Twitter fined – the 72h notification period for data protection violations under Art. 33 GDPR knows no holidays (Part 1 of 3)
Author: Corinna Stanke

Company holidays or staff shortages are familiar to every company when holidays or school breaks are just around the corner. The final tasks are quickly completed and temporary replacement plans are drawn up as to who must take over what in case of an emergency. Data protection, however, is often forgotten. This has now also become Twitter's undoing. In a three-part series of articles, our data protection officer and company lawyer, Corinna, examines the specifics of the notification deadlines for data protection breaches.
Part 1 – Obligation to notify data protection breaches by the controller to the supervisory authority pursuant to Art. 33 (1)
The Irish data protection authority has imposed a fine of €450,000 on Twitter for violating the 72-hour notification period and the obligation to document data protection breaches under Article 33(1) and (5) of the GDPR.1 The data protection breach was caused by a bug in Twitter that temporarily made protected tweets readable by the public. Twitter itself became aware of this during the 2018 Christmas holidays and New Year's Day; however, according to its own account, it was unable to comply with the 72-hour deadline for notifying the data protection authority under Article 33(1) of the GDPR because the company was understaffed during the holidays.2
At this point, you should ask yourself: "Can this happen to our company?"
Of course, this depends on how well your company is positioned internally in terms of data breach management. After all, most companies are understaffed during holidays or school breaks. Twitter's reason for missing the notification deadline therefore does not seem absurd at first glance but rather plausible; whether it corresponds to the truth remains to be determined. Therefore, especially before holidays or school breaks, make sure that your company has also made appropriate replacement arrangements for the detection and notification of data protection breaches.
Three-part series of articles
To give you an idea of what matters regarding the notification obligation under Art. 33 of the GDPR, we have summarised it for you in three parts. In Part 1, we explain the controller's obligation to notify data protection breaches to the supervisory authority in accordance with Article 33(1) of the GDPR. In Part 2, we address the question of whom the processor must notify of data protection breaches. Finally, in Part 3, we address the controller's obligation to notify data subjects of data protection breaches pursuant to Article 34 of the GDPR.
Obligation of the controller to notify the supervisory authority, Art. 33 (1) GDPR
Article 33(1) of the GDPR imposes specific obligations on the controller in this regard, so a look at the wording is helpful. According to Art. 33(1) of the GDPR, in the event of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
1. Breach of data protection
The starting point for the notification obligation under Art. 33(1) of the GDPR is therefore a personal data breach. This in turn is defined in Art. 4 No. 12 of the GDPR: a personal data breach is a breach of security that, whether accidental or unlawful, leads to the destruction, loss, alteration, or unauthorised disclosure of or access to personal data. The notification obligation is therefore triggered by breaches of data security and not by other breaches of the GDPR, e.g. unlawful data processing in breach of Art. 6 of the GDPR. As a rule, data security is breached if one of the three protection goals of data security has been violated: confidentiality, availability or integrity. Integrity is compromised if personal data has been unlawfully altered, whether by authorised persons acting in an unauthorised manner or by other causes. Availability is compromised if the data is permanently or temporarily unavailable to authorised persons when needed. Confidentiality is compromised if unauthorised persons gain access to the data.
Data breaches can therefore occur, for example, as a result of hacker attacks, the loss or theft of electronic devices, or emails or letters sent to the wrong recipient. It is important to note that data breaches can happen unintentionally (e.g. an incorrectly addressed email) or intentionally (e.g. a hacker attack).
2. Risk
If there is a data breach, the next question is when you must report it to your competent supervisory authority. The GDPR follows a rule-and-exception principle. In principle, every data breach must be notified unless it is unlikely to result in a risk to the rights and freedoms of the data subjects, Art. 33(1) GDPR. It is not always easy to assess whether a risk exists. Essentially, it is a matter of weighing how likely it is that damage will occur and how severe that damage would then be. Damage can be, for example, material (financial losses), immaterial (discrimination, damage to reputation) or other significant economic or social disadvantages. Guidance on how to determine the risk is provided in the EDPB / Article 29 Working Party document "WP250rev.01 - Guidelines on personal data breach notification under Regulation (EU) 2016/679".3
It is important to note that "unlikely to result in a risk" does not mean that there must be no risk at all; that is impossible when processing personal data. Rather, a low risk is meant, and you should read Art. 33(1) of the GDPR with this word "low" in mind. Whether you must notify a data breach to the supervisory authority under Art. 33(1) GDPR therefore depends on your risk assessment of the breach. There is no obligation to notify if your risk analysis shows that the risk for the data subjects is low. By contrast, you must report data breaches if the risk is medium or high.
3. Responsible supervisory authority
You must report the data breach to your competent supervisory authority, Art. 55, 56 GDPR. This is usually the authority for the place where your main establishment (especially in the case of cross-border data processing) or your single establishment is located.
4. 72h notification deadline
To avoid being fined in the same way as Twitter, you must comply with the deadline for reporting data protection breaches. According to Art. 33(1) of the GDPR, you must report data protection breaches to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them. As already mentioned, data protection breaches cannot always be identified easily. It is then your task to clarify, on the basis of further information, whether a data protection breach has actually occurred. Of course, this takes time and may conflict with the 72-hour notification period.
a) "Becoming aware" of the data breach
The 72-hour period starts at the time at which you become aware of the data protection breach. This is the case when there are sufficient indications that a data protection breach has occurred with a high degree of probability. A mere suspicion is therefore generally not sufficient to trigger the deadline. However, you must not delay clarification until the data protection breach has been positively established, because by then, depending on your supervisory authority's interpretation, the time limit may already have started to run.
Therefore, determine in advance, before any data protection breach occurs, how long an initial clarification may take without triggering the 72-hour deadline (24 hours is sometimes assumed). Particularly in larger companies, it is not always clear when the controller becomes aware of the data breach. As a rule, this happens through the attribution of knowledge within the company: as the controller, you may have to accept that your employees' knowledge of data protection breaches is attributed to you. When knowledge is attributed depends on the individual case, in particular the size of the company. However, it can be assumed if certain managers know of data protection breaches in addition to, or before, the management.
b) Immediate notification within 72h
In principle, you must report a data protection breach that has come to your knowledge to the competent supervisory authority without undue delay and, where feasible, within 72 hours. "Without undue delay" means without unreasonable delay, which matters in particular where the data protection breach is serious or easy for you to recognise. You should always comply with the 72h deadline in order to avoid sanctions such as those against Twitter. If you do not meet the deadline, you must explain to the supervisory authority why you could not, Art. 33(1) GDPR. "Being understaffed" will hardly be accepted after the fine against Twitter.
You may not calculate the 72h deadline according to the usual rules of the German Civil Code (§§ 187 ff. BGB), because it is a deadline set by European law. The time limit is calculated according to Art. 2 ff. of the Time Limits Regulation (Council Regulation [EEC, Euratom] No. 1182/71 of 3 June 1971 determining the rules applicable to periods, dates and time limits). The beginning and end of the time limit are governed by Art. 3 of the Time Limits Regulation. According to this, the hour in which the data protection breach became known is not included in the 72-hour period.
Example: You become aware of a data protection breach on 18.12.2020 at 13:25. The time limit does not start to run at 13:25, but at 14:00, and ends on 21.12.2020 at 14:00. It is important to note that, in contrast to Section 193 of the German Civil Code (BGB), the 72h deadline is not extended if it ends on a Saturday, Sunday or public holiday, because the Time Limits Regulation contains no corresponding provision for deadlines expressed in hours. You must pay particular attention to this in the case of upcoming holidays or school breaks.
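The deadline rule just described (hour of awareness excluded, period starts at the next full hour, no extension for weekends or public holidays) as a small calculator for an internal incident-handling runbook. This is an added example, not code from the original article; the holiday list and timestamps are constructed test data, and the function names are our own.

```python
from datetime import date, datetime, timedelta

# Constructed sample: public holidays relevant to the example period.
HOLIDAYS = {date(2020, 12, 25), date(2020, 12, 26), date(2021, 1, 1)}

def period_start(aware_at: datetime) -> datetime:
    """Art. 3 Regulation 1182/71: the hour in which the controller became
    aware is excluded, so the 72h period begins at the next full hour."""
    return aware_at.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)

def notification_deadline(aware_at: datetime) -> datetime:
    """End of the 72-hour period under Art. 33(1) GDPR. No extension to the
    next working day: an hourly deadline ends exactly 72h after it starts."""
    return period_start(aware_at) + timedelta(hours=72)

def deadline_status(aware_at: datetime, now: datetime, holidays=HOLIDAYS) -> dict:
    """Summarise the deadline for the incident log: when it ends, how many
    hours remain, and whether it ends on a day the office may be unstaffed."""
    deadline = notification_deadline(aware_at)
    ends_on_non_working_day = deadline.weekday() >= 5 or deadline.date() in holidays
    remaining_hours = (deadline - now).total_seconds() / 3600
    return {
        "period_start": period_start(aware_at),
        "deadline": deadline,
        "hours_remaining": round(remaining_hours, 2),
        "overdue": remaining_hours < 0,
        "ends_on_non_working_day": ends_on_non_working_day,
    }

if __name__ == "__main__":
    # The article's example: awareness on 18.12.2020 at 13:25.
    print(deadline_status(datetime(2020, 12, 18, 13, 25), datetime(2020, 12, 19, 9, 0)))
    # Awareness on 22.12.2020 at 10:10: the period ends on Christmas Day, no extension.
    print(deadline_status(datetime(2020, 12, 22, 10, 10), datetime(2020, 12, 22, 10, 30)))
```

The second case is the one holiday planning has to cover: the period ends at 11:00 on 25.12.2020 regardless of whether anyone is in the office.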
5. Content and form of the notification
The information you must provide to the supervisory authority about the data breach is set out in Art. 33(3) of the GDPR, which specifies the minimum content of the notification.4 If you have more information, you should provide it to the supervisory authority, because the authority uses it to check whether the measures you have taken are sufficient. Cooperation with the supervisory authority often also has a positive effect on the amount of any sanction. You do not have to name the data subjects concerned; it is sufficient to list the categories concerned, e.g. customers, employees.
With regard to the form of the notification, Art. 33(3) of the GDPR does not impose any specific requirements. However, for reasons of proof, at least text form is recommended. Almost all supervisory authorities allow a data protection breach to be notified via an online form, so it is worthwhile familiarising yourself with your supervisory authority's notification form in advance.
Please note that if you cannot provide all the information to the supervisory authority at once, you may provide it in phases, Art. 33(4) GDPR. This is to ensure that controllers do not miss the 72h deadline because they assume they have to provide all the information together. After all, the aim of the notification obligation is to minimise the impact of the data breach on the data subjects. It may therefore be sufficient to provide only part of the information to the competent supervisory authority, so that it can determine, alone or together with the controller, whether the data subjects should be notified under Art. 34 GDPR, e.g. because they can limit the impact of the breach by taking action themselves (such as changing a password).
6. Documentation requirements
Finally, you must document everything related to a (possible) data breach. This is expressly required by Art. 33(5) GDPR. The fine against Twitter was also imposed because it had neglected the documentation obligations under Art. 33(5) of the GDPR. You must therefore regulate internally how (possible) data protection breaches are to be documented. Art. 33(5) of the GDPR does not prescribe a specific form for the documentation. However, since the supervisory authorities use the documentation to check whether you have complied with the requirements of Art. 33 of the GDPR, you should at least keep electronic records. Not only data protection breaches that have been positively established must be documented, but also suspected ones that have not (yet) been confirmed. Only on the basis of this information can the supervisory authority assess whether you were justified in not notifying it. It is therefore advisable to use an internal form for recording data protection breaches. In terms of content, you can follow the minimum requirements of Art. 33(3) of the GDPR. At the same time, you should define how the information is to be forwarded within your company and which specialist departments must be informed.
Therefore, instruct your employees on how to deal with a data protection breach and make clear that even supposedly insignificant breaches must be documented. Of course, you should also involve your company data protection officer if you have one.
7. Sanctions
The supervisory authorities may impose a fine on you under Art. 83(4)(a) of the GDPR if you fail to comply with the requirements of Art. 33 of the GDPR. They may also impose other measures (e.g. warnings) in addition to or instead of the fine pursuant to Art. 58(2) of the GDPR.
Part 2 continues with the notification obligation of the processor under Art. 33(2) of the GDPR. This is also relevant for you as a controller if you use processors.
1 Data Protection Commission announces decision in Twitter inquiry. Data Protection Commission [online], https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-twitter-inquiry [accessed 21.12.2020].
2 Twitter fined 550k over a data breach in Ireland's first major GDPR decision. TechCrunch [online], https://techcrunch.com/2020/12/15/twitter-fined-550k-over-a-data-breach-in-irelands-first-major-gdpr-decision/ [accessed 21.12.2020].
3 WP29 Guidelines. Datenschutzkonferenz Online [online], https://www.datenschutzkonferenz-online.de/wp29-leitlinien.html [accessed 21.12.2020].
4 Article 33 GDPR. Dejure [online], https://dejure.org/gesetze/DSGVO/33.html [accessed 21.12.2020].