Breach notification / Data protection / Privacy / Privacy impact assessment / Security

‘Nothing is agreed until everything is agreed’… but still a new version of Chapter IV of the proposed General Data Protection Regulation has been released!


The Council of the European Union has agreed on a “partial general approach” when reviewing specific aspects of the proposed General Data Protection Regulation (GDPR) in a note issued on the 3rd of October 2014 for publication in the Council Register. In particular, the note contains a revised version of the draft text of Chapter IV on the roles of data controllers and data processors. Its “partial general approach” is basically a three-pronged approach:

  • “nothing is agreed until everything is agreed”; [future changes to Chapter IV are thus still possible]
  • “it is without prejudice to any horizontal questions;” [future changes to Chapter IV are thus still possible… bis]
  • “it does not mandate the presidency to engage in informal trilogues with the European Parliament on the text” [but hopefully not that many changes will be made!]

The reason stated by the Council for the review of the proposed text in Chapter IV of the GDPR was to find a way to “further reduce the administrative burden/compliance costs flowing from this Regulation by sharpening the risk based approach” [i.e. the message is ‘data controllers – we are trying to be more easy going’!]

As regards the re-drafting of Chapter IV, it is thus interesting to note a few things:

  1. At the initiative of the UK, the threshold for conducting privacy impact assessments and notifying personal data breaches to data subjects has been reformulated, [arguably to clarify the text of the GDPR, as well as to increase the threshold and thereby to reduce the number of impact assessments and notifications]. The new version of Chapter IV speaks about “a high risk for the rights and freedoms of individuals” for both impact assessment and breach notification purposes [see draft Articles 31 to 33], whereas its previous version referred to breaches “adversely affect[ing] the protection of the personal data or privacy of the data subject” and “specific risks to the rights and freedoms of data subjects”. Interestingly though, new draft Recital 60b seems to reintroduce some confusion as it defines a high risk as, “a particular risk of prejudice to the rights and freedoms of individuals”. The 2013 Regulation on measures applicable to the notification of personal data breaches under the E-Privacy Directive (2002/58/EC), concerning mainly Internet service providers, are thus now slightly more demanding (See Articles 2 and 3).
  2. The requirement to consult the supervisory authority prior to the processing seems to echo that of conducting privacy impact assessment. Draft Article 34 provides that there should be consultation when “the processing would result in a high (…) risk in the absence of measures to be taken by the controller to mitigate the risk”.
  3. Notably, when it comes to determining the risk standard at which obligations are imposed upon a data controller established outside of the European Union, the reviewers are a bit more stringent and seem to be concerned by all types of risk. However, draft Article 25 states that there is no obligation to designate in writing a representative in the EU when the processing is “occasional and unlikely to result in a (…) risk for the rights and freedoms of individuals”.
  4. For personal data breaches “likely to result in a high risk for the rights and freedoms of individuals”, the notification to the supervisory authority shall happen within 72 hours (from the time the data controller has become aware of the breach). (See draft Article 31). [Remember that for Internet service providers the regime is slightly different: all personal data breaches must be notified, not later than 24 hours, after the detection of the personal data breach as per the 2013 Regulation].
  5. Under draft Article 33, “The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment …. The supervisory authority shall communicate those lists to the European Data Protection Board”. [What will be the precise effect of this list?] Interestingly, the supervisory authority could also make public a list of the kind of processing operations that do not require an impact assessment.
  6. Codes of conduct have been revived [well, sort of]. See draft Articles 38 and 38a. In particular, supervisory authorities are meant to play a key role as illustrated by the proposed text for Article 38, which states that: “The supervisory authority shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation and shall approve such draft, amended or extended code if it finds that it provides sufficient appropriate safeguards”. Depending upon the scope of the codes of conduct, approvals can take place at the national level but also at the European level. Importantly, codes of conducts may be adhered to by controllers and processors who are not to be subject to the GDPR. The same thing is true for certificates, seals and/or marks.
  7. Under draft Article 35, the appointment of Data Protection Officers is voluntary, unless Member States decide otherwise.
  8. As regards security obligations, the new version of the proposed text (i.e. draft Article 3) still mentions the costs of implementation as a criterion for selecting the appropriate security measure to be implemented in relation to the nature of the data at stake [a very similar formulation is used for the draft text of Article 23 concerning privacy by design]. One should recall the words of the Court of Justice of the European Union in the Digital Rights Ireland case, though, where it stated that “Article 7 of Directive 2006/24, read in conjunction with Article 4(1) of Directive 2002/58 and the second subparagraph of Article 17(1) of Directive 95/46, does not ensure that a particularly high level of protection and security is applied by … providers [of publicly available electronic communications services or of public communications networks] by means of technical and organisational measures, but permits those providers in particular to have regard to economic considerations when determining the level of security which they apply, as regards the costs of implementing security measures”. Therefore, depending upon the nature of the personal data at stake, it may well be that economic considerations should become irrelevant.

A ninth point could have been added to this list and relates to the mention of encryption in draft Article 32 as a means to render personal data unintelligible and thereby relieve the data controller from the obligation to notify personal data breaches to data subjects. At first glance, this mention does not add much as it seems simply to give an example of the techniques likely to be used to render personal data unintelligible. However, one important thing is missing in comparison with the 2013 Regulation: the new draft version of Chapter IV does not specify that the controller must demonstrate to the supervisory authority that it has implemented appropriate technological protection measures and, in particular, that its encryption practices are appropriate. Yet, not all encryption practices are similarly secure and the application of the exemption may have the result that even though the data are not secure, the breach is not disclosed [Peep Beep!]. This is exactly the reason why US breach notification laws have been criticised.

Sophie Stalla-Bourdillon

Leave a Reply