This Week in Data/Cyber/Tech: Are Regulators Required to Enforce Following a Personal Data Breach?

Viewpoints
October 4, 2024
2 minutes

There's rarely a quiet week in data protection — and this one was no exception. Below is the most interesting development from the past seven days that caught my eye.

What is the likelihood that we will face regulatory enforcement as a result of a personal data breach?

This is one of the questions that I never get tired of thinking about. It’s both art and science, drawing on law, regulatory guidance and what you’ve seen and heard in the field. All of which makes for an endlessly fascinating mix.

Last week, the European Court of Justice held that supervisory authorities are not obliged to exercise their corrective powers under the GDPR — including the imposition of fines — whenever an organisation suffers a personal data breach. In other words, regulators have the discretion to find that not all breaches should, and indeed will, result in enforcement action.

The CJEU provides the example of where such discretion could be appropriate: a data breach that has not continued because the controller implemented appropriate measures as soon as it became aware of the breach to ensure that it is brought to an end and does not recur.

Interestingly, the CJEU says that decisions not to issue a corrective power should be exercised "exceptionally" — but one only has to compare the number of personal data breaches that are notified each year to supervisory authorities with the number of breach-related enforcement actions to see that, in practice, this discretion is used much more liberally. 

*****

Most organisations will, after suffering a data breach, take steps to mitigate its effects. Some will be more straightforward than others: informing third parties who received data accidentally and asking them to confirm that they’ve deleted the data, as opposed to rebuilding impacted servers or negotiating with bad actors. 

The success of those actions is not always in your hands — and in some (particularly serious) cases, the steps you take may not be sufficient to remedy any adverse effects to affected individuals. Conversely, and for reasons that are not strictly legal (i.e., constraints on supervisory authorities’ budgets and manpower), there will be certain breaches that are unlikely to be the subject of regulatory enforcement, irrespective of the action taken by the controller to mitigate their effects.

Will the CJEU’s judgment change any of that? The answer is: in practice, perhaps not.

Nevertheless, it’s good to be reminded that one should never slip into complacency when it comes to personal data breaches, no matter how unserious they may appear. Seemingly low-level breaches can, if repeated, speak to a pattern of non-compliance that a regulator is unwilling to overlook. Similarly, taking robust steps to address each data breach, on a case-by-case and contextual basis, will usually provide some mitigation when dealing with supervisory authorities.

And whatever one thinks about one’s ability to predict the likelihood of regulatory enforcement, it’s usually better to be safe than sorry.

Subscribe to Ropes & Gray Viewpoints by topic here.