
Interpreting Legal Definitions – the GDPR “Personal Data Breach”

Office burning whilst lawyer checks definition of fire.


Many DPOs lack a law degree, and those without one may also lack basic legal training. This is not the DPO’s fault: they may have been given the DPO role as a “side-of-the-desk” task alongside their primary role. But a DPO without some basic legal training can cause issues for a Controller or Processor, because they may not realise that interpreting the words in a legal statute, such as the EU or UK GDPR, involves several legal principles that are crucial to arriving at the correct interpretation of a term. In observing and interacting with DPOs, e.g. through contract negotiation and due diligence, I often see DPOs interpret GDPR using the plain English understanding of a word or phrase (this is written for those reading the statute in English) without consideration (or perhaps knowledge) of the legal interpretation. In doing so, DPOs may misinterpret what they are reading and then provide faulty advice or guidance to the Controller or Processor they support. This is not good!

So, by no means exhaustive and by no means legal advice, this article uses the definition of Personal Data Breach in EU GDPR as a case study to illustrate some of the principles of legal interpretation. I hope you find it useful!

What is the definition of a Personal Data Breach?

The English text of Article 4(12) of EU GDPR states:

personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

The definition is then referenced in the following [other] Articles of GDPR:

The definition is further referenced in the following recitals:

The EDPB also provides guidance in the form of:

On the EDPB website, in the section on reporting personal data breaches, they state the following (correct at time of writing):

Organisations should be aware that a personal data breach can cover a lot more than just ‘losing’ personal data. It includes incidents affecting the confidentiality, integrity or availability of personal data. Importantly, personal data breaches include security incidents that are the result of both accidents (such as sending an email to the wrong recipient, losing a USB key containing customer data, or accidentally deleting medical data for which no backup is available), as well as deliberate acts (such as phishing attacks to gain access to customer data).

In other words, this includes situations such as where someone accesses personal data or passes it on without proper authorisation, or where personal data is rendered unavailable through encryption by ransomware, or accidental loss or destruction. Whilst all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches (since there may not be any personal data involved in a given security incident).

All sounds good. We now have a legal definition and an independent European body with legal personality, the European Data Protection Board (EDPB), that ensures the GDPR is applied consistently and also ensures cooperation, including on enforcement. This body sets out how the definition should be interpreted and applied; the CJEU (or, for UK GDPR, the UK Supreme Court) would have the ultimate say if the EDPB (or ICO) interpretation were legally challenged. The EDPB also has the power to take binding decisions on cross-border cases on which no consensus is reached. The EDPB have spoken and we DPOs must listen. There should be no issue over what is and what isn’t a personal data breach, and no issue over what should or shouldn’t be reported.

The thing is, even though the EDPB (the boss legal entity) has set out how the definition should be interpreted, that doesn’t mean a DPO, lawyer or layperson will take that direction on board; they may instead choose to apply their own interpretation of the definition independently. During the recent CrowdStrike security incident (yes, I said it!), there were many commentators claiming that the temporary loss of availability of, or access to, personal data was not a personal data breach, based on their specific interpretation of the plain English definition we saw above. Many of their followers agreed. Some were even so bold as to say the EDPB (the ones tasked with telling us how to apply GDPR) are wrong, and that the legal definition doesn’t cover availability. Personally, I don’t think the EDPB are wrong, and when the relevant legal principles are applied, that becomes [more] clear. Let’s break things down…

Breaking down the Definition

One useful way to interpret a definition in a legal text is to first break the definition into chunks. When I break down a definition, I look for nouns, verbs and adjectives. I look at the positioning of commas and full stops. I also look for lists and how they are constructed. I look for terms that are also defined in the same legal instrument. Finally, I look for where the definition is used within the wider statute.

I then tackle different parts of the definition in an order based on their relative grammatical importance. The order I prefer is

One useful way to identify these component parts is to colour code them. Once you have done this, you can grammatically re-order the definition for deeper analysis. The way I reordered the definition can be seen in the chunks below:

Once you have them in such an order, you can then analyse the chunks and apply relevant legal interpretation principles as appropriate. In the next section, we do just that…

Personal Data

The most important term in the definition is Personal Data. We know it’s important because it also appears in the name of the term being defined. We also know personal data is defined within the regulation. We know from Article 4(1) that:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

We can therefore conclude that if the incident involves no personal data, it is not a personal data breach and we can stop there. No personal data = no personal data breach. Interpreting the definition in this way is to apply the plain meaning (or literal) rule: absent a reason to do otherwise, a word is given its ordinary meaning. It sits alongside the Plain English drafting principle, which says a law should be written simply, clearly and concisely, with the required degree of precision, and as much as possible in ordinary language.

Transmitted, Stored or Otherwise Processed

For the next chunk, we get to our first piece of Latin. The law loves a bit of Latin, and so we shall see a few phrases during this article. The first is ejusdem generis, which means “of the same kind”. This legal principle states that when a general term follows a list of specific terms, the general term is interpreted to include only items of the same type as the specific terms. Here the specific terms are “transmitted” and “stored” and the general term is “otherwise processed”. But where can we go to get a list of terms that would fall into the net of “otherwise processed”? Luckily, GDPR has such a list in the Article 4(2) definition, which defines processing to mean:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

We now have a pretty comprehensive definition of scope in terms of processing activities. If personal data is processed in any of the above ways, then it falls within the scope of a personal data breach…subject to the caveats we will now discuss below.

