GDPR trilogues are underway…where do the three institutions stand on data security and data breach?

Claire Walker

The second trilogue negotiation is, according to this previously released (unofficial) timetable for completion, scheduled for today, 14 July. This second meeting will focus on territorial scope (Article 3) and international transfers (Chapter V). For Datonomy readers with the stamina to read it, Statewatch has leaked this 682-page document, dated 8 July but not yet uploaded to the Council's website. It is a line-by-line table comparing the Commission's, the EP's and the Council's respective negotiating positions on the whole Regulation.

The issues of data security, data breach notification and processor obligations, contained in Chapter IV of the draft, are not due to be negotiated until September according to the same unofficial timetable. Although there are differences of detail between the institutions' positions, this is one of the less contentious aspects of the Regulation, and the leaked document contains no surprises on security and breach notification: the relative positions have been known for some time.

The differences between the three institutions' texts are highly detailed. On security and breach notification, however, some broad generalisations can be made. For example:

  • Article 30 (security of processing): the Commission proposed a high-level principle of "appropriate technical and organisational measures", with the detail left to Commission "delegated acts" to fill in. The EP's approach to appropriate measures is for the controller and the processor to take into account the results of an impact assessment, and for a security policy covering five minimum issues; the EP also adds a list of nine specific issues to be covered in a risk analysis. The Council takes yet another approach, less prescriptive than the EP's but more risk-based, reflecting the nature and context of the processing and the risk to individuals from a breach. Both the EP and the Council reject the concept of Commission delegated acts to flesh out detailed security standards, but the EP would instead give responsibility for detailed security guidelines to the EDPS.
  • Article 31 (breach notification to the regulator): both the EP and the Council adopt a more realistic stance on notification than the Commission's original 24-hour target. The EP's stance is the most flexible (notification "without undue delay", with explicit provision for phased notification), while the Council proposes a 72-hour target (again with phased notification possible) but imposes a higher threshold for the breaches that must be notified: those likely to result in a high risk to individuals, for example discrimination, identity theft or fraud, financial loss, reputational damage and certain other types of loss. The EP also proposes that a public register of the types of breaches notified should be kept.
  • Article 32 (communication to the data subject): of the three institutions, the Council's text sets the highest threshold for notifying individuals. The Commission would require notification where the breach is "likely to adversely affect" the protection of personal data or privacy; the EP adopts a similar test (adding adverse impact on the individual's rights or legitimate interests); the Council would require the much higher threshold of a high risk of the types of loss that, under its Article 31, trigger notification to the regulator. Again, the Commission proposes Commission delegated acts to set out detailed criteria for the threshold for individual notifications; the EP would instead leave such guidance to the EDPS; and the Council would avoid the need for delegated acts or guidance by setting out the higher threshold in the Regulation itself.

It will be interesting to see where the negotiations on Chapter IV end up. This is one of the least controversial parts of a highly controversial proposal, and there is much common ground between the three institutions despite the nuances in the three texts. Datonomy hopes that the EU will help businesses by adopting a risk-based approach that avoids disproportionate notification burdens which do nothing to serve consumers' interests.
