European Data Protection Reform – 24 hour disclosure or undue delay?

If your company touches any Europeans’ data you’d better prepare for what’s coming.

The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.

24 hour disclosure or undue delay?

The new regulation establishes the consumer right to know when their data has been “hacked”. Companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible, if feasible within 24 hours, so that users can take appropriate measures. The initial 24 hour disclosure mandate was then extended by the Parliament to 72 hours. Now the last draft of the regulation doesn’t require the controller to report personal data breaches within 24 hours but rather without undue delay (Art. 31 para. 1.). Likewise, the processor no longer has the obligation to immediately inform the controller of a personal data breach but only to do so without undue delay (Art. 31 para. 2.). This change was absolutely necessary as the prior obligation was not only lacking the flexibility needed but also disproportionate. The new wording seems to sufficiently protect the interest of the data subject concerned.

“It is extremely unlikely that a company is able to analyze the full extent of a data breach and disclose it in 72 hours” adds Balboni, “we need to consider two situations: one is the notification to the data protection authority, and I think that should be done as soon as possible after you know about it. Then, the data controller should have more time to do all the necessary investigations before being obliged to notify the breach to their customers.”

Leupold is confident that the 24 hour disclosure is gone for good: “the people who drafted it finally realized that it’s unrealistic. I don’t think the 24 hours deadline will be reintroduced in the final version. The without undue delay provision is here to stay, really.” Without undue delay is a legal concept that stems from the German term “unverzüglich.” “It means that you’re not hesitating to fulfill your duty to notify a breach, that’s all. Hesitating can mean anything but two to three days at the longest seem fair to me.”

But how do you define a data breach? And how do you know you’ve been breached? According to Leupold, “Most European companies do not have any incident reporting system. They don’t know when a breach occurred. They just don’t get to know it. As long as they don’t know they can’t be subject to a fine of course because they didn’t fulfill their reporting duties.” Also, what if you have a suspicion that a data breach occurred but you can’t be sure? Is that enough to trigger the mandatory disclosure or are you only obliged to report once you know for sure? “This can’t be inferred from the light wording of the regulation Article 31. I’d say whenever you have a suspicion which is not entirely unfounded but it’s reasonable, you should report it”, explains Leupold. “In Europe most companies fall victim of Trojans, malware and similar attacks. And don’t even know. The number of companies not knowing is huge. This is an extremely difficult issue”.

According to Snead “the term “breach” needs to be defined in the contract, meaning that as long as the parties know what a breach means to them, then they can discuss timing and when they need to know. From an enterprise standpoint, negotiating about what a breach is, and then creating a strategy around it, is probably a healthier way to handle this issue than it is to say, “Every single breach has to be notified in X number of hours, or days, or whatever.” That’s the way I tend to approach it in negotiations.”

Next: The enforced Data Privacy Officer – revenue generation for lawyers?

Previous: The 100 million euro fine: outrageous sanctions set a disturbing precedent.

CREDITS

Dr. Andreas Leupold LL.M.

IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.

Munich, Germany

David Snead

Internet Attorney and co-founder of Internet Infrastructure Coalition

Washington D.C. Metro Area

Paolo Balboni

Founding Partner at ICT Legal Consulting

Milan Area, Italy