What are the strengths and weaknesses of the data breach notification obligation in the GDPR given its objectives?
08 September 2023

Data breaches: Does the GDPR help?

Authors: Frederik Zuiderveen Borgesius & Hadi Asghari

Imagine waking up one morning to find that your favourite online service has been subject to an attack by hackers. The hackers have exposed confidential data from the company, including your name, address, and credit card details. Such a scenario illustrates what a data breach can mean: unauthorised access to, or release of, sensitive information by malicious actors. But what steps need to be taken when such a security violation occurs? According to the General Data Protection Regulation (GDPR), an organisation (e.g., the online service) must notify the responsible data protection supervisory authority; and in a second step, notify the data subjects (e.g., you) if the data breach threatens their rights and freedoms. But does this notification requirement help protect personal data and mitigate the potential consequences of data breaches? In a new paper – written together with our colleagues Noël Bangma and Jaap-Henk Hoepman – we combine insights from different disciplines (law, information security and economics) to address the following question: What are the strengths and weaknesses of the data breach notification obligation in the GDPR given its objectives? In this blog post, we summarise the main points of the paper.

The GDPR and data breaches

The GDPR’s obligation to notify data breaches can be summarised as follows. Under article 33, the data controller must report a breach to the data protection supervisory authority, unless the breach is unlikely to result in risks for people. Under article 34, a controller must notify a data breach to the data subject when the breach is likely to result in a high risk to the rights and freedoms of the data subject. The controller is, in short, the organisation that determines the purposes and means of the processing of personal data; the data subject is the person whose personal data are processed. A data breach can have far-reaching effects for people, and can lead, for instance, to financial loss, identity fraud, damage to reputation, and other privacy harms when sensitive data is involved.

Six goals of the GDPR’s data breach notification obligation

Through our analysis we identified six rationales for the GDPR’s data breach notification obligation, and explored for each rationale whether the obligation is likely to be useful.

1. People can protect themselves

One rationale for a breach notification obligation is that people can protect themselves after a notification. Such an obligation can, for instance, prompt people to change their passwords if a controller has leaked their passwords, or to block their credit card after a breach involving the leak of credit card details.

However, some personal data is difficult to change. One’s medical record can contain sensitive and high-risk data, but there is not much that people can do if their medical data has been leaked. Additionally, many people might lack the technical knowledge to protect themselves properly against identity fraud and other risks. In sum, while breach notifications can in some cases help people protect themselves, we shouldn’t have overly optimistic expectations.

2. People can choose, or switch to, competing services

A publicly known data breach could in theory encourage customers to switch to a competitor. However, in practice, this switching argument does not hold up in many situations. For instance, if your employer or university suffers a breach, you cannot easily switch to another job or university. For many online services, switching is also difficult, especially if the usefulness of the service depends on the number of other users. And in many cases, people find it difficult or burdensome to switch.

Another challenge for most people is that it is difficult to assess whether another controller offers better security, since there is information asymmetry regarding the security practices of controllers.

Regardless of our criticism, notification obligations can be useful for those consumers who are willing and able to switch to another company after a data breach.

3. Incentivising organisations to improve security

A notification obligation could stimulate controllers to focus on better data security, as reported data breaches cause negative publicity. Murcian-Goroff found such improved security practices in California after that state adopted the world’s first data breach notification law. In Europe too, it appears that controllers started to take data security more seriously after the GDPR was adopted. However, it is difficult to distinguish the effects of the GDPR in general from the effects of its data breach notification requirements specifically.

4. The data breach notification obligation enables regulators to perform their functions

A fourth rationale for the notification obligation is that it enables data protection supervisory authorities to do their job. (Each EU member state has its own data protection supervisory authority, and in Germany, every state has its own authority.) First, the supervisory authority can provide a second opinion if a controller decides not to notify the data subject. (If the authority considers the personal data breach to be of high risk, it may require the controller to communicate the breach to the data subject, regardless of the opinion of the controller.) Second, the notifications give supervisory authorities information about security risks in society, for instance that many data breaches occur in a certain sector.

5. Improving transparency and accountability

A data breach notification obligation can help improve transparency towards the data subjects and the data protection supervisory authorities. However, as discussed next, the GDPR could have contributed more to transparency.

6. Generating statistics

A data breach notification obligation enables authorities to compile and publish statistics about data breaches. The European Data Protection Board (EDPB) already publishes some data: it sometimes reports on the number of data breaches that have been notified to the supervisory authorities. But more transparency would be welcome, and we recommend that European supervisory authorities and the Board make more statistics and information available for researchers and others. Building on the data published by the EDPB, we calculated the number of breach notifications per hundred thousand firms for all EU member states (except Greece) between May 2018 and November 2019. The results span quite a wide range, from under 200 (Italy, Spain, Romania) to over 7,000 (Denmark, Ireland, Netherlands) breach notifications per 100,000 firms in the specified time period. The figure for Germany is around 3,000 breach notifications per 100,000 firms. Such a large difference is somewhat puzzling. A higher ratio does not necessarily reflect a worse security situation; it can also indicate better breach detection capabilities, and a more cautious business culture that prefers to over-report.

Conclusion on the data breach notification

Our main conclusion is that the GDPR’s data breach rules are likely to contribute to the six goals. For instance, the data breach notification obligation can nudge organisations towards better security; such an obligation enables regulators to perform their duties; and such an obligation improves transparency and accountability.

However, we also warn that we should not have unrealistic expectations of the possibilities for people to protect their interests after a data breach notice. Likewise, we should not have high expectations of people switching to other service providers after receiving a data breach notification.

Lastly, we call upon data protection supervisory authorities to publish more information about data breaches that have been reported to them. Such information enables research and better policy making regarding data security.

For more details, please check out our paper, which is available without a paywall.

Hadi Asghari, Dr., Researcher: AI & Society Lab
