Security EU Privacy

New EU Rules Require ISPs, Telcos To Come Clean Within 24 Hours of Data Breaches

hypnosec writes "Under new EU regulations, ISPs and telcos serving European customers will have to come clean within 24 hours in case of a security or data breach that leads to theft, loss, or compromise of data. Companies will have to disclose the nature and size of the breach within the first 24 hours. Whenever it's not possible to submit such data, they must provide 'initial information' within the stipulated time and full details within three days. Under the new terms the affected organizations will be required to reveal information such as what information has been compromised and the steps that have been taken or will be taken to resolve the situation. If the breach 'is likely to adversely affect' personal information or privacy, affected businesses and consumers will be notified of the breach."
  • by Anonymous Coward on Tuesday June 25, 2013 @01:57AM (#44098421)

    The EU Privacy directive is still law, and the EU Right to Privacy is still written directly into UK law. RIPA does not trump the fundamental rights, and it didn't give them permission:
    http://www.legislation.gov.uk/ukpga/2000/23/section/1

    "(4) Where the United Kingdom is a party to an international agreement which—
    (a) relates to the provision of mutual assistance in connection with, or in the form of, the interception of communications,
    (b) requires the issue of a warrant, order or equivalent instrument in cases in which assistance is given, and
    (c) is designated for the purposes of this subsection by an order made by the Secretary of State,
    it shall be the duty of the Secretary of State to secure that no request for assistance in accordance with the agreement is made on behalf of a person in the United Kingdom to the competent authorities of a country or territory outside the United Kingdom except with lawful authority."

    You didn't have a UK court order, so you didn't have lawful authority to intercept UK comms. It was done illegally. You cannot transcribe a mass surveillance directive FISA warrant into UK law and pretend it gives you UK lawful authority. FISA law does not apply to the UK; a FISA warrant does not count as lawful authority. If it did, then American law would count as lawful authority over any UK law.

    Without even getting into whether a US law that violates the 4th Amendment is lawful authority or not, it is not lawful in the UK. It is not lawful under RIPA.

    So the companies who assisted in this need to come forward and report what they did as a data breach, because that is what it is. Parliament rules the UK, not GCHQ, not the NSA.

    In particular, Vodafone is buying Deutschland Kabel, and Vodafone's network in Greece was spied on in 2004, so the Germans need to ensure their network is secure from extra-legal surveillance before allowing that to go ahead. Answers are needed.

  • Re:NSA too? (Score:4, Insightful)

    by scarboni888 ( 1122993 ) on Tuesday June 25, 2013 @07:45AM (#44099205)

    I got it, this one's easy.

    Today's 'average person' may be tomorrow's protestor. Heck, that person might actually start turning into someone that other proletariat start listening to. And if their message is in any way threatening to those that gain from the power of the national security apparatus, then said apparatus can dig into the so-called 'average person's' past communications to dig up the dirt on them, discredit them, jail them if necessary, and thereby retain their power without threat.

    See how easy that is?

    You're welcome.
