[BreachExchange] GDPR: potential fines for data security breaches more severe for data controllers than processors, says expert

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 11 20:42:04 EDT 2016


http://www.out-law.com/en/articles/2016/may/gdpr-potential-fines-for-data-security-breaches-more-severe-for-data-controllers-than-processors-says-expert/

One of the many changes that the new Regulation will deliver when it comes
into force on 25 May 2018 is a new statutory obligation on data security
that data processors must observe above and beyond contractual duties
agreed with data controller customers.

Under current EU data protection rules, service providers that process
personal data on behalf of other businesses cannot be held directly liable
to individuals for a breach of data security. If data processors are at
fault for data breaches, then it is the data controller who contracted with
them who is on the hook for any non-compliance with data protection laws,
although the data processor could be liable to the data controller under
their contract.

The Regulation addresses this anomaly but makes a distinction between the
maximum fine data protection authorities will be able to levy against data
controllers compared to data processors for failings on data security.

A two-tiered sanctions regime will apply. Breaches of some provisions by
businesses, which lawmakers have deemed to be most important for data
protection, could lead to fines of up to €20 million or 4% of global annual
turnover for the preceding financial year, whichever is the greater, being
levied by data watchdogs. For other breaches, the authorities could impose
fines on companies of up to €10m or 2% of global annual turnover, whichever
is greater.

The relevant provisions on data security are contained under Articles 5 and
32 of the Regulation.

Article 5 sets out basic rules on personal data processing, considered to be
fundamental to data protection, which apply only to data controllers. One
of those rules requires data controllers to ensure that personal data is
"processed in a manner that ensures appropriate security of the personal
data, including protection against unauthorised or unlawful processing and
against accidental loss, destruction or damage, using appropriate technical
or organisational measures".

According to the Article 83 provisions of the Regulation on administrative
fines, where data controllers breach that Article 5 requirement they can be
served with the highest possible fine that data protection authorities will
be able to issue under the reformed framework.

In contrast, if data processors breach their statutory data security
obligations, set out under Article 32, which requires them to "implement
appropriate technical and organisational measures to ensure a level of
security appropriate to the risk" of their personal data processing, then
the most they could be fined is up to €10m or 2% of global annual turnover.

Data controllers are also subject to the Article 32 obligations. It
therefore appears open to national data protection authorities to fine data
controllers for any data security failings under Article 5 or Article 32.
Their choice in those circumstances would impact on the severity of the
fines they could issue.

Whether security measures are appropriate in each instance will depend on
"the state of the art, the costs of implementation and the nature, scope,
context and purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons",
according to the Regulation.

Beyond the imposition of administrative fines for data security breaches,
the Regulation will also introduce an updated right for data subjects to
claim compensation for damages they suffer from such incidents. A data
controller or data processor could be sued for compensation as well as
being exposed to the administrative fines – being fined will not shield it
from compensation claims, and vice versa.

The revised right will allow data subjects to pursue either data
controllers or data processors for all of the compensation owed to them for
the damage they have suffered from a data breach, although a processor will
only be liable for damage caused by processing where it has not complied
with any part of the Regulation that applies to them or if it has "acted
outside or contrary to lawful instructions of the controller".

Data controllers pursued for damages will be able to claim back all or some
of the money they pay out from their data processor if the data processor
was in fact responsible, wholly or in part, for the breach. Equally, data
processors will have the same right to claim back money from data
controllers, or indeed other data processors involved, whose fault caused
or contributed to the damage, if the data subject pursues the data
processor for the full compensation pay-out.

As a result of the changes, data processors and controllers will both want
to negotiate the scope of their obligations, liabilities and indemnities
accordingly.