You would have had to be living under a rock to have missed all the political turmoil in the U.K. over the past few weeks concerning the U.K. government’s “mini-budget.” In essence, even the staunchest government allies now accept it was a mistake to make changes to the U.K. tax system without fully thinking through the consequences of those changes, resulting in the need to make a series of embarrassing political U-turns.
The government’s ill-advised changes should be a cautionary tale for the European Data Protection Board and its recently-proposed “targeted update” to its “Guidelines on Personal Data Breach Notification,” open to public consultation until Nov. 29, 2022.
The proposed “targeted update” concerns only a single, solitary paragraph of the guidelines, and for that reason, privacy professionals could be forgiven for thinking that it is of a minor, surgically precise nature; perhaps one intended to cure a slight, but irritating, affliction that has long proven bothersome.
In fact, nothing could be further from the truth.
History of the current guidelines
But, before we get to that, let’s take a step back to gain some perspective.
The current guidelines were initially adopted by the EDPB’s predecessor, the Article 29 Working Party, in October 2017. When the EDPB was established under the EU General Data Protection Regulation on May 25, 2018, the EDPB endorsed its predecessor’s guidelines in its first plenary meeting — in effect, adopting the former Working Party’s guidelines as its own.
The guidelines attracted controversy straight away, due to a paragraph that said controllers would be deemed “aware” of personal data breaches suffered by their processors as soon as the processor itself had discovered the breach. Whether by design or oversight, the guidelines simply did not allow for the inevitable time delay between a processor discovering a breach and then notifying its controller. This mattered because controllers have to report a data breach within 72 hours, and the guidelines as adopted meant the controller’s clock would count down as soon as the processor became aware of the incident — regardless of how long the processor took to tell the controller, or if it even told the controller at all.
This was unrealistic to the point of being unfair, and so the EDPB changed course and updated the guidelines in February 2018. In its revised guidelines, which are also the current guidelines, the EPDB said only that a processor should inform its controller of a personal data breach “without undue delay.” The controller was no longer explicitly deemed aware of a breach upon the processor’s discovery.
Breach reporting by non-EU controllers under the guidelines
The revised guidelines also made another important and helpful change concerning breach reporting obligations for non-EU controllers.
EU GDPR’s one-stop-shop mechanism — the mechanism that allows an organization established within the EU to be supervised, primarily, by a single “lead authority” — does not apply to organizations established outside of the EU. Under the one-stop-shop mechanism, EU-based organizations need only report personal data breaches they suffer to their lead authority.
By contrast…
The History of Privacy
Phil Lee, Managing Director of Digiphile writes: “A bit of history today: what are t…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
