The General Data Protection Regulation introduces in Articles 33 and 34 new provisions on notifications and communications regarding personal data breaches. In October 2017, Europe’s data protection authorities, organized in the Article 29 Working Party (WP29), published draft guidelines on the interpretation of these provisions and asked stakeholders to submit comments on these draft guidelines.
Bitkom welcomes the opportunity to comment on the Art. 29 Working Party’s (WP29) draft opinion on personal data breach notifications (WP 251). We believe that more cooperation and exchange between data protection authorities and practitioners is needed to translate the legal text of the GDPR into practice. In addition to many other provisions of the GDPR, Art. 33 and 34 must be implemented by May 2018, not only by the digital economy but also by all other sectors.
The aim of this position paper is to draw attention to difficulties in interpreting and implementing the law. From Bitkom's point of view, a proportionate interpretation of which situations constitute a “data breach” would be desirable in order to reduce legal uncertainty for companies and to further advance the implementation of the GDPR. The risk-based approach, which runs systematically throughout the GDPR, should also be applied to breach notifications. In this context, a case-by-case analysis should determine which level of risk is tolerable and when the threshold is exceeded. A notification of each and every breach would lead to a flood of information that would undermine the purpose of the provisions, namely to raise the level of security in data protection. Last but not least, the principle of proportionality needs to be taken into account.