"42", the Answer to the Number of Authorities Notified in Cross-Border Breaches – Don't Panic!

7 minute read | October.21.2022

Last week, the European Data Protection Board ("EDPB") published a long-awaited update of its guidance on breach notification, which generally did not contain much news. However, it does bring a significant new burden for multinationals not established in the EU, and companies should be aware of it.

In this article we summarize the EDPB's guidance and outline how companies need to adjust their breach notification procedures.

Summary

  • The EDPB noticed that there was a need to clarify the notification requirements concerning personal data breaches for non-EU establishments and, on 18 October 2022, proposed clarifications to the WP 250 guidelines issued by the Article 29 Data Protection Working Party ("WP 29").
  • The EDPB adopts the position that companies residing outside the EU dealing with a personal data breach are under the obligation to notify all supervisory authorities ("SAs") of the Member States in which affected data subjects reside. The "one-stop-shop" mechanism does not apply.
  • In practice, these changes will impose burdensome notification obligations on organizations without an establishment in the EU. Organizations with extensive geographical footprints should take these changes into account and may need to update their incident response plan.

What exactly happened?

On 18 October 2022, the EDPB proposed the adoption of its Guidelines on Personal data breach notification under GDPR (WP250 rev.01). The guidelines are currently in a public consultation process open until 29 November 2022. The proposed version is only slightly updated, in line with the EDPB's desire to clarify its previous guidelines and to correct a misalignment between guidelines WP 244, which outline the relationship between controllers and lead supervisory authorities, and WP 250.

Previous guidelines WP 244 issued by the WP 29 stated that if the company does not have an establishment in the EU, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. This means that controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.[1]

While WP 244 seemed to be very clear, the relevant section in the previous guideline WP 250 dealing with the notification obligations of controllers not established within the EU but subject to GDPR stated as follows:

"[…], WP29 recommends that notification should be made to the supervisory authority in the Member State where the controller's representative in the EU is established […]."

It appears that WP 250 had intentionally adapted the position of the WP 244 guidelines to the specific circumstances of a personal data breach and therefore deviated from the earlier statement in the WP 244 guidelines. On longer-term privacy projects, dealing with multiple SAs places less onus on an organization, whereas in the circumstances of a personal data breach it can place a significant burden on the organization's response.

Under the old version of WP 250, one could have argued that controllers would only need to notify the SA in the Member State where the controller's Art. 27 GDPR representative is established. However, there was room for interpretation, as the guidelines did not state clearly that the controller is required to notify only that SA. The new proposal makes this very clear and brings the position in both guidelines into line, as the previous section is to be replaced by the following unambiguous statement:

"However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. […]."

Any doubts about the interpretation are thereby eliminated. It is worth noting that the proposed changes to the guidelines do not have any influence on the notification obligations and the one-stop-shop mechanism for companies established within the EU.

What does the latest adoption mean in practice?

Taking the example of a software-as-a-service provider for consumer-facing services without an EU establishment but with customers around the globe, the adoption of the amended guidelines means that under Art. 33(1) GDPR, the provider is required to notify all competent SAs in the European Union where its customers reside. "All" means 42 SAs (26 SAs of the European Member States excluding Germany plus 16 SAs in Germany), most of which have different form and language requirements. Such an exercise requires extensive coordination between various jurisdictions and team members. In addition, the provider will generally need to notify all SAs within the 72-hour deadline once it has become aware of the personal data breach, and will later need to deal with 42 separate procedures. Effectively, a mammoth task in a very short window.

How to prepare?

The existing guidelines WP 250 already encourage controllers and processors to plan in advance for the event of a personal data breach. The recommended processes include the detection and prompt containment of a breach, the relevant assessment of risk to individuals and then the determination of whether a personal data breach should be notified to the relevant supervisory authorities.

The guidelines recommend that the strategy for notifying the SAs should form part of the incident response plan. A sufficient incident response plan should at least address when a breach needs to be notified, to whom a breach may need to be notified, and what information about the breach would need to be provided.

To be able to decide whether GDPR is applicable and to identify all SAs, the controller should be aware of where its customers reside and whether it processes personal data of EU residents. The customer's location should thus be identified when a controller initiates the processing of personal data, e.g., when the customer subscribes to the service. However, it seems to be sufficient if this is conducted by technical means, for example through the IP address of the respective user, as principles for the processing of personal data such as data minimization still need to be taken into consideration.

Once the controller knows where its customers reside and whether GDPR is applicable, it can identify the competent SAs and map out a notification strategy. The incident response plan should list the relevant SAs and provide further information about how to contact them and what form requirements they might have, e.g., whether the SA requires notification through an online form and whether it can be notified in English or only in its local language.

Companies should also include risk-based notification strategies with regard to the 72-hour deadline. Companies will, in practice, often not be able to notify all SAs at the same time. Companies may thus prioritize the notification of SAs in Member States with a high number of customers and affected data subjects. Even though missing a deadline in other Member States with a lesser priority is a breach of the notification obligation, the likely consequence of fines will be mitigated if it is ensured that the other SAs are informed and the process of informing the SAs is made transparent.

Depending on the specific requirements of the SAs, the controller should also identify competent personnel or representatives in the respective Member States, allowing the controller to reach out to them immediately once a data breach has occurred. As a best practice, companies might already have prepared template notifications for each competent SA.

Reporting a breach in a timely manner is seen as an essential element of the appropriate technical and organizational measures required under Art. 32 GDPR. Depending on the circumstances, missing the deadline can be considered a failure to notify and could be fined by the respective SAs.

Art. 33(1) GDPR requires that where a notification cannot be provided within the 72-hour deadline, it shall be accompanied by the reasons for the delay. However, whilst GDPR allows for delayed notifications, this is not something that should take place on a regular basis and is permissible only in exceptional cases. Being required to notify all SAs is not an exceptional case for multinationals with a large customer base. It is therefore unlikely that a supervisory authority would support a delay where organizations are undertaking an extensive notification exercise.

What to do?

As an immediate action, non-EU based companies should verify whether the above-mentioned preparations are reflected in their current incident response plan. If that is not the case, the management and responsible departments of the company should revise the incident response plan accordingly.

In practice, it has proven to be very beneficial to run through the processes in advance as part of an exercise. Such exercises can be prepared by competent advisors and practiced with the responsible employees and other participants as part of a supervised legal tabletop exercise. This should help to strengthen awareness internally and to be prepared in the event of an incident.

[1] See WP 29 Opinion 12/2016, last revised 5 April 2017 on Guidelines for identifying a controller or processor's lead supervisory authority, WP 244, https://ec.europa.eu/newsroom/document.cfm?doc_id=44102.