[EDITED TO ADD: since I wrote this piece, it appears that ICO has silently amended its guidance, so it no longers threatens regulatory action for over-reporting. For posterity’s sake, (and to show I wasn’t making it up) I provide this link to the archived page.]
Data protection practitioners (and many others) are well aware that a failure to comply with the general obligation on a controller to notify the Information Commissioner’s Office (ICO), in the event of a personal data breach, is an infringement of the General Data Protection Regulation (GDPR). What may be less known, however, is that making a notification, in circumstances where it wasn’t required, might also be an infringement, and might result in sanctions from the ICO. That, at least, appears to be the ICO’s own view of the law, when it says
Over reporting breaches which have not been appropriately risk assessed in terms of their impact on the data subject may be seen as evidence of failing to comply with the GDPR accountability principle. This can also result in regulatory action.
I don’t know about you, but I think that’s a pretty extraordinary statement.
Of course, controllers should assess whether, as an exception to the general obligation, they are not required to make a notification, on the grounds that the personal data breach (defined at Article 4(12) of GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) is unlikely to result in a risk to the rights and freedoms of natural persons. Such a risk assessment (because that’s what it is) will be, though, a nuanced challenge. What, after all, constitutes a likely “risk to the rights and freedoms of natural persons”? Although recital 85 to GDPR gives some clues, it still leaves much to be determined on the facts:
…physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
Article 83 makes a failure to notify, in circumstances where one should notify, an infringement with a maximum administrative fine attached of €10m or 2% of global annual turnover (whichever is higher). Is it any surprise then, that some controllers might have taken what they thought to be a cautious, or precautionary, approach, and notified ICO of personal data breaches even when they weren’t sure it was necessary to do so?
Although the ICO has been suggesting for some time that controllers have been too keen to make personal data breach notifications, the web page in question appears to have only very recently been amended to say this (an archived version only from 31 May 2020 lacks the wording). And it seems to me a little bit mean-spirited (and potentially confusing to some controllers) to start threatening the use of sanctions against those who are making a regulatory notification in good faith.
In fact, I’m not at all sure that – as ICO suggests – it is potentially an infringement of the Article 5(2) obligation (by which a controller shall be responsible for, and be able to demonstrate compliance with, the Article 5(1) principles) to make a notification without properly assessing risk. And to say that it is such an infringement, is – I submit – stretching the accountability principle further than, in other circumstances, ICO would expect it to be stretched.
And don’t start thinking about whether an excessive notification of a personal data breach is a personal data breach which requires notification. That way madness (or is it Wilmslow?) lies.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.