The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


1 Comment

Privacy and Data Protection Impacting on International Trade Talks

European Commission

The European Union and the United States are currently negotiating a broad compact on trade called the Transatlantic Trade and Investment Partnership (“TTIP”). While the negotiations themselves are non-public, among the issues that are reported to be potential obstacles to agreement are privacy and data protection. Not only does the European Union mandate a much stronger set of data protection and privacy laws for its member states than exist in the United States, but recent revelations of U.S. surveillance practices (including of European leaders) have highlighted the legal and cultural divide.

In an October 29, 2013 speech in Washington, D.C., Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, emphasized that Europe would not put its more stringent privacy rules at risk of weakening as part of the TTIP negotiations. She said in part,

Friends and partners do not spy on each other. Friends and partners talk and negotiate. For ambitious and complex negotiations to succeed there needs to be trust among the negotiating partners. That is why I am here in Washington: to help rebuild trust.

You are aware of the deep concerns that recent developments concerning intelligence issues have raised among European citizens. They have unfortunately shaken and damaged our relationship.

The close relationship between Europe and the USA is of utmost value. And like any partnership, it must be based on respect and trust. Spying certainly does not lead to trust. That is why it is urgent and essential that our partners take clear action to rebuild trust….

The relations between Europe and the US run very deep, both economically and politically. Our partnership has not fallen from the sky. It is the most successful commercial partnership the world has ever seen. The energy it injects into to our economies is measured in millions, billions and trillions – of jobs, trade and investment flows. The Transatlantic Trade and Investment Partnership could improve the figures and take them to new highs.

But getting there will not be easy. There are challenges to get it done and there are issues that will easily derail it. One such issue is data and the protection of personal data.

This is an important issue in Europe because data protection is a fundamental right. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society.

This is why I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable….

Beyond the TTIP talks, the divergence between European and U.S. privacy practices is putting new pressure on an existing legal framework, the Safe Harbor that was adopted after the enactment of the EU Data Protection Directive. A number of EU committees and political groups are either criticizing or recommending revocation of the Safe Harbor, a development that could significantly change the risk management calculus for the numerous companies which move personal information between the United States and Europe.


Leave a comment

New European Union Regulation about Notification of Personal Data Breaches Enters into Force

A new European Union Regulation applicable to the notification of personal data breaches entered into force on Sunday, August 25.

The Regulation is part of the effort to address the issue identified in article 35 of the Digital Agenda for Europe, to give guidance for implementing a new Telecoms Framework to better protect individuals’ privacy and personal data.

To do so, Directive 2009/136/EC of November 25, 2009 had amended Directive 2002/22/EC, the ePrivacy Directive, and had directed the Member States to add to their laws and regulations, by May 25, 2011, a duty for publicly available electronic communications service providers (ECPs) to report personal data breaches.

A Duty to Report Personal Data Breaches Under Directive 2009/136/EC

Under the modified ePrivacy Directive, ECPs, such as telecoms operators and Internet service providers must, “without undue delay,” notify their national authorities of any personal data breach.

Article 2(i) of the modified ePrivacy Directive defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”

Under article 4 of the modified ePrivacy Directive, ECPs must notify individuals of the breach “without undue delay” if it is “likely to adversely affect [their] personal data or privacy,” unless the ECP affected by the breach can demonstrate to its national authority that it has implemented ”appropriate technological protection measures.”

A Regulation to Ensure Consistency in Implementing the Modified ePrivacy Directive

A Directive is not directly enforceable in the 28 Member States, but, instead, sets the goals to be achieved and leaves Member States the choice on how to implement these goals in their national systems. Therefore, there is always a risk that the 28 different ways to implement a particular Directive lead to some inconsistencies.

In order to ensure consistency in the implementation of these new data breach notification measures, article 4(5) of the modified ePrivacy Directive gave the EU Commission the power to adopt technical implementing measures.

This is why the Commission published a Regulation on June 24, 2013. Unlike a Directive, a Regulation is directly applicable in all Member States, and thus ensures that the law is the same in all the Member States.

Notification of Personal Data Breaches to the National Authorities

Article 1 of the Regulation defines its scope as notification by ECPs of personal data breaches. Annex 1 of the Regulation details the content of what must be notified to the national authority, divided in two sections:

Section 1

Identification of the provider

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Whether it concerns a first or second notification

Initial information on the personal data breach (for completion in later notifications, where applicable)

4. Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident

5. Circumstances of the personal data breach (e.g. loss, theft, copying)

6. Nature and content of the personal data concerned

7. Technical and organizational measures applied (or to be applied) by the provider to the affected personal data

8. Relevant use of other providers (where applicable)

Section 2

Further information on the personal data breach

9. Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved):

10. Number of subscribers or individuals concerned

11. Potential consequences and potential adverse effects on subscribers or individuals

12. Technical and organizational measures taken by the provider to mitigate potential adverse effects

Possible additional notification to subscribers or individuals

13. Content of notification

14. Means of communication used

15. Number of subscribers or individuals notified

Possible cross-border issues

16. Personal data breach involving subscribers or individuals in other Member States

17. Notification of other competent national authorities

Recital 11 of the Regulation suggests that national authorities should provide ECPs with a secure electronic means to notify them about personal data breaches, which should be in a common format, such as XML, an online format, across the EU.

However, if some of this information is not available, an ECP can make an initial notification to the competent national authority within 24 hours, including only the information described in section 1. The ECP must then make a second notification “as soon as possible, and in the latest within three days after the initial notification” providing then the information described in section 2.  

This precise time frame is welcome as the phrasing “undue delay in the modified ePrivacy Directive was vague. However, a 24-hour delay for an initial notification, followed by only three more days to gather the information necessary for a complete notification, may leave some companies scrambling to meet their legal obligations.

Notification of Personal Data Breaches to the Subscriber or the Individual

Notifications to subscribers or individuals must contain all the information contained in Annex II of the Regulation:

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Summary of the incident that caused the personal data breach

4. Estimated date of the incident

5. Nature and content of the personal data concerned as referred to in Article 3(2)

6. Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2)

7. Circumstances of the personal data breach as referred to in Article 3(2)

8. Measures taken by the provider to address the personal data breach

9. Measures recommended by the provider to mitigate possible adverse effects

According to article 3.3 of the Regulation, such notification must be made “without undue delay after the detection of the personal data breach.” As ECPs must provide a copy of this notification when notifying their national authorities of a breach, such notification has to be made, at the latest, 24 hours after the occurrence of the breach, again, a rather short delay.

A Safe Harbor: Implementation of Technological Security Measures  

Article 4 of the Regulation states that ECPs do not have to notify subscribers or individuals if they were able to demonstrate to their national authority that they have implemented “appropriate technology protection measures” which were applied to the data affected by the breach.

Such measures must render data unintelligible. Article 4.2(a) and 4.2(b) details when data will be considered unintelligible:

(a) it has been securely encrypted with a standardized algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or

(b) it has been replaced by its hashed value calculated with a standardized cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorized to access the key.

So far, only ECPs have a duty to report personal data breaches in the EU. However, the new data protection Regulation currently debated in the European Parliament would provide an obligation for all data controllers to report personal data breaches to their supervisory authority (article 31) and to the data subject affected by the breach (article 32).

The entering into force of the June 24, 2013 Regulation may provide an insight on how well ECPs are prepared to meet their obligations, and will also likely give clues on whether it will indeed be feasible for data controllers to meet their obligations under the new data protection Regulation, likely to enter into force next year.