This post was written by Cynthia O’Donoghue.

At the end of March, the EU’s Article 29 Working Party adopted an opinion on Personal Data Breach Notification (the Opinion). The Opinion is designed to help data controllers decide whether they are obliged to notify data subjects when a ‘personal data breach’ has occurred.

A ‘personal data breach’ under Directive 2002/58/EC (the Directive) broadly covers the situation where personal data is compromised because of a security breach, and requires communications service providers (CSPs) to notify their competent national authority. Depending on the consequences of the personal data breach, CSPs may also be under a duty to notify the individual data subjects concerned.

The Opinion contains factual scenarios outlining the process that should be used by CSPs to determine whether, following a personal data breach, individuals affected should be notified. Each scenario is assessed using the following three “classical security criteria”:

  • Availability breach – the accidental or unlawful destruction of data
  • Integrity breach – the alteration of personal data
  • Confidentiality breach – the unauthorized access to or disclosure of personal data

The Opinion includes practical guidance for notifying individuals, including where a CSP does not have the contact details of the individuals concerned, or where the compromised data relates to children. The Opinion also stresses the importance of taking measures to prevent personal data breaches.