Bad news about GDPR breach reporting?

Viewpoints
April 12, 2023

I have good news and bad news.

The good news is that, following criticism of the European Data Protection Board's proposal to require non-EU based organisations to notify data breaches in every EU country where affected individuals reside, it was hoped that the EDPB (the body comprised of the EU's national GDPR regulators) would reconsider its position.

The bad news is that, last week, the EDPB finalised its guidelines on personal data breach notification — and kept the controversial reporting requirement.

I wrote on this topic when the draft guidelines were released, and my view hasn't changed: this will likely result in under-reporting by non-EU businesses, which surely cuts against what the requirement seeks to achieve.  We'll discuss that in more detail later, but first let's look at the key paragraphs of the finalised guidelines (available here).

  • Paragraph 72: “Where a controller not established in the EU is subject to Article 3(2) or Article 3(3) GDPR and experiences a breach, it is therefore still bound by the notification obligations under Articles 33 and 34 GDPR.  Article 27 GDPR requires a controller (and a processor) to designate a representative in the EU where Article 3(2) GDPR applies.”
  • Paragraph 73: “However, the mere presence of a representative in a Member State does not trigger the one-stop shop system.  For this reason the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State.  This (These) notification(s) shall be the responsibility of the controller.”

Notifying a single regulator within 72 hours of becoming aware of a breach is no easy task.  Indeed, in most cases it’s one of numerous and competing tasks facing the business in that initial post-breach period — patching security, communicating with clients, ransom negotiation, and so on.  That’s not to say that complying with laws should always be easy, particularly in the scenario where personal data have been compromised.  But this feels like the type of policy that doesn’t reflect the real world, at least in its current form.

Anyone who has reported a breach to multiple European regulators knows that each authority’s template is different.  Often the differences are small, but that’s not always the case.  Would it not be a better solution to introduce a single form that can be used for regulators across the bloc?  

Similarly, if 95% of affected data subjects are located in France, and 1% in each of Spain, Italy, Austria, Portugal and Poland, would it not make sense for the controller to report to the CNIL (and the authority where its representative is based), which can decide whether additional notifications are required?

The GDPR’s one-stop shop has become a source of tension among European regulators and legislators, who now increasingly air their grievances about the system in public.  While it’s true that the representative of a non-EU based organisation does not act in the same way as a lead supervisory authority, I’m not sure that multiple DPAs having claim to the same breach will result in a better or more efficient system for regulators and businesses alike.  In fact, I’m sure that it won’t.

What that might lead to is foreign organisations reporting only to the regulator in the country where most individuals are affected and hoping that the breach is closed down without further correspondence.  Or if they don’t have a representative in place they might not report at all, calculating that European regulators are generally unwilling to enforce the GDPR on an extra-territorial basis.  And for those organisations that do report (and to be clear, my advice is that the guidance should be followed), things will be a lot harder going forward.

I don’t want to end on a downer, so here’s a possible silver lining.  Footnote 37 of the guidelines acknowledges that a representative can “be involved in the notification process if this has been explicitly stated in the written mandate”.

Organisations that have engaged an EU representative in line with Art. 27 of the GDPR should now check what their contracts say, if anything, about the representative’s role in breach notification as they may be required — or willing — to make multiple notifications.  That won’t take all of the burden from the controller, but in cases like these every little helps.