Personal data breach reporting for service outages (such as when your CDN is down)
(CDN: content delivery network. Such as Akamai.)
Even though it is not obviously within the scope of the definition of "personal data breach", guidance from both the UK's regulator and the European Data Protection Board suggests that "loss of availability" can be a personal data breach, requiring you to go through the risk assessment exercise to decide if it needs to be either notified to the regulator, or communicated to data subjects.
Is "loss of availability" really a "personal data breach"?
The definition of "personal data breach", in Article 4(12) GDPR, is:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
This is a very poorly drafted sentence, and the ambiguity comes to a head when considering temporary system outages.
Let's say that the CDN used for a service hosting personal data is down, with the effect that data subjects cannot access their personal data. Does this amount to a "personal data breach"?
It depends on how one interprets the phrase "or access to".
I read it as saying:
- accidental or unlawful destruction of personal data
- (possibly accidental or unlawful) loss of personal data
- (possibly accidental or unlawful) alteration of personal data
- (possibly accidental or unlawful) unauthorised disclosure of personal data
- (possibly accidental or unlawful) (possibly unauthorised) access to personal data
That, to me, is the plain English interpretation of the words, even with the healthy caveat that the qualifiers of "accidental or unlawful" and "unauthorised" are deployed so poorly in the sentence that it's unclear to which actions they apply.
And yet, somehow, both the European Data Protection Board and the Information Commissioner's Office have extracted from this definition a concept of "loss of availability of personal data".
What the regulator says
For example, the ICO says that there is a personal data breach:
if [personal] data is made unavailable and this unavailability has a significant negative effect on individuals
Is "loss of personal data" really the same as "temporary inability to access"?
If a system is inaccessible, I have not lost anything. I know precisely where my data are. I just cannot get at them.
The EDPB, in Guidance WP250, says:
“Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data
In a footnote, it says that:
It is well established that "access" is fundamentally part of "availability".
Whether it is or is not "well established", "availability" does not appear in the definition of "personal data breach". It does not matter if access is part of availability; the real question is whether availability is part of access, as access does appear in the definition. However, critically, the definition appears to relate to [unauthorised] access to personal data, not [unauthorised] loss of access to personal data.
It is unhelpful, in my view, that Article 32 GDPR - the bit of the GDPR imposing security obligations - says that the security measures a controller and processor must implement include:
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
It strikes me that the definition of 'personal data breach' is simply out of kilter with the obligation to ensure appropriate security. A messy inconsistency, perhaps, but one which should be fixed legislatively, not by questionable interpretation of the definition of "personal data breach".
Examples of "loss of availability" as personal data breaches (or not):
The EDPB says:
Examples of a loss of availability include where data has been deleted either accidentally or by an unauthorised person, or, in the example of securely encrypted data, the decryption key has been lost. In the event that the controller cannot restore access to the data, for example, from a backup, then this is regarded as a permanent loss of availability.
That seems reasonable to me, but under the heads of "destruction" or "loss", not "loss of access to".
Less reasonable is when it goes on to say:
A loss of availability may also occur where there has been significant disruption to the normal service of an organisation, for example, experiencing a power failure or denial of service attack, rendering personal data unavailable.
A power cut could be a personal data breach? Really?
The guidance goes on to say:
a security incident resulting in personal data being made unavailable for a period of time is ... a type of breach, as the lack of access to the data can have a significant impact on the rights and freedoms of natural persons.
It uses an example of a hospital:
if critical medical data about patients are unavailable, even temporarily, this could present a risk to individuals’ rights and freedoms; for example, operations may be cancelled and lives put at risk.
and a media company:
in the case of a media company’s systems being unavailable for several hours (e.g. due to a power outage), if that company is then prevented from sending newsletters to its subscribers, this is unlikely to present a risk to individuals’ rights and freedoms
There is a small crumb of comfort for planned maintenance windows:
where personal data is unavailable due to planned system maintenance being carried out this is not a ‘breach of security’.
Do I have to report every outage?
Even if it was categorically the case that a service outage was a personal data breach, controllers do not need to notify the regulator, let alone communicate to data subjects, all personal data breaches.
Notification to the regulator has a relatively low threshold, but a threshold all the same.
Communicating with data subjects has a higher threshold but, in the context of a service outage, there's a good chance they've already noticed (if it is a popular service), so you might want to be proactive in your communications anyway.
And, as I've discussed ad nauseam here, it's questionable if there is an obligation to notify or communicate at all. The question, really, is whether you're willing to try this argument in court, or in an appeal against a monetary penalty notice.
What should I do?
It rather depends on whether you are reading this in a panic in the middle of an outage, or reading it leisurely ahead of time.
If you're in the middle of an outage and you need a hand identifying your legal obligations, get in touch.
If you've got the time, put together a breach reporting toolkit. It needn't (read: shouldn't) be complicated, but it should be useful, and it should reflect thinking you've done ahead of time, because the last thing you want to be doing when key services are down is wondering about wording in the GDPR.
It is always a pleasure to receive reasoned feedback, and I am delighted that a kind anonymous person got in touch to say that, since the term "breach of security", which forms the opening words to the definition of "personal data breach", is undefined, there is scope for an argument that an availability breach is a "breach of security".
I confess I had not considered that, even though I am usually up for an argument about whether something is a "breach of security" or not.
Even if this is correct — even if a "loss of availability" is a "breach of security" — that breach must lead to one of the list of things which follows. This would need a case-by-case assessment.
I am still not convinced that a loss of availability in itself is a personal data breach, but a loss of availability which led to, say, a batch job failing, which somehow caused an unexpected alteration to personal data, could indeed be a personal data breach.