Fresh Data Blog
EU Data Privacy Series #3: New Proposed Rules on Data Breaches
Date: August 2013
We continue our series on the European Data Protection Regulation currently under
debate in the European Parliament and expected to be adopted in 2014. Today we
focus on two critical subjects treated by the Regulation. They will be
unfortunately familiar to our U.S. readers: security breaches, the scope of the
data covered, and your obligations when a breach occurs.
First, let’s recall that even American businesses with no physical presence in Europe,
but which handle Europeans’ personal information, are required to comply with this
proposed law. It reads in part:
“The processing of personal data of
data subjects residing in the Union by a controller [such as your company] not established in the Union should be
subject to this Regulation where the processing activities are related to
the offering of goods or services to such data subjects, or to the monitoring
of the behaviour of such data subjects.”
In short, if your company, in the course of its business, acquires personal
information of Europeans in connection with making commercial offers to them, or
if your activities involve monitoring their behavior, such as tracking their online
activity or acquiring other data for profiling, you are subject to the
Regulation. For example, if you are a U.S. hotel chain or car rental company
with no physical presence in Europe, but you collect data on Europeans
through their doing business with you in the U.S., through their browsing behavior
online, or through data trades with other companies, and that data capture “relates
to offering goods and services”, you are subject to the law.
The complexities of this requirement will be difficult to work
out. For example, would a domestic-only U.S. airline which does no marketing or
business in Europe be subject to this statute simply because it carries
Europeans from New York to Albany and Boston? Or would it be subject only if
the data were used to make offers to those passengers? What if it made
offers to them only while they were in the U.S.?
It seems unlikely that Parliament intends this result in the
latter case, especially since a U.S. law could equally be
interpreted against a European company doing the same thing in Europe to an
Like U.S. law, the Regulation requires you to take certain steps when you detect that
your security has been breached and personal data may have been compromised or
stolen; the Regulation, however, imposes far more demanding burdens on you than
U.S. law does.
As with U.S. law, there is a notification requirement in the case of a data breach,
but what constitutes a “personal data breach” is defined much more broadly in the
Regulation, making a notification event far more likely. The Regulation
defines a personal data breach as “any breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorized disclosure
of, or access to personal data”. This definition is very broad. The grandfather
of the U.S. laws on this subject, drafted in California, defines a breach
essentially as the unauthorized acquisition of personal information, not its loss,
destruction, or alteration.
Second, the definition of “personal data” in the Regulation is much broader than in
most U.S. legislation, being “any information relating to a data subject.” Most
U.S. legislation focuses on the disclosure of specified data elements, such as name,
social security number, and financial or health information. The Regulation instead intends to cover “any
data of or pertaining to an identifiable person”, not just credit card
information or banking and medical records. A customer’s purchase history with a
company, the football games a season-ticket holder attended, and even the
names of a football club’s fans would all be data whose loss triggers a
notification obligation, as would the disclosure of an email address or phone number.
Third, the rules regarding your responsibilities for disclosure and notice are much more
rigorous than in the U.S. For example, the controller (your company) must
notify the breach to the appropriate supervisory authority in
the country you have selected to “be domiciled in” within 24 hours, where feasible.
This is an extremely short period in which to notify management and the
appropriate executives, to seek legal and technical advice, and to draw up and
present the response plan called for by the law. One wonders what purpose is
served by such a short deadline, given that the supervisory authorities themselves
have no time-sensitive statutory functions in these circumstances.
In addition, if the breach is “likely to
adversely affect the protection of the personal data or the privacy of the data
subject,” the company must notify the data subjects themselves “without undue
delay” after having notified the Supervisory Authority. The form of that notice
may apparently also be dictated by the Supervisory Authority.
Finally, if your data is maintained by a processor such as Data Services, Inc., then as
controller under the Regulation you will bear certain responsibilities for your
agreements with Data Services regarding security and processing. Data Services, Inc. is
registered under the Direct Marketing Association Safe Harbor Program and is
thus qualified to act under the Regulation as currently formulated.