The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


New European Union Regulation about Notification of Personal Data Breaches Enters into Force

A new European Union Regulation applicable to the notification of personal data breaches entered into force on Sunday, August 25.

The Regulation is part of the effort to address the issue identified in article 35 of the Digital Agenda for Europe, to give guidance for implementing a new Telecoms Framework to better protect individuals’ privacy and personal data.

To do so, Directive 2009/136/EC of November 25, 2009 had amended Directive 2002/22/EC, the ePrivacy Directive, and had directed the Member States to add to their laws and regulations, by May 25, 2011, a duty for publicly available electronic communications service providers (ECPs) to report personal data breaches.

A Duty to Report Personal Data Breaches Under Directive 2009/136/EC

Under the modified ePrivacy Directive, ECPs, such as telecoms operators and Internet service providers, must, “without undue delay,” notify their national authorities of any personal data breach.

Article 2(i) of the modified ePrivacy Directive defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”

Under article 4 of the modified ePrivacy Directive, ECPs must notify individuals of the breach “without undue delay” if it is “likely to adversely affect [their] personal data or privacy,” unless the ECP affected by the breach can demonstrate to its national authority that it has implemented “appropriate technological protection measures.”

A Regulation to Ensure Consistency in Implementing the Modified ePrivacy Directive

A Directive is not directly enforceable in the 28 Member States; instead, it sets the goals to be achieved and leaves Member States the choice of how to implement these goals in their national systems. There is therefore always a risk that the 28 different ways of implementing a particular Directive lead to inconsistencies.

In order to ensure consistency in the implementation of these new data breach notification measures, article 4(5) of the modified ePrivacy Directive gave the EU Commission the power to adopt technical implementing measures.

This is why the Commission published a Regulation on June 24, 2013. Unlike a Directive, a Regulation is directly applicable in all Member States, and thus ensures that the law is the same in all the Member States.

Notification of Personal Data Breaches to the National Authorities

Article 1 of the Regulation defines its scope as the notification by ECPs of personal data breaches. Annex I of the Regulation details the content of what must be notified to the national authority, divided into two sections:

Section 1

Identification of the provider

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Whether it concerns a first or second notification

Initial information on the personal data breach (for completion in later notifications, where applicable)

4. Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident

5. Circumstances of the personal data breach (e.g. loss, theft, copying)

6. Nature and content of the personal data concerned

7. Technical and organizational measures applied (or to be applied) by the provider to the affected personal data

8. Relevant use of other providers (where applicable)

Section 2

Further information on the personal data breach

9. Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved)

10. Number of subscribers or individuals concerned

11. Potential consequences and potential adverse effects on subscribers or individuals

12. Technical and organizational measures taken by the provider to mitigate potential adverse effects

Possible additional notification to subscribers or individuals

13. Content of notification

14. Means of communication used

15. Number of subscribers or individuals notified

Possible cross-border issues

16. Personal data breach involving subscribers or individuals in other Member States

17. Notification of other competent national authorities

Recital 11 of the Regulation suggests that national authorities should provide ECPs with a secure electronic means of notifying them about personal data breaches, and that this means should use a common format across the EU, such as XML.

However, if some of this information is not available, an ECP can make an initial notification to the competent national authority within 24 hours, including only the information described in section 1. The ECP must then make a second notification “as soon as possible, and at the latest within three days after the initial notification,” then providing the information described in section 2.

This precise time frame is welcome, as the phrasing “undue delay” in the modified ePrivacy Directive was vague. However, a 24-hour deadline for an initial notification, followed by only three more days to gather the information necessary for a complete notification, may leave some companies scrambling to meet their legal obligations.

Notification of Personal Data Breaches to the Subscriber or the Individual

Notifications to subscribers or individuals must contain all the information contained in Annex II of the Regulation:

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Summary of the incident that caused the personal data breach

4. Estimated date of the incident

5. Nature and content of the personal data concerned as referred to in Article 3(2)

6. Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2)

7. Circumstances of the personal data breach as referred to in Article 3(2)

8. Measures taken by the provider to address the personal data breach

9. Measures recommended by the provider to mitigate possible adverse effects

According to article 3.3 of the Regulation, such notification must be made “without undue delay after the detection of the personal data breach.” As ECPs must provide a copy of this notification when notifying their national authorities of a breach, the notification to subscribers or individuals has to be made, at the latest, 24 hours after the occurrence of the breach, again a rather short time frame.

A Safe Harbor: Implementation of Technological Security Measures

Article 4 of the Regulation states that ECPs do not have to notify subscribers or individuals if they can demonstrate to their national authority that they have implemented “appropriate technological protection measures” which were applied to the data affected by the breach.

Such measures must render the data unintelligible. Articles 4.2(a) and 4.2(b) detail when data will be considered unintelligible:

(a) it has been securely encrypted with a standardized algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or

(b) it has been replaced by its hashed value calculated with a standardized cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorized to access the key.
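As an added illustration, not part of the original post, of why Article 4.2(b) insists on a keyed hash rather than any standardized hash: the Python below compares plain SHA-256 with HMAC-SHA256 over a constructed, deliberately small subscriber-number space, and runs the re-identification check a provider could use to judge whether hashed data is really unintelligible to someone who does not hold the key. All subscriber numbers are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: standardized, but not a *keyed* hash, so it does not satisfy 4.2(b)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256: a standardized keyed hash function; unintelligibility rests on the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def generate_key() -> bytes:
    """256-bit key from the OS CSPRNG, so it 'cannot be ascertained by available
    technological means' by anyone not authorized to hold it."""
    return secrets.token_bytes(32)


def candidate_numbers(prefix: str, digits: int) -> Iterable[str]:
    """Constructed identifier space: every number sharing a prefix (10**digits values).
    Subscriber identifiers such as phone numbers typically live in spaces this small."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"


def reidentify(digest: str, candidates: Iterable[str],
               hasher: Callable[[str], str] = unkeyed_hash) -> Optional[str]:
    """Provider-side risk check: can a stored digest be matched back to a subscriber by
    recomputing the hash over the identifier space with what an outsider knows?
    `hasher` models the outsider's capability: the public algorithm, but not the HMAC key.
    Returns the recovered value, or None if the data stays unintelligible."""
    for value in candidates:
        if hmac.compare_digest(hasher(value), digest):
            return value
    return None


if __name__ == "__main__":
    subscriber = "+3215550102"  # constructed sample, not a real number
    print("unkeyed SHA-256 recovers:", reidentify(unkeyed_hash(subscriber),
                                                 candidate_numbers("+321555", 4)))
    key = generate_key()
    print("HMAC-SHA256 recovers:   ", reidentify(keyed_hash(subscriber, key),
                                                 candidate_numbers("+321555", 4)))
```

The unkeyed digest is recovered after at most 10,000 trial hashes, while the HMAC digest is not, which is exactly the distinction 4.2(b) draws, provided the key itself was generated properly and was not compromised in the breach.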

So far, only ECPs have a duty to report personal data breaches in the EU. However, the new data protection Regulation currently debated in the European Parliament would impose an obligation on all data controllers to report personal data breaches to their supervisory authority (article 31) and to the data subjects affected by the breach (article 32).

The entry into force of the June 24, 2013 Regulation may provide an insight into how well ECPs are prepared to meet their obligations, and will also likely give clues as to whether it will indeed be feasible for data controllers to meet their obligations under the new data protection Regulation, which is likely to enter into force next year.


The European Data Protection Supervisor on data breaches, data portability, and the right to be forgotten

The European Data Protection Supervisor (EDPS) published an opinion last month about the European Commission’s Communication reviewing the EU legal framework for data protection. It discusses, among other topics, the introduction of personal data breach notification in EU law. The EDPS also declares that it is in favor of introducing the right to data portability and the right to be forgotten in the EU legal framework.


The new legal framework must support an obligation to report security breaches

The EDPS supports the extension of the security breach reporting obligation currently included in the revised ePrivacy Directive, as proposed in the Commission’s Communication.


As of now, the revised ePrivacy Directive only requires providers of electronic communication services to report security breaches; no other data controllers are covered by the obligation. The EDPS notes that “[t]he reasons that justify the obligation fully apply to data controllers other than providers of electronic communication services.” (§75)

Indeed, “[s]ecurity breach notification serves different purposes and aims. The most obvious one, highlighted by the Communication, is to serve as an information tool to make individuals aware of the risks they face when their personal data are compromised. This may help them to take the necessary measures to mitigate such risks,” such as changing passwords or canceling their accounts. (§76) Also, these notifications “contribute (…) to the effective application of other principles and obligations in the Directive. For example, security breach notification requirements incentivize data controllers to implement stronger security measures to prevent breaches,” and thus enhance data controllers’ accountability. Such notifications also serve as a tool for enforcement by Data Protection Authorities (DPAs), as a notification may lead a DPA to investigate the overall practices of a data controller. (§76)


The new legal framework must support data portability and the right to be forgotten


The Communication vowed that the Commission would examine ways of complementing the rights of data subjects “by ensuring ’data portability’, i.e., providing the explicit right for an individual to withdraw his/her own data (e.g., his/her photos or a list of friends) from an application or service so that the withdrawn data can be transferred into another application or service, as far as technically feasible, without hindrance from the data controllers.” (Communication, p.8)

According to the EDPS, “Data portability and the right to be forgotten are two connected concepts put forward by the Communication to strengthen data subjects’ rights.” (§83) As “more and more data are automatically stored and kept for indefinite periods of time,” the data subject has very limited control over his personal data. The Internet has a “gigantic memory.” (§84) Also, “from an economic perspective, it is more costly for a data controller to delete data than to keep them stored,” and thus “[t]he exercise of the rights of the individual therefore goes against the natural economic trend.” (§84)

“Both data portability and the right to be forgotten could contribute to shift the balance in favour of the data subject” by giving him more control of his information. The right to be forgotten “would ensure that the information automatically disappears after a certain period of time, even if the data subject does not take action or is not even aware that the data was ever stored.” (§85) This “right to be forgotten” would ensure that personal data are deleted and, at the same time, it would be prohibited to “further use them, without a necessary action of the data subject, but at the condition that this data has been already stored for a certain amount of time. The data would in other words be attributed some sort of expiration date.” (§88)


This new “right to be forgotten” should be connected to data portability. (§89) Data portability is “the users’ ability to change preference about the processing of their data, in connection in particular with new technology services.” (§86) “Individuals must easily and freely be able to change the provider and transfer their personal data to another service provider.” (§87)


The EDPS considers that existing rights “could be reinforced by including a portability right in particular in the context of information society services, to assist individuals in ensuring that providers and other relevant controllers give them access to their personal information while at the same time ensuring that the old providers or other controllers delete that information even if they would like to keep it for their own legitimate purposes.” (§87)


Whether the right to be forgotten online will become part of the EU data protection framework remains to be seen. However, several EU countries recognize, or plan to recognize soon, such a right. Google argued last month in a Spanish court that deleting search results in order to respect the country’s right to be forgotten “would be a form of censorship.” France is considering recognizing such a right as the French Congress is in the process of implementing the reviewed ePrivacy Directive. As the deadline for implementing the directive, May 25, 2011, approaches, it will be interesting to see how many Member States actually add the right to be forgotten to their legal systems.