Telcos' data breach notification amendment is passed

Out-Law News | 03 Nov 2009 | 2:14 pm | 5 min. read

The European Council has approved a data breach notification rule for Europe's telecoms firms. The amendment to an EU Directive will force telcos to tell customers if they lose their data.

The European Parliament and Commission have already approved the amendments, which will become law after it has been published in the EU's Official Journal and signed by the President of the Council and President of the European Parliament.

The amendments, though, do not extend data breach notification duties to non-telecoms firms, despite the Parliament's earlier demands that it include providers of 'information society services' such as online banks or health services providers.

"The Council adopted a directive amending legislation in force on universal service, ePrivacy and consumer protection," said a Council statement on its meeting last week. "The directive adapts the regulatory framework by strengthening and improving consumer protection and user rights in the electronic communications sector, facilitating access to and use of ecommunications for disabled users and enhancing the protection of individuals’ privacy and personal data."

The Parliament had lobbied hard to have the notification requirement extended to the companies that provide services on the internet and not just the ones that connect users to it, but the Commission and Council rejected those attempts.

It was backed in its call by the Article 29 Working Party, which is a committee formed by all of Europe's national data protection watchdogs.

"An extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services," the Working Party said earlier this year.

"Online transactions including access to e-banking services, private sector medical records and online shopping are few examples of services that may be subject to personal data breaches causing significant risks to a large number of European citizens," it said. "Limiting the scope of these obligations to publicly available electronic communications services would only affect a very limited number of stakeholders and thus would significantly reduce the impact of personal data breach notifications as a means to protect individuals against risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm."

The European Commission last week signaled its willingness to negotiate separately on the introduction of a more general data breach notification law.

"The Commission will … extend the debate to generally applicable breach notification requirements and work on possible legislative solutions," Information Society Commissioner Viviane Reding said at a meeting organised by the European Data Protection Supervisor last month. "This will be done in close consultation with the European Data Protection Supervisor and other stakeholders."

Reding also committed the Commission to a general review of the laws designed to protect internet users' privacy.

"In 2010, the Commission intends to launch … a major initiative to modernise and strengthen network and information security policy in the EU," she said at that meeting. "At the same time, I believe we should look at the emerging challenges for privacy and trust in the broad information society, with a particular emphasis on some of the outstanding issues which were raised during the discussions on the revision of the ePrivacy Directive, such as targeted advertising, convergence, the use of IP addresses and on-line identifiers."

The key provisions

The original law addressed security at Article 4. It said:

1. The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.

2. In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.

The amended law states in part:

…the measures referred to in paragraph 1 shall at least:

– ensure that personal data can be accessed only by authorised personnel for legally authorised purposes,

– protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and

– ensure the implementation of a security policy with respect to the processing of personal data.

Relevant national authorities shall be able to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security which those measures should achieve.

The following paragraphs are added by the new law:

"3. In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority.

When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach without undue delay.

Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

Without prejudice to the provider's obligation to notify subscribers and individuals concerned, if the provider has not already notified the subscriber or individual of the personal data breach, the competent national authority, having considered the likely adverse effects of the breach, may require it to do so.

The notification to the subscriber or individual shall at least describe the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach. The notification to the competent national authority shall, in addition, describe the consequences of, and the measures proposed or taken by the provider to address, the personal data breach.

4. Subject to any technical implementing measures adopted under paragraph 5, the competent national authorities may adopt guidelines and, where necessary, issue instructions concerning the circumstances in which providers are required to notify personal data breaches, the format of such notification and the manner in which the notification is to be made. They shall also be able to audit whether providers have complied with their notification obligations under this paragraph, and shall impose appropriate sanctions in the event of a failure to do so.

Providers shall maintain an inventory of personal data breaches comprising the facts surrounding the breach, its effects and the remedial action taken which shall be sufficient to enable the competent national authorities to verify compliance with the provisions of paragraph 3. The inventory shall only include the information necessary for this purpose.