This fifth article of our cloud computing and privacy series (links to our previous articles below) addresses the topic of data breach notification requirements. Although these requirements may not necessarily apply directly to Cloud Service Providers ("CSPs"), they ought to be taken into account and assessed by all actors involved in the provision or the use of cloud services in light of existing (but also upcoming) EU and national obligations.
Considering that serious breaches of confidentiality and security often constitute the quickest route through which a company can damage its image and reputation due to adverse press and media publicity, the question of data breach handling is of utmost importance.
More specifically, the notification of breaches follows various purposes, such as:
- Increasing transparency over operational failures;
- Allowing to mitigate damages and further risks;
- Helping stakeholders (including authorities and other companies) to identify the risks and the causes of failure;
- Developing adequate and appropriate responses to minimise future risks.
The present article therefore examines the legal requirements or guidance related to the notification of competent authorities and individuals impacted by serious incidents affecting the confidentiality and security of personal data at EU level and in certain key Member States(1). This article does however not examine in depth any sector-specific requirements, such as may exist in the financial sector or the Payment Card Industry (PCI).
Current strict EU rules applicable to PECS providers
In spite of the importance of breach notification, the Data Protection Directive (95/46/EC) does not provide for an explicit obligation in this respect.
Directive 2002/58/EC, amended by Directive 2009/136/EC (the "ePrivacy Directive"), does however currently provide breach notification obligations for the so-called providers of an electronic communications service ("PECS providers"), e.g. telecommunications companies, internet service providers and email providers. Article 4 provides a defined protocol for the electronic communications sector, as completed by Commission Regulation (EC) 611/2013 of 24 June 2013 (2) (read our latest report on this Regulation here). Since the publication of the Commission Regulation, a common regime applies to PECS providers within the 28 Member States.
More specifically, the ePrivacy Directive defines ‘personal data breach’ as being ”a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community” (article 2(i)).
Such incidents can trigger the following implications:
- In case of a particular risk of a breach of the security of the network, the PECS provider must inform the subscribers concerning such risk, and in certain cases of the possible remedies.
- In the case of a personal data breach the PECS provider shall notify the personal data breach:
- within 24 hours after detection (where feasible), to the competent national authority; and possibly
- without undue delay, to the subscriber or individual, when the personal data breach is likely to adversely affect the privacy of such person. This is not required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures to render the data unintelligible to any person who is not authorised to access it (see also our fourth article on data anonymisation).
Such requirements would only apply in limited circumstances when considering a cloud environment, notably when the CSPs or the client qualifies as a PECS provider pursuant to the applicable Member State legislation transposing the EU PECS provider definition.
It should be noted that ENISA has provided (i) guidelines to National Regulatory Authorities in the framework of Article 13a of Directive 2009/140/EC of 25 November 2009(3); (ii) a general report entitled “Data Breach Notification in the EU”(4) of 13 January 2011; and (iii) a specific report entitled “Cloud Security Incident Reporting - Framework for reporting about major cloud security incidents”(5).
Current and future EU requirements and guidance
In spite of the absence of a general EU rule applicable to all organisations, breach notification is gradually becoming the norm in the EU. Indeed, all kinds of operators are increasingly urged to disclose breaches to the competent authority. The Draft General Data Protection Regulation will in all likelihood introduce a general data breach notification obligation. Furthermore, the draft Cybersecurity Directive also provides for breach notification in the framework of network and information security (NIS) applicable to certain 'market operators' who remain to be defined (see more details in our third article on the security requirements and guidance).
EU guidance by the Working Party
It should also be noted that the Article 29 Working Party (the "Working Party") has adopted on 25 March 2014 Opinion 03/2014 on Personal Data Breach Notification (link). Said Opinion provides guidance to organisations acting as data controllers in order for them to determine, on a case-by-case basis, whether they should notify affected individuals in case of a personal data breach.
In the introductory chapter of the Opinion, the Working Party highlights on the basis of the ePrivacy Directive the notification requirement to (i) the competent national authority, and (ii) the data subject in case the breach is likely to adversely affect his privacy or personal data. The Working Party further recommends controllers to take appropriate technological and organisational measures and to proceed with notification in case they have doubts about the likelihood of the adverse effects on the privacy or personal data of the data subject.
In the second and substantial chapter, the Working Party proposes a list of scenarios where data subjects should be notified. Each scenario is assessed on the basis of the following "classical security criteria":
- Availability breach – accidental or unlawful destruction of data;
- Integrity breach – alteration of personal data;
- Confidentiality breach – unauthorized access to or disclosure of personal data.
In the contemplated practical examples, the Working Party provides the appropriate safeguards that might have been able to reduce the risks and thus to avoid the need to notify the data subject if they had been implemented.
Current national breach notification regimes
In addition to the Working Party's Opinion 03/2014, which anticipates the adoption of a broader obligation of breach notification at EU level, several Member States have adopted measures in order to expand the notification requirement to actors other than PECS providers.
One of the most topical illustrations of the advancement of some Member States over others is the case of Germany, which has introduced since 2009 amendments to the German Federal Data Protection Act, including on data breach notification. Some countries, such as Belgium or the United Kingdom, have adopted non-mandatory general guidance. Others have adopted some limited opinions or requirements applicable to specific sectors.
In Germany, under Section 42a of the German Data Protection Act, the data controller is obliged to notify the Data Protection Authorities (“DPA”) and the individuals affected (alternatively if individual information is not reasonably possible, through a press release/ad in mass media) in specific cases of data breach where the following two cumulative conditions are met(6):
- Particular data are concerned: either (i) sensitive data, or (ii) data effected by professional secrecy, such as health data controlled by doctors, or (iii) data concerning criminal or administrative offenses, or (iv) bank and credit card related data; and
- Material negative consequences for the individual are possible due to the breach.
