Big Data & Issues & Opportunities: Breach-related obligations

By Julien Debussche, Jasmien César, Isis De Moortel, Simon Mortier

02-2019

In this fifth article in our series on "Big Data & Issues & Opportunities" (see our previous article here), we focus on some of the breach-related obligations in a big data context. Where relevant, illustrations from the transport sector will be provided.

In the present article, we will look into the breach-notification obligations under the General Data Protection Regulation ("GDPR")[1] and the Network and Information Security Directive ("NIS Directive")[2]. Subsequently, we will also look into breach notification obligations in the telecommunications sector.

Data breach notification obligation under the GDPR

The breach-related obligations under the GDPR apply whenever personal data is processed (see our second article on Privacy & Data Protection for the definitions of "processing" and "personal data"). Considering that big data analytics in particular may entail massive personal data processing operations, there is little doubt that these GDPR data breach notification obligations will apply to the processing of personal data in a big data context.

The GDPR requires notification to the supervisory authority, without undue delay and in any case within 72 hours, of “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”[3]

It follows from this definition that many types of security incidents will qualify as data breaches within the meaning of the GDPR. It moreover goes without saying that the occurrence of breaches in the context of new technologies, including big data, is not hypothetical. Organisations will therefore have to abide by the strict obligations relating to the notification of such incidents to the appropriate data protection authorities across the EU (as well as, potentially, to other competent authorities across the world in the case of certain large breaches).

The overview underneath sets out, for each duty imposed by the GDPR on the different actors involved, the relevant provision, the timing and the applicable exemption:

Data processor to notify data controller
  • Provision: Article 33(2) GDPR
  • Timing: Without undue delay after becoming aware of the data breach.
  • Exemption: No exemptions mentioned in the GDPR, but the European Data Protection Board is tasked to issue guidelines on the particular circumstances in which a breach shall be notified.

Data controller to notify supervisory authority
  • Provision: Article 33(1) GDPR
  • Timing: Without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach.
  • Exemption: Notification is not required if the breach is unlikely to result in a risk for the rights and freedoms of individuals.

Data controller to notify affected individuals
  • Provision: Article 34 GDPR
  • Timing: Without undue delay.
  • Exemption: Notification is not required if:
    • the breach is unlikely to result in a high risk for the rights and freedoms of individuals; or
    • appropriate technical and organisational protection measures were in place at the time of the incident (e.g. data encryption); or
    • measures have been taken, subsequent to the incident, ensuring that the risk to the rights and freedoms of individuals is unlikely to materialise; or
    • it would trigger disproportionate efforts. However, in this case, a public communication or similar measure to inform the public is required.

It should therefore be recalled that anonymisation techniques, as discussed in our third article, can serve as mechanisms releasing data controllers from certain specific obligations related to personal data breaches, i.e.:

  • Notification of a personal data breach to the supervisory authority is not required when the data controller is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.[4] Although the GDPR is not explicit on this point, it could reasonably be argued that a breach of anonymised or pseudonymised data is less likely, or even unlikely, to result in a risk to the rights and freedoms of natural persons.[5]
  • Communication of a personal data breach to the data subject shall not be required if the controller has implemented appropriate technical and organisational protection measures, which were applied to the personal data affected by the breach.[6] The GDPR indeed mentions in particular "those [measures] that render the personal data unintelligible to any person who is not authorised to access it, such as encryption."

Illustration in the transport sector: In 2016, two individuals accessed user data stored on a third-party cloud-based service used by Uber. Although the incident did not breach Uber's corporate systems or infrastructure, the hackers obtained over 600,000 U.S. driver’s license numbers as well as data of approximately 57 million Uber users from around the world, including names, email addresses and phone numbers.

As reported by the Financial Times: “Instead of disclosing the incident when it was discovered, senior executives decided to pay a ransom of $100,000 to delete the stolen data.” Hence, Uber had not notified the breach to any authority around the world; its CEO only informed the public of the breach in November 2017. This led Uber Technologies Inc. to pay $148 million in the U.S. to settle claims related to this large-scale data breach.

In the EU, the Article 29 Working Party established a taskforce on the Uber data breach case. This taskforce, led by the Dutch DPA, is composed of representatives from the French, Italian, Spanish, Belgian and German DPAs as well as from the ICO.

The Dutch DPA imposed, on 27 November, a fine of EUR 600,000 on Uber B.V. and Uber Technologies, Inc. (UTI) for breaching the data breach reporting obligation.

The abovementioned incident is just one example illustrating the considerable risk data breaches can pose for organisations, including big data service providers, as well as their potential impact and the consequences in case a personal data breach is not adequately notified.

