Every company that deals with a cyber-attack must also meet the notification requirements imposed by the competent regulators. In large-scale global incidents, this can mean that multiple regulators across the globe must be notified, often within very short timeframes.
In the European Economic Area (EEA), personal data breaches must be reported to the competent data protection authority without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
One-stop-shop in Europe – or not?
If the incident affects individuals in several EEA countries, global companies can often benefit from the so-called one-stop-shop mechanism (OSS). The OSS is a mechanism for companies that are engaged in cross-border data processing in the EEA, allowing them to deal with a single lead supervisory authority, for example for the purposes of reporting a global data breach.
However, companies cannot automatically rely on the OSS if they are dealing with a global incident. There may, for example, be instances where several local entities within a group are affected by a cyber incident and each entity may be subject to reporting obligations in various EEA countries.
Furthermore, the OSS is subject to certain requirements under the GDPR. In particular, companies that do not have a main establishment in the EEA generally cannot rely on the OSS and may have to notify in every EEA country where affected individuals reside. What amounts to a main establishment has been the subject of some debate. Recently, the European Data Protection Board (EDPB), a body comprised of representatives of the data protection authorities of the EEA Member States, issued an opinion clarifying the notion of the main establishment under the GDPR:
- The EDPB stipulates that a legal entity which is the place of central administration of a group in the EEA can be considered the main establishment only if (i) it takes the decisions on the purposes and means of the processing of personal data in the EEA and (ii) it has the power to implement these decisions. The OSS can therefore only apply if there is evidence that a local entity in the EEA takes the decisions on the purposes and means of the relevant processing operations and has the power to implement them. If the decisions on the purposes and means, and the power to implement them, are exercised outside the EEA, the EDPB assumes that there is no main establishment and the OSS does not apply.
- The EDPB holds that, in case of doubt, the burden of proof lies with the company to demonstrate to a data protection authority in the EEA that the OSS criteria are met. In this context, the EDPB mentions, for example, records of processing activities and privacy policies as potential evidence. The ability to demonstrate that the local entity in the EEA has the actual power to control the implementation of the decisions taken can also play a role.
Bureaucratic challenges
The EDPB has recently published on its website an overview with links and information on the reporting requirements of the EEA regulators. Even though the GDPR stipulates uniform requirements for notifying data protection authorities across Europe, the expectations of local regulators do in fact vary, in particular because the various online and offline reporting forms ask different questions that must be answered before a report can be filed. Local language requirements can differ as well, depending on the jurisdictions in which notifications must be filed. These additional formalities make filing in multiple jurisdictions more complicated, especially when tight reporting deadlines have to be met.
Ways to manage the complexity
Companies with a presence in Europe are well advised to make use of the OSS to the extent possible. As pointed out by the EDPB, it is not just a matter of having a central place of administration in Europe, but also of being able to demonstrate that the criteria set out by the EDPB are met and of producing convincing evidence if a local regulator challenges the OSS argument (which sometimes happens when a large number of affected individuals reside in an EEA country where the main establishment is not located).
Furthermore, even if there is a robust OSS set-up, companies should be prepared for scenarios where multiple regulators must be notified within Europe and the rest of the world. Even sophisticated incident response plans often do not take the global dimension of reporting obligations and the challenges that come with it into account, in particular in cases where the OSS might not apply and various countries within Europe are affected.
At Freshfields we have developed the Data Breach Notification Platform (DBNP), a unique digital collaboration tool to project-manage multiple reporting obligations on the basis of regularly updated know-how. This ensures that the global strategy can be aligned within the first 24 hours of an incident and that reports made in various countries across the globe remain consistent. You can find more information about the DBNP here.