Out-Law / Your Daily Need-To-Know

New data breach rules for EU telecoms companies can be viewed as test of data protection proposals, says expert

Out-Law News | 25 Jun 2013 | 2:25 pm | 3 min. read

Internet service providers (ISPs) and telecoms companies will generally have to make regulators aware of all personal data breaches they experience within 24 hours of becoming aware of the breach, under new EU rules.

The European Commission has announced that it has used "technical implementing measures" set out under the EU's Privacy and Electronic Communications (e-privacy) Directive to create a Regulation containing new data breach notification rules.  (10-page / 70KB PDF)

The Commission told Out-Law.com that the Regulation could come into effect as early as the end of August.

Under the Regulation all providers of publicly available electronic communications services in the EU will have to inform their competent national authority – which depending on where they are based may be the national data protection watchdog or communications regulator, for example – within 24 hours of detecting that they have experienced a personal data breach.

The companies would have to supply the regulator with a range of information about the breach, including the estimated date and time of the incident, the nature and content of the personal data concerned and how many individuals are affected.

If all the information that the Regulation states should be provided to regulators is unknown, the companies would be able to submit a partial initial notification within the 24 hour deadline and follow it up with a further notification that includes all the information required within three days of submitting that initial notification, unless it is not possible to meet this second deadline. In those circumstances companies would have to offer regulators a "reasoned justification" for its failure to meet the notification requirements on time.

The telecoms providers will also generally have to notify individuals affected by a personal data breach "without undue delay" in cases where the breach is "likely to adversely affect the personal data or privacy" of those individuals.

Factors such as the type of personal data that has been breached, the likely consequences of the breach for individuals, and the circumstances of the breach, such as whether the data has been stolen or where the provider knows the information is in the hands of an unauthorised third party, should be assessed to determine where a breach is likely to adversely affect individuals' privacy, according to the Regulation.

However, telecoms providers would be able to avoid having to notify individuals if they can show regulators to their satisfaction that the use of "technological protection measures" has rendered the breached data "unintelligible to any person who is not authorised to access it".

The Commission said that it will publish "an indicative list" of the technological protection measures it would consider will render personal data unintelligible.

A spokesperson for the Commission told Out-Law.com that the new rules "do not in any way set a precedent for a future Data Protection Regulation". However, technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that the rules could provide a useful test for how a new data breach notification regime could work under a reformed data protection law framework.

Under proposed new EU data protection laws tabled by the Commission, organisations would be generally required to report all personal data breaches to regulators "without undue delay" and, if possible, within 24 hours of becoming aware of them. Companies would also have to report data breaches that could adversely affect individuals without undue delay, under the Commission's plans.

Those plans have been met with criticism, with some business groups concerned about their ability to meaningfully report breaches within 24 hours. Proposed amendments tabled by EU Ministers would, if introduced, restrict the cases in which personal data breaches would have to be reported. 

"It may be that the Commission intends to evaluate the impact that a 24 hour notification period will have on these types of organisations in order to quell the discontent that has arisen as a result of its proposal under the data protection regulation that data controllers notify supervisory authorities within 24 hours of data breach or otherwise provide an explanation for a delay in reporting," Scanlon said.

"If the evidence suggests that the notification requirement may not be as burdensome as some have suggested in terms of cost and administration for organisations subject to these requirements, the Commission may feel that it has a solid basis upon which to push forward with its proposal. On the other hand, the experiences of these organisations, if shared with industry, may in fact provide tangible indications that what is being proposed by the European Commission is unfeasible and that an approach which focussed on reporting only in circumstances where individuals' rights have been substantially affected may be more appropriate," he added.

In addition to the new data breach notification regime it has proposed under a reformed data protection law framework, the Commission has also set out a separate data breach notification regime in its draft Network and Information Security Directive, which would apply to companies in the energy, financial services and technology sectors, among others, and account for data breaches where personal data is not involved.

The Commission said that the purpose of the new rules specific to electronic communications service providers is to "ensure all customers receive equivalent treatment across the EU in case of a data breach, and to ensure businesses can take a pan-EU approach to these problems if they operate in more than one country".