member state of the Article 27 representative.
Under the previous guidelines, a breach notification should be made to the supervisory authority in the EU country where the controller’s representative in the EU is established. The new guidelines take a significant U-turn, stating that the “mere presence of a representative in a member state does not trigger the one-stop-shop system”. Therefore, the breach would need to be notified to the supervisory authority of every single member state in which affected data subjects reside.
The draft revision has attracted criticism from Pinsent Masons’ data law experts, who view the new requirement as ambiguous and contrary to the enhanced cooperation measures announced by the EDPB earlier this year.
“It should be a task of the supervisory authorities to coordinate amongst each other, to identify which of them should receive a notification that was made to the supervisory authority in the ‘centre of gravity’,” said Amsterdam-based Wouter Seinen of Pinsent Masons.
While there are detailed guidelines for controllers and processors that are established in the EU to identify a lead supervisory authority, there is a lack of clarity for companies that are not established within the EU. The revision is in line with existing EDPB guidelines stipulating that the GDPR’s cooperation and consistency mechanisms only apply to controllers with an establishment or establishments within the EEA, as set out in the EDPB’s guidelines for identifying a controller or processor’s lead supervisory authority.
Several recent enforcement cases in the Netherlands against non-EU companies for failure to designate a GDPR representative and failure to report a data breach have already highlighted the importance of businesses complying with the Article 27 requirement and properly assessing whether a data breach is reportable under the GDPR.
The proposed change is likely to drive inconsistency between the notification systems for EU establishments and non-EU establishments respectively, according to Seinen, and to make it more complex for international businesses to navigate their reporting duties and compliance risks under the GDPR.
London-based David McIlwaine of Pinsent Masons said: “It is already very challenging for multinational businesses who suffer a data breach to manage their breach notification duties, as typically a variety of supervisory authorities need to be notified – both national and industry specific regulators. The proposed amendments will add a significant burden on the entity to notify all national data protection authorities where data subjects reside – no matter how few – and all within the stipulated timescales within article 33.”
“It begs the question, what is the benefit when instead one supervisory authority might take a coordination role,” he said.
The EDPB is currently conducting a public consultation on the specific update until 29 November 2022.