The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


EU Commission Publishes Public Consultation on Personal Data Breach Notifications

On July 14, 2011, the European Union (EU) Commission published a public consultation, “ePrivacy Directive: circumstances, procedures and formats for personal data breach notifications.”

The European Union Commission is seeking the opinion of telecom operators, Internet service providers, Member States, national data protection authorities, consumer organizations and other interested parties on whether additional practical rules are needed to make sure that personal data breaches are notified in a consistent way all across the EU.

Directive 2009/136/EC revised Directive 2002/22/EC, the “Universal Service Directive,” and Directive 2002/58/EC, the “ePrivacy Directive.” Both directives are part of the Telecom Package, the five directives comprising the regulatory framework for electronic communications networks and services in the EU. Directive 2009/136/EC entered into force on May 25, 2011. The 2009 Directive introduced into the EU legal framework an obligation for electronic communications providers to report personal data breaches, without undue delay, to the relevant national authority, and to the affected individuals when the breach poses a risk to their personal data or privacy. A personal data breach is a security incident in which personal data is compromised (unauthorized access, alteration or destruction).

The Commission is hoping to gather practical contributions about how the new rules have been implemented, and what issues may have been encountered. This information would then help the Commission find out whether additional technical measures are needed to ensure that all Member States’ personal data breach notification measures are harmonized, and if so, what form they should take.

From the press release:

“The consultation is seeking input on the following specific issues:

Circumstances: how organizations comply, or intend to comply, with the new obligation under the telecoms rules; the types of breaches that would trigger the requirement to notify the subscriber or individual and examples of protection measures that can render data unintelligible

Procedures: the notification deadline, the means of notification and the procedure for an individual case

Formats: the contents of the notification to the national authority and to the individual, existing standard formats and the feasibility of a standard EU format.

In addition, the Commission wants to learn more about cross-border breaches and compliance with other EU obligations relating to security breaches.”

One can contribute to the consultation until September 9, 2011.