Digital Agenda: Breach Notification Consultation

July 17, 2011

The European Commission is seeking the views of a range of interested parties on whether additional practical rules are needed to ensure that personal data breaches are notified in a consistent way across the EU.

The revised ePrivacy Directive (2009/136/EC), which came into force on 25 May 2011, requires operators and ISPs to inform, without undue delay, national authorities and their customers about breaches of personal data that they hold. The Commission wants to gather input based on existing practice and initial experience with the new telecoms rules and may then propose additional practical rules to make clear when breaches should be reported, the procedures for doing so, and the formats that should be used.

The consultation closes on 9 September 2011.

Commission Vice-President for the Digital Agenda Neelie Kroes said: ‘The duty to notify data breaches is an important part of the new EU telecoms rules. But we need consistency across the EU so businesses don’t have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.’

The consultation is seeking input on the following specific issues:

· Circumstances: how organisations comply, or intend to comply, with the new obligation under the telecoms rules; the types of breaches that would trigger the requirement to notify the subscriber or individual; and examples of protection measures that can render data unintelligible.

· Procedures: the notification deadline, the means of notification and the procedure for an individual case.

· Formats: the contents of the notification to the national authority and to the individual, existing standard formats and the feasibility of a standard EU format.

In addition, the Commission wants to learn more about cross-border breaches and compliance with other EU obligations relating to security breaches.

If the Commission decided to propose technical implementing measures, it would have to consult the European Network and Information Security Agency (ENISA), the Article 29 Data Protection Working Party and the European Data Protection Supervisor (EDPS). Communications regulators would also be consulted, as they are the competent authorities for data breaches in some Member States.

The technical implementing measures would take the form of a Commission Decision adopted in the ‘regulatory comitology procedure’. Under this procedure, Member States would first need to give their approval to the Commission’s proposals, within the Communications Committee (COCOM). The European Parliament would then have three months to scrutinise the measures before they entered into force.

The consultation document is available here.