The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

EU Commission Publishes Public Consultation on Personal Data Breach Notifications

The European Union (EU) Commission published on July 14, 2011 a public consultation, “ePrivacy Directive: circumstances, procedures and formats for personal data breach notifications.”  

The European Union Commission is seeking the opinion of telecom operators, Internet service providers, Member States, national data protection authorities, consumer organizations and other interested parties on whether additional practical rules are needed to make sure that personal data breaches are notified in a consistent way all across the EU.

Directive 2009/136/EC revised Directive 2002/22/EC, the “Universal Service Directive,” and Directive 2002/58/EC, the “ePrivacy Directive.” Both of these directives are part of the Telecom Package, the five directives comprising the regulatory framework for electronic communications networks and services in the EU. Directive 2009/136/EC entered into force on 25 May 2011. The 2009 Directive introduced into the European Union legal framework an obligation for electronic communications providers to report personal data breaches, without undue delay, to the relevant national authority, and to the individuals affected when there is a risk to their personal data or privacy. A personal data breach is a security incident by which personal data is compromised (unauthorized access, alteration or destruction).

The Commission is hoping to gather practical contributions about how the new rules have been implemented, and what issues may have been encountered. This information would then help the Commission find out whether additional technical measures are needed to ensure that all Member States’ personal data breach notification measures are harmonized, and if so, what form they should take.

From the press release:

“The consultation is seeking input on the following specific issues:

Circumstances: how organizations comply, or intend to comply, with the new obligation under the telecoms rules; the types of breaches that would trigger the requirement to notify the subscriber or individual and examples of protection measures that can render data unintelligible

Procedures: the notification deadline, the means of notification and the procedure for an individual case

Formats: the contents of the notification to the national authority and to the individual, existing standard formats and the feasibility of a standard EU format.

In addition, the Commission wants to learn more about cross-border breaches and compliance with other EU obligations relating to security breaches.”

One can contribute to the consultation until September 9, 2011.


Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual in English and French, and regularly writes articles in both languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked for several years in the fashion retail industry, as a buyer and then as a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section), and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law).
