The 24-hour breach notification section of the proposed data protection directive is likely to be pushed back to 72 hours.
According to the first reading document on the “Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, 72 hours is the time within which a breach should be reported.
The document states: “As soon as the controller becomes aware that a personal data breach which may result in physical, material or moral damage has occurred the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 72 hours.”
Where warning a person of the danger a data breach could cause them cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification, it stated.
“The individuals whose rights and freedoms could be severely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions,” it said. “The notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities).”
Speaking to IT Security Guru, Eduardo Ustaran, partner at Hogan Lovells International, confirmed that the proposed change from 24 hours to 72 hours is coming from the Council of the EU, which represents the EU Member States.
He said: “The member states’ Governments seem to have been receptive to the calls from both industry and data protection authorities to extend the deadline for data breach notification. A three-day timeframe is obviously more realistic and in line with what may happen in practice, but in some cases, it may even be too short.”
André Bywater, principal adviser for European Regulatory at Cordery, said that his understanding was that the current EU Council (the 28 EU Member States sitting together) thinking about this was that where there has been a personal data breach which is likely to result in a high risk for the rights and freedoms of individuals, in particular: discrimination, identity theft, fraud, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the data controller must notify the personal data breach to the data protection regulator not later than 72 hours after having become aware of it.
“This notification has to be accompanied by a reasoned justification in cases where it is not made within 72 hours,” he said.
“The language being used here suggests that there will be some discretion on the part of the data controller making the notification as regards determining whether there is a high risk of the nature indicated, but I wonder if in reality there will be much room for manoeuvre. There is apparently also debate within the EU Council about whether the word ‘high’ should appear before the word ‘risk’ or not – this is not a question of semantics but a question of alignment with the EU Privacy Directive.”
He understood it to be in the overall final proposal by the Council concerning its proposed amendments to the EU Data Protection Regulation, but he believed that some EU Member States have reservations about this, so it might not end up in the final Council proposal, or it may end up in a modified form.
Jonathan Armstrong, partner at Cordery, said that in the USA, some states have an even longer timescale for reporting and the clock is not running until law enforcement have given the OK.
“Some US states for example have 45 days after law enforcement have left the scene,” he said. “My worry is that short notice periods give criminals the upper hand, in other words they know within days whether the exploit has been successful and sometimes the report will be more detailed on what they have than they may know.”
Ustaran said that the EU Council is also trying to narrow down the situations where the reporting obligation applies by excluding cases where encrypted data is compromised, or where the risk for the individuals of suffering some kind of loss is not high.
“I think these changes are quite likely to be accepted so compliance with this obligation will become a constant balancing exercise about whether to notify or not. To be honest, that is what happens today already,” he said.