Is the Crowdstrike outage a personal data breach?

A fascinating article and LinkedIn post from data protection specialist Jon Baines asks whether the recent Crowdstrike/Microsoft outage that resulted in a temporary inability to access personal data constitutes a personal data breach (PDB) under Article 4(12) of the General Data Protection Regulation (GDPR). 

A LinkedIn poll resulted in a split vote. However, Baines argues that not every incident meets the definition of a PDB and that both the Information Commissioner's Office (ICO) and the European Data Protection Board (EDPB) are wrong to categorise this as a breach. 

"This is about the law, and in law, words are important. To refer to a PDB as the single word "breach" is a potential cause of confusion, and both the ICO and the EDPB guidance are infected by and diminished by sloppy conflation of the terms "personal data breach" and "breach". In English, at least, and in English law, the word "breach" will often be used to refer to a contravention of a legal obligation: a "breach of the law". (And in information security terminology, a "breach" is generally used to refer to any sort of security breach.) But a "breach" is not coterminous with a "personal data breach", wrote Baines.

While not wanting to criticise any controllers for making an Article 33 notification, Baines highlights the 50/50 split on his online poll, suggesting a level of uncertainty that may require future clarification. 

Anyone interested in this article should also take note of the comments on the LinkedIn post, as they add to an interesting debate.

In related news, the Italian data protection authority (Garante) has announced that it has opened an investigation into the effects of the recent global IT outage caused by a malfunction of the CrowdStrike security software. The investigation aims to determine the implications such outages have on the processing of personal data.

(Translate to English: Google Chrome, Mozilla Firefox, Microsoft Edge, or Apple Safari)