Incident notification obligation under the NIS Directive

Under the NIS Directive (see also our previous article here), operators of essential services ("OES") and digital service providers ("DSPs") must notify the National Competent Authority ("NCA") or the Computer Security Incident Response Team ("CSIRT") without undue delay of incidents having a significant impact on the continuity or provision of their services.[7]

On the basis of the NIS Directive, the factors to be considered when determining whether the impact of an incident is significant are the following:

Operators of essential services:
  • the number of users affected by the incident;
  • the duration of the incident; and
  • the geographical spread of the incident.[8]

Digital service providers:
  • the number of users affected by the incident;
  • the duration of the incident;
  • the geographical spread of the incident;
  • the extent of the disruption of the service; and
  • the extent of the impact on economic and societal activities.[9]

Given its nature as a directive, the NIS Directive is not directly applicable in the EU Member States but needs to be implemented in the legal order of each Member State. It can therefore be expected that the implementation of the security incident notification obligations will differ between the EU Member States, including as regards the concrete application of the above factors.

This being said, in addition to the above general rules included in the NIS Directive, the following clarification documents have been published at EU level:

  • With respect to operators of essential services:

    • “Reference document on Incident Notification for Operators of Essential Services – Circumstances of notification”[10], published by the NIS Cooperation Group in February 2018.[11] Such document details the incident notification scheme for OES but also the parameters used to measure the impact of incidents. It also examines the intricacies of cross-border situations and the interplay of the NIS Directive with notification requirements in other legislations (including the GDPR).

    • “Reference document on Incident Notification for Operators of Essential Services – Formats and procedures”[12], published by the NIS Cooperation Group in May 2018.[13] Such document provides (non-binding) guidance to national competent authorities and CSIRTs with regard to formats and procedures for the notification of incidents by OES, to facilitate alignment in the implementation of the NIS Directive across the EU.

  • With respect to digital service providers:

    • Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of the [NIS Directive] as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.[14] Such document notably clarifies four situations in which digital service providers are required to notify the relevant national competent authority or CSIRT, namely: (i) if the digital service is unavailable for more than 5 million user-hours in the EU; (ii) if more than 100,000 users in the Union are impacted by a disruption; (iii) if the incident has created a risk to public safety, public security or of loss of life; (iv) if the incident has caused material damage of more than €1 million.

    • “Guidelines on notification of Digital Service Providers incidents – Formats and procedures”, published by the NIS Cooperation Group in June 2018. Such document provides non-binding technical guidance to national competent authorities and CSIRTs with regard to formats and procedures for the notification of incidents by DSPs, to facilitate alignment in the implementation of the NIS Directive across the EU.

    • “Incident notification for DSPs in the context of the NIS Directive”[15] report published by ENISA on 27 February 2017. Such report includes a comprehensive guideline on how to implement incident notification for DSPs.

Furthermore, some complex situations involving DSPs and OES may arise and require putting in place adequate (contractual) mechanisms. For instance, in case an operator of essential services depends on a digital service provider for the provision of such essential services, any significant impact on the continuity of those services due to an incident affecting the digital service provider must be notified by that operator.[16] The NIS Directive remains however silent as to whether, in such circumstances, the digital service provider is obliged to notify such incident to the operator of essential services. It is therefore to be expected (and highly recommended) that the operator of essential services would require such notification by the digital service provider contractually.

Finally, it is worth noting that the notified NCA or CSIRT shall inform the other Member States affected.[17] In such case, the NCA, the CSIRT and the single point of contact shall ensure that the service provider's security and commercial interests are safeguarded and that the information provided remains confidential. The NCA or CSIRT may also decide, after consulting the notifying operator, to inform the public, where such public awareness would be necessary to prevent or manage an incident.[18]

Essential or digital service providers that do not comply with the security incident notifications laid down by the national provisions adopted pursuant to the NIS Directive may be subject to a penalty, which is to be determined by each EU Member State at national level. Pursuant to Article 21 of the NIS Directive, such penalty must be effective, proportionate and dissuasive.

Breach notification obligations in the telecommunications sector

The Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector[19] (the “e-Privacy Directive”) was the first EU-wide legislative instrument to impose data breach notification obligations. Pursuant to the Directive, publicly available electronic communication service providers (hereinafter “PECS providers”) must, if they suffer a breach of security that leads to personal data being lost or stolen, inform the national authority and, in certain cases, the subscriber or individual.[20]

Regulation 611/2013 on the measures applicable to the notification of personal data breaches (the “Data Breach Notification Regulation”) lays down the circumstances in which PECS providers must notify personal data breaches, the format of such notification and the procedure to follow.[21] Taking into account its nature as a Regulation, the Data Breach Notification Regulation has direct effect in all EU Member States, rendering any national implementation measures unnecessary.[22]

The e-Privacy Directive is currently being reviewed in the framework of the EU Digital Single Market strategy. In this respect, the EU Commission held a public consultation, the report of which was made available in August 2016.[23] In its 'Opinion 03/2016 on the evaluation and review of the ePrivacy Directive', the Article 29 Working Party notably recommended removing the provisions relating to breach notification from the e-Privacy Directive given their “overlap” with the breach notification obligations under the GDPR (see above).[24] On 10 January 2017, the EU institutions adopted a draft e-Privacy Regulation, which would be directly applicable in all EU Member States.[25] The latest version of the draft does not contain a data breach notification obligation as such, which is justified by the fact that the GDPR will apply to PECS providers.[26]

Conclusion

In recent years, the EU has made significant progress in terms of cybersecurity and related incident notification requirements. While it started with specific and scattered initiatives in certain sectors (e.g. telecommunications), the EU legal landscape has evolved, notably due to the Cyber Security Strategy and the NIS Directive.

