EU rules on breach notification


This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

What is the current state of play on breach notification proposals in Europe - and what impact will the recent European Parliament elections, and changes to the Commission later this year, have on the outlook for their adoption?

Overview of current and future EU rules

There are three sets of current and future rules to be aware of:

  • Data breach notification rules for the electronic communications sector, which have been in force since 2003 and 2013.
  • Proposed data breach notification rules for all data controllers under the draft General Data Protection Regulation ("GDPR").
  • Proposed cyber breach notification rules for critical infrastructure providers under the draft Network and Information Security Directive ("NISD").

The timetable and eventual shape of the latter two proposals remain difficult to predict in the wake of the recent "European Earthquake". We recap the status and scope of each proposal in more detail below.

In force - obligations for communications service providers

Communications service providers ("CSPs") are already subject to a twofold obligation which derives from the 2002 PEC Directive and which was recently expanded upon in Regulation 611/2013. This regime obliges CSPs to:

  • report all data breaches to the regulator within 24 hours; and
  • notify the data subject "without undue delay" when the breach is "likely to adversely affect the personal data or privacy" of that individual.

EU regulators recently published detailed guidance on when the obligation to notify individuals will be triggered - see our coverage here and our overview of the regime for CSPs here. This regime provides the model for universal notification obligations under the GDPR - see below.

On the horizon - universal notification under the GDPR

The introduction of similar obligations on all data controllers, regardless of sector, to notify regulators and individuals of breaches involving personal data is proposed under the EU's draft GDPR. The latest text of the GDPR proposes that notification of breaches to regulators take place "without undue delay" - in contrast to the draconian 24 hour deadline originally proposed in the Commission's first draft.

Universal notification is one of the less controversial aspects of this wide-ranging reform; however, the introduction of notification rules will depend on the speed of adoption of the reform package as a whole. At the time of writing, the draft Regulation has passed a significant milestone, namely approval by an overwhelming majority of the European Parliament at first reading in March 2014, but (despite the Commission's claims to the contrary) its progress is far from irreversible. The Regulation still needs to clear a number of significant hurdles before it is adopted. These are:

  • agreement by the Council of a common position - there is division within the Council (i.e. between Member States) on a number of major points of principle, including the red-tape burden on businesses in general, the extent of delegated and implementing acts (powers reserved to the Commission to flesh out the detail of the rules) and the impact on the public sector; and
  • agreement between the Council, the European Parliament and the Commission on the final text - and again there is division between the institutions on a number of principles.

All of the above is further complicated by the newly elected (and noticeably more Eurosceptic) Parliament, which could take a different stance on the draft approved by the previous Parliament, and changes to the make-up of the new Commission, which will take office in November. The very earliest the GDPR could be adopted would be the first quarter of 2015, and then take effect in Member States in 2017 - assuming it remains a Regulation and not a Directive, as some Member States would prefer. Another change on the horizon which could impact the political momentum of the proposal is the handover on 30 June of the Council Presidency from Greece to Italy.

You can find the EU's official procedure file for the proposal here.

In terms of immediate next steps, the Commissioner responsible for the proposal, Vice President Viviane Reding, tweeted that "data protection will be high on the agenda of the Justice Council on 6 June and at the EU-U.S. Justice and Home Affairs Ministerial on 25 June." See this article.

Also on the horizon - notification for critical infrastructure providers under the NISD

In parallel to the data breach notification proposals under the GDPR are proposals on the mandatory reporting of a wider category of cyber attacks, under the draft Network and Information Security Directive ("NISD", also referred to as the Cybersecurity Directive). The NISD has been scaled back to apply only to providers of critical infrastructure, and not to e-commerce platforms and social networks (as was originally proposed). See our coverage of the Commission's original 2013 proposal here.

Like the GDPR, the draft Directive was adopted by the European Parliament at first reading in March 2014. The next step is for the Council to adopt its common position, and again, consensus will need to be reached between all three institutions. As with the draft GDPR, it is possible that the newly elected Parliament may want to revisit the draft, despite the vote by its predecessors. Once adopted at EU level, because it is a Directive and not a Regulation, its measures will need to be transposed into national law by each Member State.

The official procedure file is available here.

Again, the timetable and prognosis for the NISD are unclear. The next important step is a discussion at the Transport, Telecommunications and Energy Council on 5/6 June, which is a step towards a full Council common position.

Comment

The dust is still settling from the Parliamentary "Eurosceptic earthquake", and further changes will follow in the form of a newly constituted Commission in the autumn. It was widely expected that the political extremes would make gains in the new Parliament; what is not yet clear is just how much this will impede agreement between the three institutions on these particular proposals. So the game of legislative "wait and see" on these formal notification regimes continues - but in the meantime, businesses still need to prepare a plan of action for alerting regulators and individuals, and for limiting damage, in the event of a serious breach.