Out-Law / Your Daily Need-To-Know


Businesses should not need to publicise personal data breaches if data is encrypted, say EU ministers

Businesses should not need to notify consumers that their personal data has been lost or stolen if the data has been encrypted, EU ministers have said.

Ministers in the Justice and Home Affairs Committee of the EU's Council of Ministers backed the plans as part of a wider partial agreement reached last week on reforms to EU data protection laws (44-page / 491KB PDF).

The Committee met in Luxembourg to discuss the draft General Data Protection Regulation. The ministers agreed on wording for Chapter IV of the draft Regulation, which includes new rules on personal data breach notifications that organisations operating in the EU will have to adhere to. Agreement on other parts of the draft Regulation has still to be reached, and the Chapter IV provisions were agreed only in line with the principle that "nothing is agreed until everything is agreed", the Council of Ministers said.

Under their proposals, organisations would generally have 72 hours to notify regulators once they become aware that they have suffered a personal data breach that "may result in physical, material or moral damage" to individuals. Damage of this kind could range from identity theft or fraud, to damage to their reputation, loss of control over their personal data or a loss of confidentiality of data protected by professional secrecy, according to the ministers' plans.

"The agreement in principle of a materiality threshold for data breaches is a good step forward," said data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com. "Data controllers should be actively preparing for the significant shift in business practice implied by a data breach notification regime; for example, they should be rehearsing their incident response procedures."

Under the ministers' plans, organisations would also face a new obligation to inform consumers "whose rights and freedoms could be severely affected" by a personal data breach of such an incident "without undue delay". However, the ministers backed plans which would absolve organisations of this duty to notify individuals about a personal data breach where they have put in place "appropriate technological protection measures" to protect the data that has been lost or stolen from being accessed by people not authorised to see it.

"Such technological protection measures should include those that render the data unintelligible to any person who is not authorised to access it, in particular by encrypting the personal data," the ministers' proposals said.

The ministers also backed plans to require businesses developing new products and services that involve personal data processing to ensure that "technical and organisational measures" are used to ensure the data processing activities are carried out in line with the new data protection laws.

Businesses using new technologies or otherwise planning to engage in personal data processing which is "likely to result in a high risk for the rights and freedoms of individuals" would be required to carry out a data protection impact assessment (DPIA) before progressing with their processing, under the ministers' proposals.

According to the document containing the ministers' plans, the UK had said that businesses should not face an obligation to carry out a DPIA unless "there is an identified high risk to the rights of data subjects". 

However, activities such as processing of health data or personal data that could be used for profiling, as well as cases where there are plans to process large volumes of personal data, are cited within the ministers' plans as examples of where businesses could have to carry out a DPIA. In some cases, businesses would be required to consult with regulators on their plans for processing 'high risk' data.

Businesses based outside the EU but involved in the processing of EU citizens' personal data would also be required to appoint an EU-based representative to engage with regulators and citizens on data protection matters on their behalf, under the plans. Only if the processing is "occasional and unlikely to result in a risk for the rights and freedoms of individuals" or is undertaken by a public body would non-EU based organisations avoid this requirement.

The ministers' proposals would also place restrictions on which data processors businesses would be permitted to contract with, and outline the oversight that data processors should give data controllers over sub-contracting arrangements.

The plans, if introduced, would recognise pseudonymisation as a measure which could be implemented by businesses to meet their obligations on personal data security.

In June, the Council's Justice and Home Affairs Committee reached agreement on rules governing data transfers and on the territorial scope of the planned new Regulation. Again, agreement was based on the principle that "nothing is agreed until everything is agreed". The Committee has yet to reach consensus on a number of other aspects of the planned reforms, including on the precise framework for regulating data protection under the new legal framework.

Only once the Council of Ministers has reached a consensus on the whole of the draft General Data Protection Regulation will it open negotiations on finalising the new framework with the European Parliament and European Commission. The initial draft Regulation was published by the Commission in January 2012. The Parliament reached a consensus on an amended version of the Commission's proposals earlier this year.

Political leaders last year committed to finalising the data protection reforms "by 2015", with pressure from some EU officials to conclude negotiations on the issue before the summer of next year.
