European Commission - Press release
Digital Agenda: Commission consults on practical rules for notifying personal data breaches
Brussels, 14 July 2011 - The views of telecoms operators, Internet service providers, Member States, national data protection authorities, consumer organisations and other interested parties are being sought by the European Commission on whether additional practical rules are needed to make sure that personal data breaches are notified in a consistent way across the EU. The revised ePrivacy Directive (2009/136/EC), which entered into force on 25 May 2011 as part of a package of new EU telecoms rules, requires operators and Internet service providers to inform, without undue delay, national authorities and their customers about breaches of personal data that they hold (see IP/11/622 and MEMO/11/320). The Commission wants to gather input based on existing practice and initial experience with the new telecoms rules and may then propose additional practical rules to make clear when breaches should be reported, the procedures for doing so, and the formats that should be used. Contributions to the consultation are welcome until 9 September 2011.
Commission Vice-President for the Digital Agenda Neelie Kroes said: "The duty to notify data breaches is an important part of the new EU telecoms rules. But we need consistency across the EU so businesses don't have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses."
The consultation is seeking input on the following specific issues:
In addition, the Commission wants to learn more about cross-border breaches and compliance with other EU obligations relating to security breaches.
Telecoms operators and Internet service providers hold a range of data about their customers, such as name, address and bank account details, in addition to information about phone calls and websites visited. The ePrivacy Directive requires telecoms operators and Internet service providers to keep this data confidential and secure. However, sometimes data is stolen or lost or accessed by unauthorised persons. These cases are known as 'personal data breaches'. Under the revised ePrivacy Directive (2009/136/EC), when a personal data breach occurs, the provider has to report this to a specific national authority, usually the national data protection authority or the communications regulator. Also, the provider has to inform the concerned individual directly.
To ensure consistent implementation of the data breach rules across Member States, the ePrivacy Directive allows the Commission to propose 'technical implementing measures' – practical rules to complement the existing legislation – on the circumstances, formats and procedures for the notification requirements.
If, on the basis of the input received, the Commission decided to propose technical implementing measures, it would have to consult the European Network and Information Security Agency (ENISA), the Article 29 Data Protection Working Party and the European Data Protection Supervisor (EDPS). Communications regulators would also be consulted, as they are the competent authorities for data breaches in some Member States.
The technical implementing measures would take the form of a Commission Decision adopted in the 'regulatory comitology procedure'. Under this procedure, Member States would first need to give their approval to the Commission's proposals, within the Communications Committee (COCOM). The European Parliament would then have three months to scrutinise the measures before they entered into force.
The consultation document is available at:
Digital Agenda website: http://ec.europa.eu/digital-agenda
Neelie Kroes' website: http://ec.europa.eu/commission_2010-2014/kroes/
Follow Neelie Kroes on Twitter: http://twitter.com/neeliekroeseu