Commission consults on how to better notify personal data breaches

New EU telecoms rules require operators and Internet service providers to inform, without undue delay, national authorities and their customers about breaches of personal data that they hold. The Commission therefore wants to gather input, based on existing practice and initial experience with the new telecoms rules, on whether additional practical rules are needed to make sure that personal data breaches are notified in a consistent way across the EU.

The ePrivacy Directive requires telecoms operators and Internet service providers to keep this data confidential and secure. The data they hold about their customers may include names, addresses and bank account details, in addition to information about phone calls made and websites visited. However, data is sometimes stolen, lost or accessed by unauthorised persons. These cases are known as 'personal data breaches'. Under the revised ePrivacy Directive (2009/136/EC), when a personal data breach occurs, the provider has to report it to a specific national authority, usually the national data protection authority or the communications regulator. The provider also has to inform the individuals concerned directly. The ePrivacy Directive further allows the Commission to propose 'technical implementing measures' to ensure consistent implementation of the data breach rules across Member States.

This is why the European Commission has opened a public consultation on the topic, in order to gather the views of telecoms operators, Internet service providers, Member States, national data protection authorities, consumer organisations and other interested parties on whether additional practical rules are needed to make sure that personal data breaches are notified in a consistent way across the EU. The consultation also follows the opinion of the European Data Protection Supervisor (EDPS) on the European Commission's Evaluation Report on the Data Retention Directive, in which the EDPS takes the view that the Directive does not meet the requirements imposed by the fundamental rights to privacy and data protection.

In particular, the consultation seeks input on how organisations comply, or intend to comply, with the new obligation under the telecoms rules; on the types of breaches that would trigger the requirement to notify the subscriber or individual; and on examples of protection measures that can render data unintelligible. It also asks about the procedures to follow, such as the notification deadline, the means of notification and the procedure for handling an individual case. The Commission further asks about formats: the contents of the notification to the national authority and to the individual, existing standard formats and the feasibility of a standard EU format. In addition, the Commission wants to learn more about cross-border breaches and about compliance with other EU obligations relating to security breaches. Contributions to the consultation are welcome until 9th September 2011.