Data processors are not directly addressed by Section 42a, but are obliged to notify breaches to the controller under the data processing agreements.
In Belgium, the local DPA has published on 21 January 2013 a recommendation addressed to any controller processing personal data, requiring that public incidents (i.e. where a personal data breach results in a public leakage of private data) are notified to the DPA within 48 hours(7). In addition, a public information campaign should be rolled out within 24-48 hours after notifying the DPA.
In the United Kingdom, the Information Commissioner’s Office (“ICO”) published in 2012 guidance on the “Notification of data security breaches to the ICO” (link) and on “Data Security Breach Management” (link).
The ICO acknowledges that there is no legal obligation for data controllers to report breaches of security which result in loss, release or corruption of personal data. The ICO however believes serious breaches should be brought to the attention of the ICO. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under data protection law. Although "serious breaches" are not defined, the guidance identifies three areas to be considered by data controllers when determining whether a breach should be reported:
- The potential detriment to data subjects;
- The volume of personal data lost/released/corrupted; and
- The sensitivity of the data lost/released/corrupted.
The guidance states that all serious breaches should be notified to the ICO using the DPA security breach notification form (link).
In addition to the foregoing, breach notification in the healthcare sector is also addressed in the United Kingdom. The process for reporting Information Governance related Serious Incidents Requiring Investigation (“IG SIRIs”) which occur in health, public health and adult social care services has recently changed. All health service organisations must now use the IG Toolkit Incident Reporting Tool(8). This will report IG SIRIs to the Health and Social Care Information Centre ("HSCIC"), the Department of Health, the ICO and other regulators.
HSCIC published a checklist dated 1 June 2013 for reporting, managing and investigating IG SIRIs. This guidance is supported by the ICO.
Finally, in Italy, provisions have been adopted by the Italian DPA with reference to banks. In particular, at point 5 of resolution 192/2011, in force as from October 2014, the DPA strongly recommends that, without undue delay, banks inform:
- data subjects "of any unlawful processing operations performed by persons in charge of data processing on the personal data relating to them"; and
- the Italian DPA "of appropriate details of any cases where accidental and/or breach of personal data protection have been established - providing such violations are material on account of either the type or amount of the data concerned and/or the number of customers affected – and such violations give rise to the destruction, loss, modification and/or unauthorized disclosure of customers' data"(10).
Moreover, the data controllers in Italy will need to seek compliance with mandatory data breach obligations in force, or coming into force, in other sectors. In particular, a general provision of the Italian DPA dated November 2014 imposed an obligation on the data controllers that process biometric data to notify to the DPA within 24 hours any breach related to the biometric data according to a specific procedure and based on a data breach form made available by the DPA(11).
A draft decree aimed to identify the technical rules for setting up national Electronic Health Records ("HER")(drafted based also on the opinions released by the Italian DPA) also contains an express provision about the obligation for the data controllers to promptly notify the Italian DPA in case of violations related to the data processed under the EHR(12).
The information given in this document concerning technical, legal or professional subject matter is for guidance only and does not constitute legal or professional advice.
This series of articles has been made possible thanks to the CoCo Cloud project (www.coco-cloud.eu) funded under the European Union’s Seventh Framework Programme, and of which Bird & Bird LLP is a partner. Said project aims to establish a platform allowing cloud users to securely and privately share their data in the cloud.
Our last article will address the topic of "legal implications of health data storage".
Read our first article entitled "Cloud computing and privacy series: the general legal framework (part 1 of 6)".
Read our second article entitled "Cloud computing and privacy series: the data protection legal framework (part 2 of 6)".
Read our third article entitled "Cloud computing and privacy series: security requirements and guidance (part 3 of 6)".
Read our fourth article entitled "Cloud computing and privacy series: a legal perspective on data anonymisation (part 4 of 6)".
(1) Our study examined the particularities of national laws on key specific issues in ten selected EU Member States, i.e., Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Poland, Spain and the United Kingdom ("Key Member States").
(2) Commission Regulation (EC) 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications  OJ L173/2 (entered into force in all Member States on 25 August 2013).
(3) See in particular the Marnix Dekker and Christoffer Karsberg ‘Technical guidance on the incident reporting in Article 13a’ (ENISA, November 2013); and Marnix Dekker, Christoffer Karsberg ‘Technical guidance on the security measures in Article 13a’ (ENISA, November 2013).
(4) Andreas Rockelmann, Joshua Budd, Michael Vorisek, ‘Data Breach Notification in the EU’ (ENISA, 13 January 2011) (link).
(5) Marnix Dekker, Dimitra Liveri, Matina Lakka, ‘Cloud Security Incident Reporting - Framework for reporting about major cloud security incidents’ (ENISA, 9 December 2013) (link).
(6) Available in English at <www.gesetze-im-internet.de> (link).
(7) Available at <www.privacycommission.be> (link), available in French and Dutch.
(8) Excluding health service organisations in Scotland, Northern Ireland and Wales.
(9) Published on the Official Gazette on April 4, 2013, which implemented the provisions of the EC Directive 2009/136, available at <www.garanteprivacy.it> (link), available in Italian and English.
(10) Available at <www.garanteprivacy.it> (link), available in Italian and English.
(11) Available at <www.garanteprivacy.it> (link), available only in Italian.
(12) Available at <www.garanteprivacy.it> (link), available only in Italian.