The NIS Directive introduced the reporting of security incidents for operators of essential services and some digital service providers. Likewise, the General Data Protection Regulation introduced the requirement for a personal data breach to be notified to the competent national supervisory authority and, in certain cases, to be communicated to the individuals whose personal data have been affected by the breach. Although national legislation or Codes of Practice may have required such specific breach notification prior to the GDPR, mandatory breach notification for personal data breaches constituted a new requirement for many controllers.
In its 2017 Guidelines on personal data breach notification under Regulation 2016/679 (WP250 rev.01), the WP29 provided guidance on the mandatory breach notification and communication requirements of the GDPR and on the steps controllers and processors can take to meet these new obligations. In that vein, the WP29 Guidelines inter alia addressed the question of ‘when to notify’ and what information must be forwarded to the supervisory authority. The WP29 Guidelines also provided examples of various types of breaches and the necessary steps to be taken; they were subsequently endorsed by the European Data Protection Board (EDPB) at its first plenary meeting.
More than four years later, on 10 October 2022, the EDPB adopted its own Guidelines 9/2022 on personal data breach notification under the GDPR for a targeted public consultation. These EDPB Guidelines primarily contain editorial changes to the WP29 Guidelines. Sandra’s report addresses the single substantial change in the Guidelines, which concerns the notification requirements regarding personal data breaches at non-EU establishments and for which the targeted consultation had also been opened. She recalls the framework for personal data breach notifications under the GDPR and the guidance given by the WP29 for controllers that are not established in the EU but are still subject to the extra-territorial provisions of the GDPR. The report then assesses how far the EDPB Guidelines constitute a U-turn and might result in more burdensome obligations for these controllers.