Since 25 May 2018, controllers experiencing a personal data breach must, as a general rule, notify it to the competent supervisory authority. Not every breach requires notification: a breach that is unlikely to result in a risk to the rights and freedoms of natural persons need not be notified. Where such a risk exists, the controller must notify the breach to the supervisory authority; where the risk is high, the controller must additionally communicate the breach to the natural persons concerned.
Under Article 4(12) of the General Data Protection Regulation (GDPR), a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This covers both accidental/unintentional and wilful/intentional breaches. It also means that a breach is about more than losing personal data: a loss of availability, i.e. the controller being unable to access the personal data it processes (for example because the data have been encrypted by ransomware), also constitutes a data breach. Under Article 33 GDPR, the controller must notify the breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it; where the notification is made later than that, it must be accompanied by the reasons for the delay. Failure to meet the obligation to notify can lead to significant administrative fines being imposed on the controller (up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher).
However, in addition to (and separately from) the duty to notify and communicate breaches under the GDPR, controllers should also be aware of other security incident notification requirements under associated legislation that may apply to them because of the nature of their business (e.g. telecommunications providers, trust service providers, operators of essential services or digital service providers).
These may vary country by country, but at EU level the incident-reporting obligations stem from the following interrelated instruments:
- Directive EU 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”)
If you are an operator of essential services (a provider of services that are essential for the maintenance of critical societal or economic activities, in sectors such as energy, transport, banking, financial market infrastructure, health, drinking water supply and digital infrastructure) or a digital service provider (an online marketplace, online search engine or cloud computing service), you should be aware of your incident-reporting obligations under the NIS Directive. According to Articles 14 and 16 of the NIS Directive, operators of essential services and digital service providers must notify their competent authority or CSIRT, without undue delay, of any incident having a significant (for operators of essential services) or substantial (for digital service providers) impact on the services they provide. Since such incidents frequently involve the compromise of personal data (see recital 63 of the NIS Directive), an incident that also meets the GDPR definition of a personal data breach and poses a risk to data subjects will additionally trigger the duty to notify the relevant supervisory authority under the GDPR, in addition to (and separately from) the incident notification required under the NIS Directive.
- Directive 2009/140/EC of the European Parliament and of the Council amending Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services, Directive 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and Directive 2002/20/EC on the authorisation of electronic communications networks and services (the “Telecom Framework Directive”)
If you are an undertaking providing public communications networks or a provider of publicly available electronic communications services, you are subject to the reporting obligations of the Telecom Framework Directive, which deals in particular with the prevention of outages and service disruptions (i.e. the availability of the service). According to Article 13a (inserted into Directive 2002/21/EC by Directive 2009/140/EC), undertakings providing public communications networks or publicly available electronic communications services must notify their competent national regulatory authority of any breach of security or loss of integrity that has had a significant impact on the operation of networks or services. The same reporting obligation is carried over into the new framework, the Directive establishing the European Electronic Communications Code, which will repeal the Telecom Framework Directive and which is due to be formally adopted by the Council of the European Union on 3 December 2018, leaving the member states two years to transpose it into national legislation. Moreover, providers of publicly available electronic communications services must notify any personal data breach to the competent national authority (and, in certain cases, also to the subscribers and individuals concerned), as provided under Commission Regulation (EU) No 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (the “Breach Notification Regulation”).
What is crucial is that, under the Breach Notification Regulation, the initial notification must be made, where feasible, no later than 24 hours after the detection of the personal data breach, i.e. within a shorter window than under the GDPR (72 hours). The Breach Notification Regulation provides for a two-step process: where not all details can be provided in the initial notification, a full notification must follow, no later than three days after the initial one. The detailed contents of the notification to the competent national authority are specified in the annexes to the Breach Notification Regulation and include in particular:
- Name of the service provider
- Name and contact details of the data protection officer or other contact point where more information can be obtained
- Whether it is an initial notification or a full notification
- Date and time of the breach (or an estimate) and the date and time of detection
- Circumstances of the breach (e.g. theft, loss, copying)
- Nature and content of the personal data concerned
- Technical and organisational measures applied (or to be applied) to the affected personal data
- Relevant use of other providers (where applicable)
Since regulations are directly applicable throughout the EU without national transposition, the contents of the notification to be provided to the authorities are the same in all member states. Some national regulators provide secure web forms for providers to notify breaches (e.g. the ICO’s PECR security breach notification form or the Polish Personal Data Protection Office data breach form).
- Regulation EU 910/2014 on electronic identification and trust services for electronic transactions in the internal market (the “eIDAS Regulation”)
If you are a trust service provider, be aware of the notification duties under the eIDAS Regulation. Article 19(2) requires trust service providers to notify their supervisory body (and, where applicable, other relevant bodies such as the national data protection authority) of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein, without undue delay but in any event within 24 hours after having become aware of it. Where the breach is likely to adversely affect a natural or legal person to whom the trust service has been provided, the trust service provider must also notify that person. Where such a breach is also a personal data breach as defined under the GDPR, the trust service provider must additionally notify the relevant supervisory authority under the GDPR. Overlaps between the eIDAS Regulation and the NIS Directive in terms of incident notification are not excluded either.
- Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (the “PSD2 Directive”)
If you are a payment service provider, you fall under the incident-reporting regime of the PSD2 Directive. Under Article 96 of the PSD2 Directive, in the case of a major operational or security incident (defined in the EBA Guidelines on major incident reporting under PSD2 as a singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services), payment service providers must notify the competent authority in their home member state without undue delay. The EBA Guidelines specify that the initial report must be sent within 4 hours from the moment the major incident was first detected, a significantly shorter deadline than the 24-hour and 72-hour deadlines under the eIDAS Regulation and the GDPR respectively. Where the incident has or may have an impact on the financial interests of payment service users, the payment service provider must also inform its payment service users of the incident and of all measures they can take to mitigate its adverse effects.
Since the incident-reporting obligations under the PSD2 Directive are without prejudice to incident-reporting obligations laid down in other legal acts, the same incident may trigger notification requirements to different authorities under different pieces of legislation. This is all the more likely because, in practice, data breaches accompany almost every major incident, particularly in industries where the provision of the service is strictly digital (e.g. finance, cloud or online marketplaces).
Irrespective of the above, controllers should also be aware of any recommendations issued under the relevant industry codes of conduct or other sector-specific notification obligations that they may be subject to under other applicable regimes.
Creating a single common notification platform at national level, acting as a clearinghouse through which the different authorities could share information about incidents, would certainly reduce the burden for both the authorities and the operators themselves and should therefore be considered for the next European Commission Annual Work Programme.
Note also that national transpositions of the NIS Directive may set their own, shorter deadlines. For example, in Poland, the Act of 5 July 2018 on the national cybersecurity system (which implements the NIS Directive in Poland) requires operators of essential services and digital service providers to report incidents to the relevant national CSIRT (CSIRT NASK, CSIRT GOV or CSIRT MON) without undue delay and no later than 24 hours from detection.