Data breach notification – different opinions in EU bodies?

By EDRi · November 19, 2008

(This article is also available in German)

The amendments adopted on 24 September 2008 by the European Parliament (EP)
on the ePrivacy Directive include the obligation of information society
service providers to notify personal data related security breaches to the
national authorities. However, a recent proposal of the European Commission
seems to put the amendment back on the discussion list, referring only to
telecom operators for such an obligation.

Following the European Data Protection Supervisor’s opinion on the ePrivacy
directive in April 2008, which suggested a mandatory security breach
notification from “providers of public electronic communication services in
public networks” but also from other actors, such as “providers of
information society services which process sensitive personal data
(banks and insurers, on-line providers of health services,
etc.)”, the MEP Alexander Alvaro included amendments on these aspects in
the report from the Standing Committee on Civil Liberties, Justice and Home
Affairs, backing a procedure to inform users in case of security breaches
at service providers.

The amendments adopted by the European Parliament on 24 September 2008
include these additions to the text initially proposed by the Commission.

Amendments 187/rev and 184 now ask for an obligatory notification to the
national regulatory authority or the competent authority according to the
individual law of the respective Member State, of any personal data related
security breach from any “provider of publicly available electronic
communications services, as well as any undertaking operating on the
internet and providing services to consumers, which is the data controller
and the provider of information society services.”

Other amendments adopted by the EP (124 and 125) explain the procedure
following such notifications. Thus the competent authority will consider
and determine the seriousness of the breach and, if the breach is serious,
the provider will be obliged to send a notification to all persons that were

Even though it appears that the next Council of Telecoms Ministers will
agree to the EP position, the European Commission has changed the legislative
texts, as a compromise between the opinions of the European Parliament and
the European Council.

The new statements of the European Commission on data security are
intriguing, as they discuss security breaches only in the case of telecom

“The Commission reaffirms the need of telecoms operators to notify
regulators and the public about security breaches. The Commission reaffirms
that notifications must, as a matter of principle, be sent to the
individuals affected by them and that the notification procedure must remain
swift, simple and effective. In order to clarify, in an objective manner,
the cases where such notifications will be required, the Commission will,
under the new legislative text, give more detailed guidance as to the
circumstances of a breach that would trigger a notification.”

Since no official documents regarding the next Council of Telecoms Ministers
meeting on 27 November 2008 have yet been provided on the European Council
website, it is unclear whether there will be an attempt to disregard the
European Parliament’s opinion in this respect. In any case, the EP will have
a second reading on the telecom package, which is scheduled for April 2009.

Telecoms Reform: Commission presents new legislative texts to pave the way
for compromise between Parliament and Council (7.11.2008)

European Parliament legislative resolution on ePrivacy directive

Documents for the Council of Telecoms Minister on 27 November 2008

EDRi-gram: ePrivacy Directive debated in the EP’s Civil Liberties Committee

EDRi-gram: EDPS endorses data breach notification provision in ePrivacy
Directive (23.04.2008)