I’m seeing regular discussions on social media about notification of personal data breaches under Article 33 and liability for administrative fines under Article 83 of the General Data Protection Regulation (GDPR). For instance:
because Carphone Warehouse had their breach start before GDPR the ICO fines will be tiny…
…Is it breach start or reported date that makes a difference?…
…So all we need to do if you have a breach is say it started on the 24th May…
These sorts of discussions overlook two points.
Firstly, the Information Commissioner’s Office has repeatedly given indications that big penalty notices (to adopt the wording of the Data Protection Act 2018, which notably avoids using the word “fine”*) will not be regularly imposed under the new regime, and nor will there be a “scaling up” of penalties.
Secondly, and crucially, penalties cannot be imposed on controllers merely because they have had, and become aware of, a personal data breach. Under Article 83, penalties can be imposed by a supervisory authority for infringements of the GDPR. The fact that a personal data breach has occurred is not in itself proof that an infringement has also occurred. Article 4(12) defines a personal data breach as
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Such personal data breaches might occur even where the controller has complied with its obligations under Article 5(1)(f) to ensure that personal data are
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
“Protection” does not impose a counsel of perfection. A personal data breach might occur, but a supervisory authority might determine that the controller had done all it reasonably could, and so impose no penalty. In fact, I predict that in the vast majority of cases where controllers notify the ICO of personal data breaches, this is exactly what will happen.
So, returning to those social media discussions: what actually determines whether the GDPR regime applies to the imposition of a penalty is when the infringement took place, not when the personal data breach did.
This is not new. Some of us have been (largely vainly) arguing for years that a data security incident is not equivalent to a statutory breach, but the elision still happens.
* the word “fine” in domestic law is nearly always reserved for penalties as a sentence under criminal law.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.