Data Breach: Single Market Rules

June 23, 2013

The European Commission is putting into place new rules as to what telecoms operators and ISPs should do if their customers’ personal data is lost, stolen or otherwise compromised. The purpose of these ‘technical implementing measures’ is to ensure all customers receive equivalent treatment across the EU in case of a data breach, and to ensure businesses can take a pan-EU approach to these problems if they operate in more than one country. Plus it is no secret that the Commission is keen to see a true single market in telecoms.

Telecoms operators and ISPs have been operating since 2011 under a general obligation to inform national authorities and subscribers about breaches of personal data (IP/11/622).

Under the new Regulation, companies will have the way in which they meet those obligations, and customers will have extra assurance about how their problem will be dealt with. For example companies must:

·                     Inform the competent national authority of the incident within 24 hours after detection of the breach, in order to maximise its confinement. If full disclosure is not possible within that period, they should provide an initial set of information within 24 hours, with the rest to follow within three days.

·                     Outline which pieces of information are affected and what measures have been or will be applied by the company.

·                     In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.

·                     Make use of a standardised format (for example an online form that is the same in all EU Member States) for notifying the competent national authority.

The Commission also wishes to incentivise companies to encrypt personal data. As such, and in conjunction with ENISA, the Commission will also publish an indicative list of technological protection measures, such as encryption techniques, which would render the data unintelligible to any person not authorised to see it. If a company applies such techniques but suffers a data breach, they would be exempt from the burden of having to notify the subscriber because such a breach would not actually reveal the subscriber’s personal data.

European Commission Vice-President Neelie Kroes said: “Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field.”

The Commission is implementing these rules following its 2011 public consultation, showing widespread stakeholder support for a harmonised approach in this area. The rules were agreed by a committee of Member States and scrutinised by the European Parliament and Council. They are adopted in the form of a Commission Regulation, which has direct effect and requires no further transposition at national level, and will come into force two months after publication in the EU Official Journal.


Commission Regulation on the measures applicable to the notification of personal data breaches under the ePrivacy Directive