On October 18, 2022, the European Data Protection Board (“EDPB”) published a proposed updated version of its regulatory guidance on personal data breaches under the EU GDPR (the “Proposed Updated Guidance”). The Proposed Updated Guidance seeks to place heavier personal data breach notification obligations on controllers established in the U.S. (and other non-EU countries) but which are subject to the EU GDPR’s extra-territorial application provisions.
The Proposed Updated Guidance underscores that such controllers do not benefit from the EU GDPR’s “one-stop-shop” system, and that therefore any (notifiable) personal data breach must be “notified to every single [EU Supervisory Authority] for which affected data subjects reside in their [EU] Member State”.
This contrasts with the currently-available regulatory guidance from the EDPB, which instead places emphasis on the fact that such controllers are subject to the EU GDPR’s requirement to appoint a GDPR “representative” located in the EU. The existing guidance recommends that the breach notification should only be made “to the [EU Supervisory Authority] in the [EU] Member State where the controller’s representative in the EU is established.”
The proposed updates are likely to prove controversial amongst U.S. and other non-EU controllers, which face the prospect of notifying and dealing with multiple EU Supervisory Authorities in parallel – rather than just one. The EDPB clearly considers the proposed changes significant enough to warrant a public consultation – companies are able to submit feedback to the EDPB on the Proposed Updated Guidance until November 29, 2022.