Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act

Transcription

1 Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act

2 On 1 January 2016, the Dutch Data Breach Notification Act will enter into force. The Dutch DPA issued Guidelines on September 21st to clarify certain aspects of the new data breach notification obligation. The following is a summary of those Guidelines. It is important to note that this version of the Guidelines is still subject to public consultation. Not only is it possible that certain things will change, but the CBP is actively requesting feedback from businesses who will have to comply with these Guidelines. If you d like to submit your comments to the DPA, we d be happy to assist in drafting a (Dutchlanguage) statement expressing your views on the Guidelines. The final date for submissions is 19 October Preparation The Guidelines make it clear that the controller should ensure that its data processors enables him to comply with the law, which means at the very least that the processor must provide timely and adequate information about any data breaches that he might discover. In order to do this, the data controller must execute a written agreement with its data processor, which includes the following: 1. The data processor will notify the data controller about relevant incidents. Parties should design a plan which describes how the data controller will be informed and kept up-to-date throughout the resolution of the data breach. 2. How swiftly should the data processor alert the data controller? 3. Who will submit the initial notification to the DPA? The data controller or data processor? The DPA apparently does not think that it should always be the data controller who does the notification. This notification may later be supplemented by the data controller, who probably has more information about the data subjects involved in the breach. 4. The data processor should implement measures to prevent incidents and detect data breaches, such as intrusion detection systems. 5. Is there any way to audit whether the data processor has met its obligations to inform and keep the data controller up-to-date?

3 We note that the DPA says two surprising things about controllers, which creates some confusion about that role. 1. The DPA says that although the controller is responsible and liable for compliance, the data processor is also responsible for compliance. He should not merely follow the instructions of the data controller, but should take independent responsibility for compliance with the requirements set out under data protection law. This is consistent with a recent DPA report that the DPA has published, but contrary to the established interpretation of the law. Moreover, it runs contrary to recent statements by the government that obligations in the Data Protection Act are imposed on the data controller (and not others). 2. The DPA also says that the data controller has to ensure that the data processor complies with its local law. The DPA refers to article 14(4) of the Data Protection Act (an implementation of article 17(3)(2nd point) of the Data Protection Directive. The Directive is very clear that this obligation doesn t apply to all local law, but only to local data security obligations. In our opinion, the DPA is using an unfortunate translation in the Dutch implementation of the Directive to extend the scope of this obligation beyond the intent of the legislature. 2. To notify or not to notify? Does the incident qualify as a data breach? This question should be answered in two parts: 1. Was personal data exposed to destruction or unlawful processing? The data controller must first answer the question whether its technical and organizational security measures were breached. It s irrelevant whether the data controller implemented adequate technical and organizational security measures to prevent destruction or unlawful processing. The only relevant issue is whether there was a breach. For example, the data controller should assume that personal data were exposed to destruction or unlawful processing in the case of a malware infection. 2. Can the data controller rule out that personal data was actually destroyed or processed unlawfully? The second question is whether the data controller can reasonably rule out that data was actually destroyed or processed unlawfully. For example, if the data was destroyed, but could be recovered using a backup, the incident does not qualify as a data breach. If the data controller finds out that an employee gave out his user name and password to a

4 third party, but can use server logs to establish that no one used these credentials to log in, the incident does not qualify as a data breach. 3. Notifying the DPA The data controller will have to notify the DPA in case the data breach will (likely) have serious detrimental consequences for the protection of personal data. If the data are of a sensitive nature, this will always be the case. Sensitive data are defined as including at least: Special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data regarding health and sex life). Data regarding the financial or economic situation of the data subject Data which may lead to stigmatization or exclusion User names, password and other log-in information Data which may be used for identity fraud If the data does not fall in those categories, the incident may still have serious detrimental consequences based on the nature and size of the data breach. The following considerations should be taken into account: As the volume of the compromised data increases, it will become a more attractive tool for abuse and more likely to cause harm for the data subject. This is especially true for government databases. As the compromised data is used to take more far-reaching decisions about data subject, the impact will increase. For example, if a hacker has access to and potentially is able to change data in a database used for assessing credit worthiness, that will have more impact than if that same database would be used for marketing purposes. If the compromised data is used throughout a chain of service providers as is often the case with government and health care providers it becomes harder to manage the consequences of that data being lost or altered, which increases the impact of the breach. If the data specifically relates to vulnerable groups, such as children, or less computer-literate individuals, it will be harder for the data subjects to manage the consequences of the incident and as such the impact of the breach will likely be larger. Certain incident involve a higher risk of abuse, e.g. a hack.

