The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Toward a Mandatory Requirement for EU Business Organizations to Notify of Data Security Breaches


Viviane Reding, Vice-President of the European Commission, spoke on Monday at the Data Protection and Privacy Conference of the British Bankers’ Association in London.

Ms. Reding acknowledged that the current EU legal framework protecting personal data may no longer be appropriate to a world that has changed greatly since 1995 (when Directive 95/46/EC, the data protection Directive, was first published), as individuals “leave digital traces with every move [they] make.” The European Union now “needs a more comprehensive and more coherent approach in its policy for the fundamental right to personal data protection.”

Businesses must also play their part. The way they collect, process, store, and use personal data must become more transparent than it is right now. Ms. Reding alluded to the recent Sony PlayStation Network data breach, which affected some 70 million users worldwide, whose personal information (name, address, email, and birth date) was compromised. According to Ms. Reding, “this incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers’ trust in the online economy.”

Companies must better protect personal data against security breaches and identity theft. Ms. Reding stated that “they should immediately notify breaches of data security and confidentiality” and that she does intend to introduce a mandatory requirement for business organizations to notify data security breaches.

As of today, Directive 2009/136/EC, which introduced mandatory data breach notification into the EU legal framework, imposes the obligation to report data breaches only on providers of publicly available electronic communications services. Other business organizations, however, do not have to report them.

This is likely to change soon, as Ms. Reding wants to introduce this requirement for all sectors, including banking and financial services. She expressed hope that “[i]t would … create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data.”

Changes are ahead, as new EU data protection legislation proposals should be finalized in the upcoming months.


Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual in English and French, and regularly writes articles in both languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked for several years in the fashion retail industry, first as a buyer and then as a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section) and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law).