Breach of Security

The next chunk we can turn our eyes to is “breach of security”. There is no specific definition of a breach of security in EU GDPR, so is there a legal principle we can turn to in order to find out what the legislators meant? There is! We can apply the harmonious construction principle. Harmonious construction requires that a statute is read as a whole, and that one provision is construed with reference to the other provisions of the same statute, so that the whole enactment is consistent. So, what clues can we get from other parts of the EU GDPR to understand what a breach of security might entail? For me, this has got to be Article 32, “Security of processing”. Article 32(1)(b) talks, amongst other things, about the Controller’s/Processor’s

ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

Article 32(1)(c) goes further still, requiring the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident. It follows that where a Controller/Processor is not able to ensure the ongoing availability of processing systems and services, a breach of security has occurred. By applying the legal principle of harmonious construction, we do not need to leave the GDPR for another definition of a security breach. But if the above is not enough, we can go a little further and look at the recitals. The recitals provide clues about intent. For those of you who are interested, the purpose of recitals is to:

set out concise reasons for the chief provisions of the enacting terms, without reproducing or paraphrasing them.

What is useful for our purposes is the following text from recital 83 which states:

Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.

We see that security includes confidentiality but, importantly, not just confidentiality: the word “including” signals a non-exhaustive list, so it also covers integrity and availability. We can therefore be pretty certain that a breach of security includes a scenario where the Controller or Processor has failed to ensure the ongoing availability of a processing system or service that processes personal data.

Leading to…

Now we move on to the next chunk, “leading to”. The key question when seeing the words “leading to” is whether the former, i.e. the breach of security, led to one or more of the items that follow. This wording is all about causation. We can pretty much take the plain English meaning of the phrase. If the breach of security caused one of the stated impacts (which we shall discuss shortly) to some personal data, then a personal data breach occurred.

The Accidental or Unlawful

Again, we can take this chunk using the plain English meanings of the words. That is to say, the impacts don’t have to be malicious. For example, both accidentally losing your keys and someone stealing your keys and hiding them would be covered by this phrase. It’s also important to remember that this chunk qualifies what comes after it, not what precedes it. The reader should not read the words to mean an accidental or unlawful breach of security; it is the destruction, loss, alteration, disclosure or access that is accidental or unlawful.

Destruction, Loss, Alteration

In this chunk we have three terms in a list. The challenge here is that two of the terms, destruction and loss, might be read as synonymous. When interpreting a legal text, the text must be read with a presumption of intent. That is to say, we must assume the legislators meant to write something in a specific way to give a specific effect in law (and, by the same token, that they did not include a word that adds nothing). But how do we decipher this intent?

Where there is potential ambiguity, as in this case, we can look to the legal principle of noscitur a sociis. The Latin translates as “it [a term] is known by its associates”. What this means is that when looking at terms in a list, the reader must consider the other terms present in the list to determine the legislator’s intent. In the case of the personal data breach definition, we can see that the legislator’s intent was to signal that destruction should be interpreted as a state distinct from loss. That is to say, where personal data is destroyed, it is irreversibly gone. Where personal data is lost, it is in a state where it is temporarily inaccessible or unavailable to the Controller or Data Subject, but not permanently so.

Now, when mulling over the content of this article, I did have a discussion about whether something could be permanently lost as well as temporarily lost. For example, a Controller or Processor knows the personal data hasn’t been destroyed but simply can’t find it. In short, they don’t know whether it may or may never turn up, a Schrödinger’s-cat-esque scenario, so to speak. It’s important to consider this point, as this may be the logic a person applies when interpreting the word loss. The question a DPO should ask is whether anyone can realistically, in the moment, be assured that something is permanently lost. My view is that they can’t. All they can say is that it’s temporarily lost and they don’t know how long it might be until it’s found. Loss can’t mean permanent unavailability because of the inclusion of the term destruction. Besides, there is always the possibility that something might eventually turn up, like the Endurance, for example.

The final term, alteration, relates to the integrity element of the CIA triad. Where data is accidentally or unlawfully altered, its integrity (and that of the systems and processes relying upon it) is compromised.

We can therefore be confident in interpreting destruction and loss as terms that connote the difference between a permanent (destruction) and a temporary (loss) state of unavailability, while alteration relates to a state where data integrity is compromised.

Unauthorised Disclosure of, or Access to,

In the previous chunk we focused on availability and integrity. In this chunk we complete the CIA triad. The unauthorised disclosure of, or access to, data, whether accidental or unlawful, creates a breach of confidentiality: a scenario where a person or persons who should not be able to view personal data can do so for a period of time. When looking at the construction of this part of the definition, the word unauthorised applies to both disclosure and access. That is to say, even if a person can access personal data they should not have access to but has yet to do so, and this access was the result of a breach of security, e.g. someone provisioning access to a user without the appropriate approvals, this falls within the scope of a personal data breach. The practical check is therefore whether an unauthorised access path existed, not whether anyone used it.

Summing up

So there we have it: a step-by-step guide on how to interpret a definition in a legal text. A word of caution though: the case study above is by no means exhaustive. There are several other things you might wish to consider, such as the Mischief Rule or Teleological Interpretation. There is more Latin too, such as Expressio Unius Est Exclusio Alterius. The important takeaway is that there is more to the interpretation of a legal text than simply having a good grasp of grammar. I hope you have found this useful, and if I have made any mistakes, do let me know in the comments…and if you need support with your data protection programme, get in touch.

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