5 How and when should the DPA be notified? The DPA can be notified through a web form, or by fax. The notification should be made on the second working day after discovery of the incident by the data controller or its data processor. (E.g. the incident should be reported no later than Tuesday, if it was discovered on Friday.) It s possible to amend, supplement the notification or even withdraw it later. 4. Notifying the data subject If, based on the above, the data controller has to notify the DPA, the next question is whether to notify the data subject. The relevant consideration is whether the incident is likely to have negative consequences for the private life of the data subject(s). Has the data controller taken adequate data security measures to avert having to notify the data subject? The data controller does not need to notify the data subject if it has taken security measures which render the personal data incomprehensible or inaccessible for unauthorized third parties. The DPA lists the following measures as examples: Encryption. Remote wipe. The data controller will have to ascertain whether the remote wipe has been activated in time, whether the device was still capable of receiving and executing a remote wipe command and whether the remote wipe successfully prevented any attempt at reconstruction of the data. Pseudonymization. This measure must effectively prevent reidentifying the data subject. On the point of encryption: If the personal data has been destroyed, encryption will not prevent harm to the data subject. In such a case, the data controller may still be required to notify the data subject. The encryption must have been active at the time of the incident. The encryption should be based on a standard algorithm (e.g. as published by the EU Agency for Network and Information Security, ENISA). The algorithm can be considered sufficiently future-proof if they are rated as suitable for future use (meaning: safe for the next years) by ENISA. The data controller must take into account any published weaknesses in the algorithm. The implementation of the encryption algorithm needs to have been sufficiently secure. This may have to be ascertained by an (external) expert.

6 The encryption must remain secret and e.g. not have leaked as part of the incident. Finally, the data controller must ascertain whether in light of all applicable security measures there is any remaining risk of unauthorized processing of the personal data, now or in the future. Will the incident likely have negative consequences for the private life of the data subject? Assuming the security measures were inadequate, the data controller will have to determine whether there are likely to be negative consequences for the private life of the data subject. If the data breach involves sensitive data (as defined above) the data controller should notify the data subject. In other cases, the data controller will have to assess what the likely negative consequences for the data subject will be and whether they need information about the data breach to protect themselves against those negative consequences. Are there pressing circumstances that advise against notifying the data subject (for now)? The data controller may decide to postpone notifying the data subject or decide not to notify at all, in situations where this constitutes a necessary measure to safeguard: the prevention, investigation and prosecution of criminal offenses; an important economic or financial interest of the state and other public bodies; the enforcement of compliance with legal requirements aimed at safeguarding the above two interests; national security; the protection of the data subject or the protection of the rights and freedoms of others (including the data controller). Examples of interests in the last category: If data of a child who has confidentially asked for help with domestic abuse has been involved in a data breach, the data controller may decide not to notify the data subject for fear of their parents finding out. The data controller s interests will be so disproportionally affected that its rights and freedom are breached. For example, if the data controller is about to finalize a merger with another business and a data breach incident occurs, he is allowed to postpone notification to the data subject (but not to the DPA).

7 How and when should the data subject be notified? The data subject should be notified without delay, which means that the data controller: may take some time to investigate the incident to prepare a proper and thorough notification. must be aware that the data subject might have to take measures to protect themselves from harm. may do an initial notification to allow data subjects to e.g. change their passwords, without providing full details (yet). The data controller will have to inform the DPA when it intends to notify the data subject. This commitment is binding on the data controller, unless it later amends the notification. 5. After notification Maintaining a record of the incident The data controller will have to keep a record of all data breaches that were serious enough to warrant a notification to the DPA. This record need not be made public. Each record should be kept for at least one year following the final notification to the data subject. In case the data controller decided not to inform the data subject (e.g. because of encryption or because of an overriding pressing interest prevented this) the record must be kept for at least three years. In this case, the notification should be reviewed at least annually to determine whether there are reasons to notify after some time has passed (e.g. it turns out the encryption contains a vulnerability). How will the DPA respond upon receipt of a notification? If the notification is cause for further action, the DPA will contact the data controller. The primary purpose will be to verify if the notification indeed originates with the data controller and to ask questions about the event. The DPA can force the data controller to notify data subjects, if the data controller wrongfully decided to not inform data subjects. The DPA will keep a non-public record of every notification. Only if the data controller has afforded itself a plainly unreasonable margin of appreciation in deciding not to file a notification about the incident, will the DPA impose a fine.

8 Contact Maarten Goudsmit Maarten Goudsmit is an associate in the Privacy and Technology teams and has been with Kennedy Van der Laan since In 2004 Maarten began his law studies at the University of Amsterdam and graduated with a specialization in Information Law. After earning his master s degree in Amsterdam, Maarten studied IP & IT Law at Fordham University in New York City, and earned his LL.M magna cum laude. Before moving to Kennedy Van der Laan, Maarten worked as an attorney at another major law firm in Amsterdam for a year and a half.