GDPR breach debate
- A debate has emerged over whether exposures of public EU data must be reported under GDPR's 72-hour breach rule.
- Some organizations claim 'no breach' when data is public, while regulators argue certain exposures still trigger notifications.
- Privacy feeds flagged potential regulatory scrutiny and cross-border enforcement implications in recent discussions. (x.com)
A fight is opening up over a basic General Data Protection Regulation question: if exposed data was already public, does the 72-hour breach clock still start? (eur-lex.europa.eu)

The law itself sets the trigger broadly. Article 33 says a controller must notify its regulator within 72 hours after becoming aware of a personal data breach, unless the breach is “unlikely to result in a risk” to people’s rights and freedoms. (eur-lex.europa.eu) European Data Protection Board guidance defines a breach as a security failure that leads to destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data. The board’s small-business guide says breaches can hit confidentiality, integrity, or availability, not just secrecy. (edpb.europa.eu)

That framing is driving the current argument. Companies and public bodies sometimes say “no breach” when the information was already visible elsewhere, while regulators focus on whether a security control failed and whether the incident created a real risk for the people in the dataset. (edpb.europa.eu)

The distinction matters because “public” does not erase every risk. A badly exposed database can still make records easier to scrape, combine, copy at scale, alter, or weaponize for fraud, stalking, or profiling, even if some fields were obtainable before. (edpb.europa.eu; ico.org.uk) European guidance also says organizations must document every personal data breach, even when they decide notification is not required. The United Kingdom’s Information Commissioner’s Office gives the same baseline advice: record all breaches, assess risk, and notify only when the threshold is met. (edpb.europa.eu; ico.org.uk)

Cross-border cases raise the stakes. The European Data Protection Board says a breach affecting people in more than one European country should go to the lead data protection authority, and where a controller has no main establishment in the European Economic Area, notifications may have to go to every relevant national authority. (edpb.europa.eu) National regulators are pushing the same practical line. France’s CNIL says incidents that present a risk to individuals must be notified within 72 hours, and adds that when in doubt, organizations should notify the regulator and let it decide whether people also need to be informed. (cnil.fr)

That leaves the real question narrower than the online debate suggests. The issue is usually not whether data was “public” in the abstract, but whether the exposure was a security breach and whether it created enough risk to trigger Article 33. (eur-lex.europa.eu; edpb.europa.eu) The next flashpoints are likely to be enforcement decisions, not slogans. Regulators already have the tools to test “no breach” claims against the facts of access, scale, safeguards, and cross-border impact. (edpb.europa.eu; cnil.fr)