Mistakenly sending an email is data processing, but not data breach?

On 29 January 2021, the Belgian Data Protection Authority (“GBA“) issued a decision interesting for its contrast between a simple set of facts, on the one hand, and inclusion of bold statements about some fundamental data protection concepts, such as data breach and lawfulness, on the other hand.

The parties to the proceedings before the GBA were:

  • the complainant, a client of an accounting company;
  • the first defendant, an accounting company which provided services to the complainant; and
  • the second defendant, the complainant’s former business partner.

The accounting company used to send for many years emails to both the complainant and her business partner at the time, in the context of the business relationship between the two. After the termination of the business relationship, the accounting company again sent an email with 32 attachments to the complainant, with her former business partner cc’d in the email. However, some of the attachments were only intended for the complainant. The email, including the attachments, revealed information about the complainant’s activities, finances, and her personal data, which the accounting company kept as the complainant’s service provider. Upon receiving the email, the complainant’s former business partner forwarded it to his attorney, so that the attorney could use the information in a pending court case.

Data processing is an objective fact – intention is not a factor

According to the decision, the accounting company sent the email to the complainant’s business partner by mistake. The accounting company argued that such unintentional act cannot result in an infringement of the GDPR. However, the GBA pointed out that even unintentional processing is still processing in the meaning of the GDPR and can result in an infringement of the GDPR.

By definition, data breach can only occur as a result of insufficient security measures

The complainant argued that, by forwarding the email, the accounting company committed a data breach, and that the company was obliged to notify the GBA of the breach.

The GBA took a stance that the incident did not amount to a data breach. The fact that the accounting company unintentionally enabled the former business partner to access the complainant’s personal data was not related to insufficient technical and organisational measures. According to the decision, Article 33 of the GDPR (Notification of a personal data breach to the supervisory authority) must be read in conjunction with Article 32 (Security of processing). A data breach from Article 33 presupposes a violation of Article 32. Here, there was no violation of the security-related obligations on the part of the accounting company. Since the unintentional sending of the email, due to human error, can never be ruled out, the GBA concluded that the accounting company did not violate Articles 32 and 33 of the GDPR.

Receiving an email is not processing; consulting it and forwarding it is considered data processing

The former business partner considered himself a recipient of personal data and argued that there could be no processing in the absence of any initiative on his part.

The GBA concluded that, by his subsequent actions, the business partner took the role of a data controller. Although the passive receipt of personal data did not constitute processing, consulting and forwarding the data was processing. By forwarding the email to his attorney, the former business partner determined the purpose and the means of data processing. With that, the former business partner became a data controller with respect to the processing which occurred after he received the data.

Unlawfully obtained data cannot further be lawfully processed

The former business partner of the complainant argued that forwarding of the email to his attorney was lawful, because the Attorney’s Code of Ethics allows a client to make confidential communications to his attorney.

According to the GBA, for a client to lawfully make confidential personal data available to his attorney, a legal basis for such processing of personal data must exist. The GBA pointed out that the accounting company acted unlawfully when it provided the complainant’s personal data to the complainant’s former business partner. Consequently, the former business partner cannot – this time in the capacity of controller – lawfully use the unlawfully obtained data by forwarding them to his attorney.

Comment

The decision of the Belgian supervisory authority offers at least two non-obvious takes on some basic concepts of the data protection law. The first, although not explicitly made, is that when the initial collection of personal data lacked legal basis each subsequent instance of processing of such data is irreparably vitiated by the initial defect, irrespective of the knowledge on the part of the subsequent data controller. The other is that there is no data breach in the absence of a violation of the security-related obligations on the part of the data controller. That interpretation seems to differ from the interpretation from Article 29 Working Party’s (“WP29“) Guidelines on Personal data breach notification and from European Data Protection Board’s (“EDPB“) Guidelines on Examples regarding Data Breach Notification. Both Guidelines cite examples where a data breach occurred precisely due to a mistakenly sent email. According to the WP29 Guidelines, it is a data breach when “personal data of a large number of students are mistakenly sent to the wrong mailing list with 1000+ recipients”. The EDPB Guidelines provide an example where “the employment department […] sent an e-mail message – about upcoming trainings – to the individuals registered in its system as jobseekers. By mistake, a document containing all these jobseekers’ personal data […] was attached to this email”. The WP29 and the EDPB did not exclude “human error” from the scope of the notion of data breach. Insufficient security measures were not a necessary element of a data breach.


[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as an instructive guidance for compliance with local regulations.]