It follows that organisations facing a security incident may need to notify such incident to one or more national competent authorities. Whether the authorities must be informed will however depend on the criteria laid down in the applicable legislation, as clarified by the guidance documents published at EU and national level. Accordingly, the various actors of the data value chain need to implement measures, procedures and policies in order to abide by the strict notification requirements and be prepared to provide the necessary information to the authorities, all within the imposed deadlines. Such requirements will also need to be adequately reflected in the various contracts between the stakeholders involved in the chain in order to adequately address any incident that may occur.

Our next article will address the supply of digital content and services in the context of big data, with illustrations drawn from the transport sector.

This series of articles has been made possible by the LeMO Project (www.lemo-h2020.eu), of which Bird & Bird LLP is a partner. The LeMO project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 770038.

This article on (cyber-)security has also been made possible by the THREAT-ARREST Project (www.threat-arrest.eu), of which Bird & Bird LLP is a partner. The THREAT-ARREST Project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 786890.

The information given in this document concerning technical, legal or professional subject matter is for guidance only and does not constitute legal or professional advice.

The content of this article reflects only the authors’ views. The European Commission and Innovation and Networks Executive Agency (INEA) are not responsible for any use that may be made of the information it contains.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119.

[2] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [2016] OJ L 194.

[3] Articles 4(12) and 33 GDPR.

[4] GDPR, art 33(1) and Recital 85.

[5] Such reasoning is also supported by the Article 29 Working Party's Opinion on Personal Data Breach Notification and Guidelines on Personal data breach notification under the GDPR, pursuant to which appropriate measures, such as encryption with confidentiality of the key, may reduce the residual privacy risks on the data subject to a negligible level. In addition, the Working Party recognises the utility of appropriately implemented pseudonymisation to reduce the likelihood of identification of individuals in case of a data breach, but stresses that pseudonymisation techniques as such are not sufficient to render data unintelligible (Article 29 Data Protection Working Party, 'Guidelines on Personal data breach notification under Regulation 2016/679' (2018) WP250rev.01, 25).

[6] GDPR, art 34(3)(a).

[7] NIS Directive, arts 14(3) and 16(3). Essential or digital service providers that do not comply with the security incident notifications laid down by the national provisions adopted pursuant to the NIS Directive may be subject to a penalty, which is to be determined by each EU Member State at national level. Pursuant to Article 21 of the NIS Directive, such penalty must be effective, proportionate and dissuasive.

[8] NIS Directive, art 14(4).

[9] NIS Directive, art 16(4).

[10] NIS Cooperation Group, 'Reference Document on Incident Notification for Operators of Essential Services. Circumstances of Notification' (European Commission 2018) <http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=53644> accessed 17 October 2018.

[11] The NIS Cooperation Group is established by the NIS Directive and started its work in February 2017. It gathers national competent authorities responsible for cybersecurity and is composed of representatives of Member States, the European Commission, and ENISA. The NIS Cooperation Group facilitates the dialogue between different bodies responsible for cybersecurity in the EU. It represents a shared space where common cybersecurity challenges are discussed and coordinated policy measures are agreed upon.

[12] NIS Cooperation Group, 'Guidelines on Notification of Operators of Essential Services Incidents. Formats and Procedures' (European Commission 2018) <http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=53677> accessed 17 October 2018.

[13] See footnote 11 above.

[14] Commission Implementing Regulation (EU) 2018/151 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact [2018] OJ L 26/48.

[15] European Union Agency for Network and Information Security, 'Incident Notification for DSPs in the Context of the NIS Directive. A Comprehensive Guideline on How to Implement Incident Notification for Digital Service Providers, in the Context of the NIS Directive' (ENISA 2017) <https://www.enisa.europa.eu/publications/incident-notification-for-dsps-in-the-context-of-the-nis-directive> accessed 17 October 2018.

[16] NIS Directive, art 16(5).

[17] NIS Directive, arts 14(5) and 16(6).

[18] NIS Directive, arts 14(6) and 16(7).

[19] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201.

[20] e-Privacy Directive, art 4(3).

[21] Commission Regulation (EU) 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications [2013] OJ L 173/2.

[22] Davinia Brennan, 'New Rules on Breach Notification by Telecoms and ISPs – Clarity at Last?' (2013) 14(1) P & DP 4.

[23] Summary report available online at <https://ec.europa.eu/digital-single-market/en/news/summary-report-public-consultation-evaluation-and-review-eprivacy-directive> accessed 15 January 2019.

[24] Article 29 Data Protection Working Party, ‘Opinion 03/2016 on the evaluation and review of the ePrivacy Directive’ (2016) WP 240, 19.

[25] Commission, 'Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC' (Regulation on Privacy and Electronic Communications), COM (2017) 10 final.

[26] Whereas GDPR focuses on general uses of personal data, the upcoming e-Privacy Regulation will supplement the GDPR with additional rules targeted at electronic communications services, the use of cookies, online behavioural advertising, direct marketing and machine-to-machine communications.
