BreachExchange mailing list archives

Businesses should not need to publicise personal data breaches if data is encrypted, say EU ministers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Oct 2014 20:16:19 -0600

http://www.out-law.com/en/articles/2014/october/businesses-should-not-need-to-publicise-personal-data-breaches-if-data-is-encrypted-say-eu-ministers/

Ministers in the Justice and Home Affairs Committee of the EU's Council of
Ministers backed the plans as part of a wider partial agreement reached
last week on reforms to EU data protection laws (
http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2013772%202014%20INIT
44-page / 491KB PDF).

The Committee met in Luxembourg to discuss the draft General Data
Protection Regulation. The ministers agreed on wording for Chapter IV of
the draft Regulation, which includes new rules on personal data breach
notifications that organisations operating in the EU will have to adhere
to. Agreement on other parts of the draft Regulation has still to be
reached, and the Chapter IV provisions were only agreed in line with the
principle that "nothing is agreed until everything is agreed", the
Council of Ministers said.

Under their proposals, organisations would generally have 72 hours to
notify regulators as soon as they become aware that they have suffered a
personal data breach that "may result in physical, material or moral
damage" to individuals. Damage of this kind could range from identity theft
or fraud, to damage to their reputation, loss of control over their
personal data or a loss of confidentiality of data protected by
professional secrecy, according to the ministers' plans.

"The agreement in principle of a materiality threshold for data breaches is
a good step forward," said data protection law specialist Marc Dautlich of
Pinsent Masons, the law firm behind Out-Law.com. "Data controllers should
be actively preparing for the significant shift in business practice
implied by a data breach notification regime; for example, they should be
rehearsing their incident response procedures."

Under the ministers' plans, organisations would also face a new obligation
to inform consumers "whose rights and freedoms could be severely affected"
by a personal data breach about the incident "without undue delay".
However, the ministers backed plans which would absolve organisations of
this duty to notify individuals about a personal data breach where they
have put in place "appropriate technological protection measures" to
protect the data that has been lost or stolen from being accessed by people
not authorised to see it.

"Such technological protection measures should include those that render
the data unintelligible to any person who is not authorised to access it,
in particular by encrypting the personal data," the ministers' proposals
said.

The ministers also backed plans to require businesses developing new
products and services that involve personal data processing to ensure that
"technical and organisational measures" are used to ensure the data
processing activities are carried out in line with the new data protection
laws.

Businesses using new technologies or otherwise planning to engage in
personal data processing which is "likely to result in a high risk for the
rights and freedoms of individuals" would be required to carry out a data
protection impact assessment (DPIA) before progressing with its processing,
under the ministers' proposals.

According to the document containing the ministers' plans, the UK had said
that businesses should not face an obligation to carry out a DPIA unless
"there is an identified high risk to the rights of data subjects".

However, activities such as the processing of health data or of personal
data that could be used for profiling, as well as cases where there are
plans to process large volumes of personal data, are cited as examples
within the ministers' plans of where businesses could have to carry out a
DPIA. In some cases, businesses would be required to consult with
regulators on their plans for processing 'high risk' data.

Businesses based outside the EU but involved in the processing of EU
citizens' personal data would also be required to appoint an EU-based
representative to engage with regulators and citizens on data protection
matters on their behalf, under the plans. Only if the processing is
"occasional and unlikely to result in a risk for the rights and freedoms of
individuals" or is undertaken by a public body would non-EU based
organisations avoid this requirement.

The ministers' proposals would also place restrictions on which data
processors businesses would be permitted to contract with, and would
outline the oversight that data processors should give data controllers
over sub-contracting arrangements.

The plans, if introduced, would recognise pseudonymisation as a measure
which could be implemented by businesses to meet their obligations on
personal data security.

In June, the Council's Justice and Home Affairs Committee reached agreement
on rules governing data transfers and on the territorial scope of the
planned new Regulation. Again, agreement was based on the principle that
"nothing is agreed until everything is agreed". The Committee has yet to
reach consensus on a number of other aspects of the planned reforms,
including on the precise framework for regulating data protection under the
new legal framework.

Only once the Council of Ministers has reached a consensus on the whole of
the draft General Data Protection Regulation will it open negotiations on
finalising the new framework with the European Parliament and European
Commission. The initial draft Regulation was published by the Commission in
January 2012. The Parliament reached a consensus on an amended version of
the Commission's proposals earlier this year.

Political leaders last year committed to finalising the data protection
reforms "by 2015", with pressure from some EU officials to conclude
negotiations on the issue before the summer of next year.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 