PONT Data&Privacy

CrowdStrike failure: data breach under the AVG?

The recent global outage caused by a software update from cybersecurity firm CrowdStrike has led to discussions about the legal qualification of the cyber incident. As companies grapple with the aftermath of the outage, the question arises whether the temporary inaccessibility of data should be considered a "data breach" within the meaning of the AVG (the Dutch abbreviation for the GDPR).

31 July 2024

Data protection experts such as Peter Craddock and Tim Turner expressed reservations on LinkedIn about the broad interpretation of "data breach" by some authorities. Craddock, a technology law attorney at Keller and Heckman, emphasized that the AVG does not explicitly name "unavailability" in the definition of a data breach. Although authorities such as the European Data Protection Board (EDPB) and the Information Commissioner's Office (ICO) consider temporary data loss to be a data breach, Craddock believes the literal text of the legislation should be decisive. He calls for a ruling from the European Court of Justice to provide clarity.

Turner, a leading voice on data protection law, agrees. He states in a LinkedIn post that even if the CrowdStrike outage is considered a data breach, it does not automatically mean there is a notification requirement. The AVG requires organizations to assess the likelihood of harm to affected individuals before reporting. In the case of CrowdStrike, where the impact was significant, this would have resulted in a notification requirement for many organizations. Turner criticizes this rigid approach, arguing that in practice it could lead to undesirable situations, such as organizations being forced to report an incident that is already known to authorities. In doing so, organizations would unnecessarily increase the workload on authorities.

Craddock and Turner's interpretation is at odds with the guidelines of the EDPB. The EDPB states that even a temporary loss of availability of personal data can qualify as a data breach under the AVG. This is because the authority considers access to data a fundamental part of "availability." The EDPB emphasizes that organizations must take all appropriate technical and organizational measures to ensure the protection of personal data, including its continuous availability.
