Out-Law News

Data breach notification rules should only apply where individuals are 'severely affected', say EU Ministers


Businesses should only have to report that they have experienced a personal data breach in cases where it is likely that individuals' rights and freedoms have been "severely affected" by such a breach, EU Ministers have proposed.

The Working Party on Information Exchange and Data Protection (DAPIX), set up within the structures of the EU's Council of Ministers, said, though, that there are circumstances in which even data breaches likely to 'severely affect' individuals should not have to be reported.

Under the European Commission's original proposals for a new EU General Data Protection Regulation, businesses would generally have been required to report all personal data breaches to regulators "without undue delay" and, if possible, within 24 hours of becoming aware of them. Companies would also have had to notify the individuals concerned, without undue delay, of any breach likely to adversely affect them, under the Commission's plans.

However, the Commission's data breach notification proposals have faced criticism and now a leaked DAPIX paper, published by the Amberhawk data protection blog, has indicated that the notification requirements could be watered down.

Under DAPIX's proposals only personal data breaches "likely to severely affect the rights and freedoms of data subjects" would need to be reported to either regulators or individuals. Notifications to regulators would have to be made "without undue delay and, where feasible, not later than 72 hours after having become aware of it", whilst notifications to individuals would have to be made simply "without undue delay".

However, DAPIX said that companies should not be required to notify individuals about breaches at all if they have "implemented appropriate technological protection measures" that were "applied to the data affected" by a breach so that the information is rendered "unintelligible to any person who is not authorised to access it". An example would be where the data had been encrypted or pseudonymised, it said.

Alternatively, if companies take measures following a data breach to "ensure that the data subjects' rights and freedoms are no longer likely to be severely affected", then they would not have to notify individuals about the breach, under DAPIX's proposals. Data breach notifications would also not need to be issued to individuals if doing so would "adversely affect a substantial public interest", it has suggested.

DAPIX said that a data breach should be considered to be one that severely affects individuals "where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation".

Under DAPIX's plans no business would be forced to employ a dedicated data protection officer unless required to do so under separate EU or national laws. The Commission had proposed that public authorities, large businesses and those with personal data-heavy processing operations should be required to appoint dedicated data protection officers under the new Regulation.

DAPIX has also proposed that businesses should be able to process personal data without individuals' consent in order to anonymise or pseudonymise the information in some cases.

"A legitimate interest of a controller could include the processing of personal data for the purposes of anonymising or pseudonymising personal data," it said in its paper.

In addition, the working party has said that businesses should be allowed to take into account "available technology" when determining what "reasonable steps" they have to take to inform other firms that are processing personal data they have made public "that a data subject requests them to erase any links to, or copy or replication of that personal data". The plans are centred on the application of the Commission's proposed 'right to be forgotten', which would give individuals a general right to request that organisations delete the information they hold about them and make those firms responsible for taking steps to require third parties to do likewise.

DAPIX has proposed that individuals' right to be forgotten, right to data portability, right to data accuracy and their general right to obtain access to their personal data upon request should not apply where a business's processing of personal data does not require the individuals to be identified. Those rights would apply only if the data subject supplied the business with additional information that allowed the data being processed to be linked back to them, it said.
