Draft rules coming into effect next month for communications service providers on when and how to notify data security breaches are the clearest indication yet of the obligations proposed for all data controllers under the draft General Data Protection Regulation. The new telco-specific regime includes some welcome concessions on when the deadline for notifying regulators starts, and on the circumstances in which individuals need to be notified. Datonomy analyses the new rules.
Who is the new regulation aimed at?
Last week, the European Commission presented a new draft Commission Regulation on the measures applicable to the notification of personal data breaches under the E-Privacy Directive 2002/58/EC. This Regulation (like the notification requirements under the 2002 Directive) applies only to “providers of publicly available telecommunications services” and will come into force in August 2013.
Under the E-Privacy Directive, telecom companies, internet service providers and other providers of publicly available electronic communications services (“CSPs”) are already obliged to notify competent national authorities and, in certain cases, affected individuals if there is a personal data breach. The Directive is, however, silent on the details of how and when such notifications must be made.
The draft Commission Regulation aims to clarify this issue and ensure consistency by setting out EU wide technical implementing measures concerning the circumstances, format and procedures applicable to the notification requirements, thereby allowing companies that operate in more than one European country to take a pan-EU approach in case of a data breach.
Main Obligations of CSPs under the draft Commission Regulation
The main obligations of CSPs under the draft Commission Regulation are as follows:
- Notification to the competent national authority within 24 hours after detection of the personal data breach
- Notification to affected individuals without undue delay if the data breach is likely to adversely affect the individuals’ personal data or privacy
Notification to the competent national authority: 24 hour deadline
On the face of it, the notification deadline is unfeasibly strict: the draft Commission Regulation requires CSPs to notify all personal data breaches to the competent national authority “no later than 24 hours after the detection of the personal data breach, where feasible”.
However, there are a number of concessions to the 24 hour deadline to make the obligation more workable.
If not all of the necessary information is available within 24 hours, the CSP must follow a two-step approach: an initial notification with a limited set of information must be made to the competent national authority within 24 hours, and a second notification with the remaining information must follow within three days of the initial notification.
Content of and process for notification
The notification must include a specific list of information as set out in annex 1 of the draft Commission Regulation including the name of the provider, the date and time of the incident, the circumstances of the data breach and the nature and content of the personal data concerned.
Regulators must establish secure electronic means for notification.
Feasibility of notification and “sufficient awareness” of the breach
Despite its strict timeframe requirements, the notification requirement vis-à-vis national authorities does not necessarily require CSPs to act immediately upon becoming aware of a data breach.
Firstly, notification to the competent national authority must only be made “where feasible”. Secondly, the notification obligation only applies after a personal data breach has been detected. Under the draft Commission Regulation this requires that the provider “has acquired sufficient awareness that a security incident has occurred which led to personal data being compromised in order to make a meaningful notification”. The fact that a provider should have acquired sufficient awareness had it made diligent enquiries does not fall within the definition of “detection of a personal data breach”.
Accordingly, neither a mere suspicion that a personal data breach has occurred, nor the mere detection of an incident without sufficient information on its scope, will be enough to trigger the provider’s obligation to notify the competent national authority. In practice this gives providers welcome breathing space to investigate an incident fully before the 24 hour clock starts.
Notification to individuals: factors to consider
The second main obligation under the draft Commission Regulation relates to individuals that are affected by the data breach and who must be notified by the CSP if the breach is “likely to adversely affect the individuals’ personal data or privacy”.
If this is the case, the individuals must be notified without undue delay after the personal data breach has been detected and provided with a specific set of information as laid out in annex 2 of the Regulation including a summary of the incident that caused the data breach, an estimated date of the incident and information about the measures taken by the provider to address the data breach.
When determining whether a personal data breach is “likely to adversely affect the personal data or privacy” of an individual, specific circumstances shall be taken into account. These include:
- the nature and content of the personal data concerned (particularly financial information, sensitive personal data, location data, internet log files, browsing history, email data and itemised call lists);
- the likely consequences of the data breach for the individual – particularly where the breach puts individuals at risk of ID theft, fraud, physical harm, psychological distress, humiliation or reputational damage, and
- the circumstances of the breach – particularly where the data has been stolen or when the provider knows the data are in the possession of an unauthorised third party.
However, even if it is determined that the personal data breach is likely to adversely affect the personal data or privacy of an individual, notification of the affected individual will not be necessary if the CSP has implemented “appropriate technological protection measures” to render the data unintelligible to any person who is not authorised to access it.
The Regulation defines what constitutes “unintelligible” by reference to encryption and hashing. It does not set out specific standards, but it authorises the Commission to publish a separate indicative list of technological protection measures that are sufficient for that purpose. Accordingly, once this list has been published, CSPs will be able to avoid notification obligations vis-à-vis individuals by implementing the technological measures suggested by the Commission. One caveat for practitioners: a plain, unkeyed hash of low-entropy data such as telephone numbers or email addresses does not make it unintelligible in any meaningful sense, because an attacker can hash every candidate value and compare; the protection comes from encryption, or from a keyed hash, where the key itself has not been compromised in the same breach.
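The following is an added illustration of that caveat, not code from the Regulation or from Datonomy. It shows why an unkeyed hash of a telephone number is not “unintelligible” while a keyed hash (HMAC-SHA256 under a secret key the attacker does not hold) is: an attacker who obtains the hashed column simply enumerates the whole numbering range. The numbers are constructed from the Ofcom range reserved for fiction (07700 900000 to 900999) so that no real subscriber appears, and the choice of HMAC stands in for whatever measures the Commission eventually lists; the page does not say which algorithms will qualify.

```python
import hashlib
import hmac
import secrets

# Constructed sample domain: the UK range reserved for drama use, 1,000 numbers.
# A real attacker would enumerate a much larger range, but the cost is the same
# per candidate, so the small domain keeps the demo fast without changing the point.
PREFIX = "+447700900"
DOMAIN = [f"{PREFIX}{i:03d}" for i in range(1000)]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, so anyone can rebuild the mapping."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a key the CSP keeps outside the dataset."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(target_digest: str, candidates, digest_fn):
    """Attacker's view: hash every candidate in the domain and look for a match.
    Returns the recovered plaintext, or None if nothing in the domain matches."""
    for cand in candidates:
        if hmac.compare_digest(digest_fn(cand), target_digest):
            return cand
    return None


def demo():
    leaked_number = "+447700900123"          # constructed subscriber number
    secret_key = secrets.token_bytes(32)     # held by the CSP, not part of the leak

    # What the attacker actually obtains from the breached dataset.
    leaked_plain = plain_hash(leaked_number)
    leaked_keyed = keyed_hash(leaked_number, secret_key)

    # 1. Unkeyed hash over a small domain: recovered after at most 1,000 hashes.
    recovered_plain = recover_by_enumeration(leaked_plain, DOMAIN, plain_hash)

    # 2. Keyed hash: without the key the attacker can only guess one. Enumerating
    #    the whole domain under a guessed key yields no match.
    guessed_key = secrets.token_bytes(32)
    recovered_keyed = recover_by_enumeration(
        leaked_keyed, DOMAIN, lambda v: keyed_hash(v, guessed_key)
    )
    return recovered_plain, recovered_keyed


if __name__ == "__main__":
    plain, keyed = demo()
    print("unkeyed SHA-256 recovered:", plain)   # the original number
    print("HMAC recovered:", keyed)              # None
```

The second half of the demo only holds while the key stays outside the breached system; if the key was stored alongside the data and taken with it, the keyed hash is no better than the plain one, which is why the page’s “appropriate technological protection measures” wording is about more than the choice of algorithm.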
Wider perspective: proposed notification requirements under the General Data Protection Regulation – how do they compare?
As Datonomy readers will be aware, the future General Data Protection Regulation (“GDPR”) will also include notification requirements, applicable to all data controllers. Under the Commission’s original draft of the GDPR, data controllers must notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 24 hours after having become aware of it. That 24 hour deadline has prompted much controversy and has been extended to 72 hours in more recent drafts.
The draft Commission Regulation specifically points out in its recitals that it “is fully consistent” with the proposed notification measures under the draft GDPR. It is likely that the important concessions in the telco obligations over “feasibility”, “meaningful notification” and “awareness” will influence the wider new obligation under the GDPR. What is unclear at this stage is whether the 24/72 hour notification windows would be aligned. Certainly, many telcos argue that there is little justification for imposing stricter requirements on the sector.
The draft Commission Regulation will enter into force two months after its publication in the EU Official Journal, meaning that the notification obligations will be fully binding and directly applicable to providers in all EU member states from 25 August 2013 without the need for any additional implementation measures by the member states.