EP limits data breach notification

By EDRi · May 20, 2009

This article is also available in:
Deutsch: [Europäisches Parlament schränkt Meldungen von Datenverstößen ein | http://www.unwatched.org/node/1399]

The modification of the Privacy and Electronic Communication directive voted
by the European Parliament (EP) on 6 May 2009, as part of second reading of
the telecom package, limits the data breach notification only to the
electronic communications service providers.

Initially, in its first reading of the telecom package last year, the
European Parliament insisted to expand the data breach notification beyond
the initial provision, to online services or even public administration.
This idea was supported by privacy experts such as Peter Hustinx, the
European Data Protection Supervisor who insisted to apply the system not
only to “providers of public electronic communication services in
public networks but also to other actors, especially to providers of
information society services which process sensitive personal data (e.g.
online banks and insurers, on-line providers on health services etc.).”

But in the negotiations with the Council and the European Commission on this
point the EP diluted its initial claims. Thus, the adopted text
includes a mandatory obligation only for ISPs and telecoms. For the rest of
the categories the Commission just takes note of the EP will and says that
it will “initiate the appropriate preparatory work, including consultation
with stakeholders, with a view to presenting proposals in this area, as
appropriate, by the end of 2011. In addition, the Commission will consult
with the European Data Protection Supervisor on the potential for the
application, with immediate effect, in other sectors of the principles
embodied in the data breach notification rules in Directive 2002/58/EC,
regardless of the sector or type of data concerned.”

The adopted text includes a similar recital that notes the “general interest
for users to be notified is clearly not limited to the electronic
communications sector and therefore explicit, mandatory notification
requirements applicable to all sectors should be introduced at the Community
level as a matter of priority.”

According to the text of the Directive approved by the EP in the case of a
personal data breach, the telecom operator or ISP has the obligation to
notify the personal data breach right away to the competent national
authority. The text also says that if the data breach “is likely to
adversely affect the personal data and privacy of a subscriber or an
individual, the provider shall also notify the subscriber or individual of
the breach without undue delay.”

The EDPS considered the voted text as “a satisfactory approach”. He
also noted that it is good to see the mandatory notification for personal
data breaches in the final text, which is one of the core elements
of the Directive. However, he expressed his regrets that “its application is
limited to ISPs and network operators. One would hope that the Commission,
in consultation with the EDPS, will soon put forward proposals setting up
mandatory notification requirements applicable to all sectors, as the
Commission has undertaken to do in a declaration annexed to the text adopted
by the EP.”

The European Parliament rejected on 6 May the telecom package, due to the 3
strikes-related article, that was presented in extenso in the past EDRi-gram
issue. Now the package needs to be negotiated again with the other EU
institutions, but it is hard to believe that the data breach notification
provisions will be modified.

Modification of the E-privacy Directive – adopted text (6.05.2009)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P6-TA-2009-0360+0+DOC+XML+V0//EN&language=EN#title2

European Parliament abandons plan to extend data breach notification law (13.05.2009)
http://www.out-law.com//default.aspx?page=10010

EDRi-gram: Data breach notification – different opinions in EU bodies ?
(19.11.2008)
http://www.edri.org/edri-gram/number6.22/data-breach-ec

EDPS endorses data breach notification provision in ePrivacy Directive
(23.04.2008)
http://www.edri.org/edrigram/number6.8/edps-data-breach-notification