EDPS endorses data breach notification provision in ePrivacy Directive

By EDRi · April 23, 2008

(This article is also available in German)

The European Data Protection Supervisor (EDPS) has issued his opinion on the
new draft text of the Directive on Privacy and Electronic Communications
(ePrivacy Directive) as proposed by the European Commission.

One of the important changes in the new text supported by the EDPS is the
creation of a mandatory security breach notification system. The system
would require telecoms operators and ISPs to notify their customers when
personal information has been lost. But Peter Hustinx wanted to go further
and asked for the system to apply not only to “providers of public electronic
communication services in public networks but also to other actors,
especially to providers of information society services which process
sensitive personal data (e.g. online banks and insurers, on-line providers
on health services, etc.).”

In his opinion, the EDPS explained that such a notification has clear
benefits: “it reinforces the accountability of organisations, is a factor
that drives companies to implement stringent security measures and it
permits the identification of the most reliable technologies towards
protecting information.” He openly supported the concept, despite some
private-sector opposition: “Indeed, the simple fact of having to publicly
notify security breaches causes organisations to implement stronger security
standards that protect personal information and prevent breaches.”

Another important change backed by the EDPS in the ePrivacy Directive is the
possibility given to legal persons to take action against those who infringe
the spam provisions. Thus ISPs, as well as consumer associations and trade
unions representing the interests of spammed consumers, may take legal action
on their behalf before the courts. The EDPS wanted to go further by proposing
“class actions, empowering groups of citizens to jointly use litigation in
matters concerning protection of personal data. In the case of spam, where a
large number of individuals are receiving spam, the potential exists for
classes of individuals to join together and launch class actions against
spammers.”

The EDPS also asked that legal persons be able to claim damages for the
infringement of any provision of the ePrivacy Directive.

Peter Hustinx also considered that the Directive should broaden its scope of
application to include providers of electronic communication services in
mixed (private/public) and private networks, and welcomed the clarification
that a number of RFID applications fall within the scope of application of
the Directive.

Opinion of the European Data Protection Supervisor on the Proposal for a
Directive amending, among others, Directive 2002/58/EC (Directive on
privacy and electronic communications) (10.04.2008)
http://edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2008/08-04-10_e-privacy_EN.pdf

EDPS Opinion on ePrivacy Directive review: overall positive, but further
improvements should be considered (14.04.2008)
http://edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2008/EDPS-2008-03-EN_ePrivacy.pdf

EU privacy chief wants data breach law for business (17.04.2008)
http://www.out-law.com//default.aspx?page=9053