New EDPB Guidance on Personal Data Breach Notifications: Twenty-seven stop shop?

The European Data Protection Board (“EDPB”) has recently published a “targeted update” to its guidelines on personal data breach notifications (the “Guidelines”). This update is likely to significantly increase the workload of non-EU controllers and their representatives who operate in multiple Member States and suffer a notifiable personal data breach.

Background

The Guidelines were initially adopted by the Article 29 Working Party, the predecessor to the EDPB, in October 2017 and updated and revised in February 2018. Upon its establishment, the EDPB endorsed the Guidelines. In October 2022 the EDPB published a small but very significant revision to the Guidelines.

Article 33 of the GDPR

Article 3(2) provides that the General Data Protection Regulation 2016/679 (the “GDPR”) applies to data controllers that are based outside of the EU in specific circumstances. Such a controller is obliged under Article 27 to appoint a person based in a Member State to act as its representative for the purpose of the GDPR.

Article 33 of the GDPR requires that when a personal data breach occurs, then except where that breach is unlikely to result in a risk to the rights and freedoms of natural persons, the controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Articles 55 and 56 deal with the circumstances in which a supervisory authority will be competent under the GDPR. They do not, however, deal expressly with the scenario of where a controller is not established in the EU but is subject to the GDPR pursuant to the extra-territorial effect of the GDPR under Article 3(2). In these circumstances, the wording in Article 33 gives rise to ambiguity as to which supervisory authority(ies) a non-EU controller must notify when a notifiable personal data breach occurs.

The Guidelines

In the previous version of the Guidelines, the Article 29 Working Party recommended that in the case of a controller established outside the EU which had appointed a representative in the EU in accordance with Article 27, a notification should be made to the supervisory authority in the Member State where the controller’s representative in the EU is established. The EDPB now intends to change this approach, and has provided in the targeted update to the Guidelines that “the mere presence of a representative in a Member State does not trigger the one-stop shop system. For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller” (emphasis added).

This change of policy will, if adopted, significantly increase the burden on controllers operating outside of the EU who are processing the personal data of data subjects across multiple Member States when a notifiable personal data breach occurs. In such a scenario, notifications to many and potentially all national supervisory authorities across the EU will be required.

Needless to say, compliance with this revised personal data breach notification regime will be particularly challenging and time-consuming for affected organisations, considering that there is no standardised reporting form in use by the EU's data protection authorities and that notifications would need to be prepared in multiple languages.

The targeted update was open for public consultation until 29 November 2022. Many multinational organisations will now be nervously awaiting the outcome of the EDPB's consideration of the submissions received in response to its public consultation.

Also contributed to by Róisín Finn and Kevin Barrett.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.