CIPP/E Study Guide
Ch 10.3.3 - Article 34

Article 34 - communicating the breach to data subjects

Article 34 requires controllers to inform affected individuals without undue delay where a breach is likely to result in a high risk to their rights and freedoms - a higher threshold than Article 33. Three exceptions in Article 34(3): data rendered unintelligible (e.g. by encryption - the 'encryption safe harbor'); measures taken so the high risk is no longer likely; or disproportionate effort, requiring a public 'substitute notice' instead. Regulators can order communication under Article 34(4). Recital 86 lets law enforcement justify a delay.

Article 34 requires controllers to inform data subjects of a breach where it is likely to present a high risk to their rights and freedoms. This severity threshold is what distinguishes it from Article 33: a breach of names and business email addresses might be a 'risk' triggering Article 33 notification, but not a 'high risk' triggering Article 34, since many people share business emails openly. 'High' can be determined either via impact on a large number of data subjects or a large amount of damage to certain individuals (Recitals 75-76).

The three Article 34(3) exceptions to communicating with data subjects
Exception / Effect

Art 34(3)(a) - Data rendered unintelligible: encryption safe harbor. If the data is unintelligible to unauthorised persons (e.g. encrypted), no communication is needed.

Art 34(3)(b) - Subsequent measures: if the controller took steps so the high risk is no longer likely to materialise, no communication is needed. This rewards good incident response.

Art 34(3)(c) - Disproportionate effort: where individual communication is impractical (e.g. individuals are unidentifiable), a public 'substitute notice' (press release / website) is used instead.

By Article 34(4), regulators can order a controller to communicate - often after receiving the Article 33 notification, or after reviewing the Article 33(5) records and finding a case wrongly kept secret. Illustrative high-risk breaches: cyberattacks causing data exfiltration; ransomware encrypting non-backed-up data; hospital records unavailable for thirty hours due to a cyberattack; a marketing email disclosing all recipients' addresses to each other. Recital 86 notes that law enforcement interests (e.g. tipping off offenders or destroying evidence) may justify delaying communication.

Article 33 vs 34 - the threshold

Article 33 (regulator) triggers on a mere risk. Article 34 (data subjects) triggers only on a high risk. Same breach, two different thresholds.

Key terms - quick answers

What is “Article 34”?
Requires controllers to communicate a personal data breach to affected data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms.
What is “High risk”?
The elevated threshold for Article 34 - determined either by impact on a large number of people or a large amount of damage to certain individuals.
What is “Encryption safe harbor”?
Article 34(3)(a) exception: communication is not required if the data was rendered unintelligible (e.g. by encryption) to unauthorised persons.
What is “Disproportionate effort”?
Article 34(3)(c) exception where individual communication is impractical (e.g. individuals cannot be identified); a public 'substitute notice' is used instead.