EU Considers Strict Data Breach Notification Rules 33
JohnBert writes "The European Commission is examining whether additional rules are needed on personal data breach notification in the European Union. Telecoms operators and Internet service providers hold a huge amount of data about their customers, including names, addresses and bank account details. The current ePrivacy Directive requires them to keep this data secure and notify individuals if such sensitive information is lost or stolen. Data breaches must also be reported to the relevant national authority. 'The duty to notify data breaches is an important part of the new E.U. telecoms rules,' said Commissioner Neelie Kroes. 'But we need consistency across the E.U. so businesses don't have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.'"
Re:breach (Score:4, Informative)
Certainly in the UK, the government has had to notify data breaches in the past. The Department of Work and Pensions is one recent example.
People doing business in the EU have to either store data in the EU, or store it under "safe harbour" provisions which guarantee the same standards as in the EU.
So boxes 1 and 2 are already ticked.
Horizontal v. vertical (Score:4, Informative)
The approach outlined here seems very reasonable to me. Personal data breach legislation was rushed into the reform package for telecommunications services in Europe, because it was better than waiting for the review of the data protection directive, where it properly sits. However, it means that regulation is vertical - affecting only telecoms service provision - rather than horizontal, which would affect all providers. Since directive 95/46/EC [europa.eu] - on data protection - is horizontal, it would make sense to insert the provisions into that directive, and remove them from directive 2002/58/EC [europa.eu] - the directive of privacy and electronic communications..
For those who care, the measures are contained within directive 2009/136/EC [europa.eu] (the relevant measures here are in Art. 2), but are amendments to Art. 4 of ePrivacy directive (above). However, as befits a directive forming part of the telecommunications package, the subject of the regulation are "provider[s] of a publicly available electronic communications service".
"Electronic communications service" is defined in Art. 2 of directive 2002/18/EC [europa.eu], as:
"a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but exclude services providing, or exercising editorial control over, content transmitted using electronic communications networks and services; it does not include information society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or mainly in the conveyance of signals on electronic communications networks"
I highlighted the reference to information society services, since this represents a substantial carve-out - this means that websites on online services which gather personal data, and which might suffer from data breaches, are not within the scope of the breach notification. When play.com suffered a breach, for example, it was not obliged under the breach notification to make any statement. It strikes me as odd - although understandable, given the context - that website operators, which are likely to generate huge swathes of personal data, should not be within scope. Something which a change from vertical regulation to horizontal regulation would hopefully remedy.