Data Breach Notification Law approved by EU

As reported previously on Datonomy, agreement has been reached between the EU institutions on the introduction of rules on reporting data security breaches under the telecoms package. The new requirements apply only to providers of electronic communications services, and Member States will be required to introduce the new rules by 2011.

However, the Commission has committed to extending the breach notification regime to all organisations which process personal data, such as online retailers and banks, as a matter of priority by presenting draft legislation as soon as 2011.

The key elements of the new provisions are:

  • a duty to notify the relevant national regulator “without undue delay”;
  • a duty to also notify the affected subscriber or individual if the breach is “likely to adversely affect” that individual’s privacy, except where the provider can demonstrate it has applied “appropriate technological protection measures” which render the data unintelligible to unauthorised users;
  • minimum content for any notifications to individuals or regulators;
  • a discretion for national regulators to issue guidelines on the circumstances for, and the format and content of, breach notifications;
  • a power for national regulators to audit providers’ compliance and to impose appropriate sanctions for non-compliance;
  • the possibility for harmonised arrangements for the circumstances, format and procedures for breach notifications to be developed (by the EU’s Article 29 Working Party and the European Network and Information Security Agency, ENISA).

The new legislation also strengthens the existing provisions of the Privacy and Electronic Communications (PEC) Directive, which already mandate “appropriate” technical and organisational security measures, by adding the following minimum standards:

  • ensuring that personal data can only be accessed by authorised personnel;
  • protecting personal data against unlawful or accidental destruction, loss, alteration, storage, processing, access or disclosure;
  • ensuring the implementation of a security policy; and
  • the power for national authorities to audit communications providers’ implementation, and to issue recommendations.

Next steps

The telecoms package, including the new provisions on breach notification and cookies, should now proceed smoothly into law, being largely agreed in principle. While still subject to formal European Parliament and Council approval, this should be a formality save for any tidying changes. The legislation is expected to be formally adopted in early 2010, from which point Member States will have an 18 month period in which to transpose it into domestic law. As is often the case, the devil may be in the detail of the UK’s implementing legislation and of the regulator’s guidance on the data breach provisions.
