EU ministers have put another spanner in the works of the draft data laws by insisting firms should only have to report a personal data breach in cases where it is likely that individuals’ rights and freedoms have been “severely affected”.
According to a leaked document from the working party on Information Exchange & Data Protection (Dapix), part of the EU’s Council of Ministers, a breach of encrypted or pseudonymised data would require no action.
Under the European Commission’s original proposals for a new EU General Data Protection Regulation, businesses would be required to report all personal data breaches to regulators “without undue delay” and, if possible, within 24 hours of becoming aware of them.
Under Dapix’s proposals, only personal data breaches “likely to severely affect the rights and freedoms of data subjects” would need to be reported to either regulators or individuals. Notifications to regulators would have to be made ” without undue delay and, where feasible, not later than 72 hours after having become aware of it”, whilst notifications to individuals would have to be made simply “without undue delay”.
But Dapix said companies should not be required to notify individuals about breaches at all if they have “implemented appropriate technological protection measures” that were “applied to the data affected” by a breach so that the information is rendered “unintelligible to any person who is not authorised to access it”.
Alternatively, if companies take measures following a data breach to “ensure that the data subjects’ rights and freedoms are no longer likely to be severely affected” then they would not have to notify individuals about the breach.
Under Dapix’s plans no business would be forced to employ a dedicated data protection officer unless required to do so under separate EU or national laws. The Commission had proposed that large businesses and those with personal data-heavy processing operations should be required to appoint dedicated data protection officers, at a cost of tens of thousands of pounds a year.
Last week, EU chiefs admitted that the draft EU Data Protection Regulation was “on the verge of collapse” due to excessive time delays triggered by “excessive lobbying, foot-dragging by MEPs, and entanglement in trade negotiations with the US” forcing the changes off track. Meanwhile others claimed they could end up being weaker than the current legislation, passed in 1995.
New EU laws ‘on verge of collapse’
87% clueless on cost of EU laws
EU data: Don’t get mad, get ready
Clock ticks on EU after new delay
EU: ‘Don’t panic, don’t panic’ – ICO
EU data laws ‘may never be passed’
Sceptics blast EU consent claims
Industry hails EU ‘extra time’
EU data laws enter the ‘hot phase’
EU data law: ‘It’s the DMA wot won it’
Does anyone give a toss about DM?
MEPs pass 900 amendments to data laws
DM chiefs urged join war on EU laws
First victory in war on EU data laws
EU: Full steam ahead on new laws
Bosses ‘clueless on new EU laws’
EU data laws ‘just got a lot worse’
Germans seek tougher EU data laws
DMA rallies team for £47bn fight
New EU data laws ‘to cost millions’