ICO raises concerns about data breach notification overload

Out-Law News | 28 Aug 2015 | 2:55 pm | 3 min. read

The UK's data protection watchdog has raised its concerns that it will be swamped with notifications from organisations about minor data breaches as a result of proposed reforms to EU data protection laws.

The Information Commissioner's Office (ICO) said it welcomed proposals outlined by the national governments that make up the EU which would restrict the cases where organisations would be required to notify data protection authorities and consumers of data breaches under the General Data Protection Regulation that EU law makers are currently negotiating.

Under the Council of Ministers' proposals, organisations would be required to notify data protection authorities of personal data breaches they experience where the breach is "likely to result in a high risk for the rights and freedoms of individuals", such as where there is a risk of identify theft or financial loss. Notification would have to be made "without undue delay and, where feasible, not later than 72 hours" after organisations become aware of the breach.

"We are concerned about the possibility of receiving a large number of notifications of trivial or inconsequential data breaches," the ICO said in its paper (9-page /196KB PDF). "Therefore the reference to ‘high-risk’ breaches, and the illustrations of this, is welcome."

The same 'high risk' threshold for data breach notifications would apply to the rules on informing consumers about data breaches involving their data, according to the Council's proposals.

The ICO warned of the unintended consequences that could arise as a result of other proposals made by the Council of Ministers for the draft Regulation.

Under the Council's proposals businesses would have to carry out data protection impact assessments "where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals".

If that assessment confirms that the processing would "result in a high risk" then businesses will face a duty to prior consult with data protection authorities on their plans unless they implement their own measures to "mitigate the risk".

Where consultation occurs and the authorities believe that the proposed processing would not comply with the new Regulation then they would generally have six weeks to give their written advice to the companies and use investigative powers at their disposal, such as to obtain further details of the plans of the company.

The ICO said it welcomed the Council's proposals to restrict the circumstances in which businesses would need to prior consult with it. However, it warned that businesses could nevertheless seek to consult with it because of the potential penalties they could face for not consulting when required to do so.

"It is welcome that organisations will not have to consult the supervisory authority where they have taken risk mitigation measures," the ICO said. "Consultation with the supervisory authority should only be obligatory in exceptional circumstances if at all. We are therefore concerned that a failure to consult the supervisory authority falls within the highest tier of administrative fines. This could have a perverse effect, meaning that data controllers err on the side of caution, consulting the supervisory authority too readily and diverting the supervisory authority’s attention from genuinely risky processing."

The Council has proposed a three-tiered system of financial penalties under the Regulation where the maximum fine that could be levied on businesses for breaching the new EU data protection laws would vary depending on the nature of non-compliance.

Fines would be capped at up to 0.5%, 1% or 2% of a businesses' global annual turnover depending on what type of breach has occurred.

The ICO said, though, that it has concerns over the proposed new sanctions regime.

"The basic three-tier system linked to levels of fine lacks flexibility and space for the exercise of supervisory authority discretion," the ICO said. "We are concerned that within this structure some administrative breaches that could be relatively minor – for example a failure to designate a ‘representative’ – fall within the highest sanction tier. On the other hand some breaches relating to basic individual rights fall within the lowest sanction tier. This does not reflect the adverse impact of the various types of breach on the privacy of individuals – this should be the determining factor. Our preferred approach would be to remove the three tiers and have a single list of breaches that can attract a fine."

Germany's data protection authorities recently outlined their own recommendations on how to reform the EU's data protection law framework.