The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

New European Union Regulation about Notification of Personal Data Breaches Enters into Force


A new European Union Regulation on the notification of personal data breaches, Commission Regulation (EU) No 611/2013, entered into force on Sunday, August 25, 2013.

The Regulation is part of the effort to address Action 35 of the Digital Agenda for Europe, which calls for guidance on implementing the new Telecoms Framework so as to better protect individuals’ privacy and personal data.

To do so, Directive 2009/136/EC of November 25, 2009 had amended Directive 2002/58/EC, the ePrivacy Directive, and had directed the Member States to add to their laws and regulations, by May 25, 2011, a duty for providers of publicly available electronic communications services (ECPs) to report personal data breaches.

A Duty to Report Personal Data Breaches Under Directive 2009/136/EC

Under the modified ePrivacy Directive, ECPs, such as telecoms operators and Internet service providers, must, “without undue delay,” notify their national authorities of any personal data breach.

Article 2(i) of the modified ePrivacy Directive defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”

Under article 4(3) of the modified ePrivacy Directive, ECPs must also notify the subscribers or individuals concerned “without undue delay” if the breach is “likely to adversely affect [their] personal data or privacy,” unless the ECP can demonstrate to its national authority that it has implemented “appropriate technological protection measures” and that those measures were applied to the data affected by the breach.

A Regulation to Ensure Consistency in Implementing the Modified ePrivacy Directive

A Directive is not directly applicable in the 28 Member States; instead, it sets the goals to be achieved and leaves Member States the choice of how to implement those goals in their national systems. There is therefore always a risk that 28 different implementations of a Directive lead to inconsistencies.

In order to ensure consistency in the implementation of these new data breach notification measures, article 4(5) of the modified ePrivacy Directive gave the EU Commission the power to adopt technical implementing measures.

This is why the Commission adopted a Regulation on June 24, 2013. Unlike a Directive, a Regulation is directly applicable in all Member States, and thus ensures that the law is the same throughout the EU.

Notification of Personal Data Breaches to the National Authorities

Article 1 of the Regulation defines its scope as the notification by ECPs of personal data breaches. Annex I of the Regulation details the content of what must be notified to the national authority, divided into two sections:

Section 1

Identification of the provider

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Whether it concerns a first or second notification

Initial information on the personal data breach (for completion in later notifications, where applicable)

4. Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident

5. Circumstances of the personal data breach (e.g. loss, theft, copying)

6. Nature and content of the personal data concerned

7. Technical and organizational measures applied (or to be applied) by the provider to the affected personal data

8. Relevant use of other providers (where applicable)

Section 2

Further information on the personal data breach

9. Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved)

10. Number of subscribers or individuals concerned

11. Potential consequences and potential adverse effects on subscribers or individuals

12. Technical and organizational measures taken by the provider to mitigate potential adverse effects

Possible additional notification to subscribers or individuals

13. Content of notification

14. Means of communication used

15. Number of subscribers or individuals notified

Possible cross-border issues

16. Personal data breach involving subscribers or individuals in other Member States

17. Notification of other competent national authorities

Recital 11 of the Regulation suggests that national authorities should provide ECPs with a secure electronic means of notifying personal data breaches, using a common format, such as a standardized format like XML, across the EU.

The notification to the national authority is due within 24 hours after the detection of the breach. If some of the required information is not yet available, an ECP can make an initial notification within those 24 hours including only the information described in section 1. The ECP must then make a second notification “as soon as possible, and at the latest within three days after the initial notification,” providing the information described in section 2.

This precise time frame is welcome, as the phrasing “undue delay” in the modified ePrivacy Directive was vague. However, a 24-hour deadline for an initial notification, followed by only three more days to gather the information necessary for a complete notification, may leave some companies scrambling to meet their legal obligations.

Notification of Personal Data Breaches to the Subscriber or the Individual

Notifications to subscribers or individuals must contain all the information contained in Annex II of the Regulation:

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Summary of the incident that caused the personal data breach

4. Estimated date of the incident

5. Nature and content of the personal data concerned as referred to in Article 3(2)

6. Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2)

7. Circumstances of the personal data breach as referred to in Article 3(2)

8. Measures taken by the provider to address the personal data breach

9. Measures recommended by the provider to mitigate possible adverse effects

According to article 3(3) of the Regulation, such notification must be made “without undue delay after the detection of the personal data breach.” Since the content of this notification is among the items ECPs must report to their national authority (Annex I, item 13), it must in practice be prepared within the same tight window, again a rather short deadline.

A Safe Harbor: Implementation of Technological Security Measures  

Article 4 of the Regulation states that ECPs do not have to notify subscribers or individuals if they have demonstrated to the satisfaction of their national authority that they have implemented “appropriate technological protection measures” and that those measures were applied to the data affected by the breach.

Such measures must render the data unintelligible to any person not authorized to access it. Article 4(2)(a) and (b) detail when data is considered unintelligible:

(a) it has been securely encrypted with a standardized algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or

(b) it has been replaced by its hashed value calculated with a standardized cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorized to access the key.
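The practical weight of paragraph (b) lies in two words: the hash must be *keyed*, and the key must not itself have been “compromised in any security breach.” The following Python script is an added illustration (not part of the article or of the Regulation) of why an unkeyed hash does not qualify: subscriber identifiers such as phone numbers live in a small, enumerable space, so anyone holding a plain SHA-256 digest can recompute every possible number and recover the original, whereas an HMAC-SHA256 digest (assumed here as the “standardized cryptographic keyed hash function”) resists that enumeration as long as the key stayed outside the breach. The phone numbers are constructed sample data, not real subscribers.

```python
"""Why Article 4(2)(b) demands a *keyed* hash: an unkeyed hash of a low-entropy
identifier (a phone number) is trivially reversed by enumerating the identifier
space, while an HMAC under a key that was not part of the breach is not.
Added illustrative code; the sample numbers are constructed, not real."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Dict

# Constructed sample data: fake mobile numbers sharing an 8-character prefix,
# so an attacker only has to enumerate the last 4 digits (10,000 candidates).
PREFIX = "+3360000"
SUFFIX_DIGITS = 4
SUBSCRIBERS: List[str] = ["+33600000123", "+33600004567", "+33600008901"]


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 with no key. Standardised, but NOT a 'keyed hash function'
    in the sense of the Regulation: anyone can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(key: bytes, value: str) -> str:
    """HMAC-SHA256 (RFC 2104 / FIPS 198-1): a standardised keyed hash."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def generate_key() -> bytes:
    """256-bit key from the OS CSPRNG. Article 4(2)(b) requires a key generated
    so that it 'cannot be ascertained by available technological means' by an
    unauthorised person; a short or predictable key fails that test."""
    return secrets.token_bytes(32)


def pseudonymise(key: Optional[bytes], numbers: List[str]) -> List[str]:
    """The breached dataset: only digests remain. key=None models a provider
    that merely hashed the numbers without a key."""
    return [keyed_hash(key, n) if key is not None else unkeyed_hash(n) for n in numbers]


def recover_by_enumeration(digest: str, key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's (or key holder's) view: walk the whole 10^SUFFIX_DIGITS space
    and recompute the hash for each candidate. Without the key the attacker can
    only compute unkeyed SHA-256; with the key every pseudonym is re-linkable,
    which is why the safe harbour is lost if the key was in the same breach."""
    for n in range(10 ** SUFFIX_DIGITS):
        candidate = f"{PREFIX}{n:0{SUFFIX_DIGITS}d}"
        guess = keyed_hash(key, candidate) if key is not None else unkeyed_hash(candidate)
        if hmac.compare_digest(guess, digest):
            return candidate
    return None


def breach_assessment(digests: List[str], key_leaked_too: bool, key: bytes) -> Dict[str, int]:
    """Count how many leaked digests an attacker can turn back into numbers,
    depending on whether the HMAC key was inside the same breach."""
    attacker_key = key if key_leaked_too else None
    recovered = sum(1 for d in digests if recover_by_enumeration(d, attacker_key) is not None)
    return {"leaked": len(digests), "recovered": recovered}


if __name__ == "__main__":
    key = generate_key()
    plain_hashed = pseudonymise(None, SUBSCRIBERS)
    hmac_hashed = pseudonymise(key, SUBSCRIBERS)
    print("unkeyed SHA-256:                ", breach_assessment(plain_hashed, False, key))
    print("HMAC, key stayed safe:          ", breach_assessment(hmac_hashed, False, key))
    print("HMAC, key leaked in same breach:", breach_assessment(hmac_hashed, True, key))
```

Running the script shows all three sample numbers recovered from the unkeyed digests, none recovered from the HMAC digests while the key is safe, and all three recovered again once the key is assumed leaked. The same logic applies to paragraph (a): encryption with a standardized algorithm only supports the safe harbor if the decryption key was stored and handled separately from the breached data, which is a question an ECP should be able to answer before it tries to make the demonstration to its national authority.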

So far, under EU law only ECPs have a duty to report personal data breaches. However, the proposed General Data Protection Regulation, currently being debated in the European Parliament, would oblige all data controllers to report personal data breaches to their supervisory authority (article 31) and to the data subjects affected by the breach (article 32).

The entry into force of the June 24, 2013 Regulation may provide insight into how well ECPs are prepared to meet their obligations, and will also likely give clues as to whether it will indeed be feasible for all data controllers to meet their obligations under the new data protection Regulation, which is likely to enter into force next year.


Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual English-French, and regularly writes articles in both languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked for several years in the fashion retail industry, as a buyer and then as a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section), and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law).
