Businesses should not need to notify consumers that their personal data has been lost or stolen if the data has been encrypted, EU ministers have said.
Ministers in the Justice and Home Affairs Committee of the EU’s Council of Ministers backed the plans as part of a wider partial agreement reached last week on reforms to EU data protection laws (44-page / 491KB PDF).
The committee met in Luxembourg to discuss the draft General Data Protection Regulation. The ministers agreed on wording for Chapter IV of the draft regulation, which includes new rules on personal data breach notifications that organisations operating in the EU will have to adhere to.
Agreement on other parts of the draft regulation has still to be reached, and the Chapter IV provisions were agreed only in line with the principle that “nothing is agreed until everything is agreed”, the Council of Ministers said.
Under their proposals, organisations would generally have 72 hours from becoming aware that they have suffered a personal data breach that “may result in physical, material or moral damage” to individuals in which to notify regulators. Damage of this kind could range from identity theft or fraud, to damage to their reputation, loss of control over their personal data or a loss of confidentiality of data protected by professional secrecy, according to the ministers’ plans.
“The agreement in principle of a materiality threshold for data breaches is a good step forward,” said data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com. “Data controllers should be actively preparing for the significant shift in business practice implied by a data breach notification regime; for example, they should be rehearsing their incident response procedures.”