European Commission data security breaches legal obligation

18 October 2006

David Clark

Summary

The European Commission has proposed that the directive on privacy and electronic communications (2002/58/EC)("E-Privacy Directive") be amended so that network operators and ISPs would be required to notify national regulatory authorities and their customers of any security breaches.

The proposed change

Article 4(2) of the E-Privacy Directive currently requires service providers merely to notify subscribers (i.e. their customers) if there is a "particular risk of a breach of the security to the network". The European Commission proposal is for network providers and ISPs to notify:

  • national regulatory authorities of any breach of security that would lead to the loss of personal data or to interruptions in the service. The regulator could then inform the public if he considered this to be in the public interest; and

  • their customers of any breach of security leading to the loss, modification or destruction of, or unauthorised access to, personal customer data (it is not clear from the proposal wording whether providers would be required to notify all their customers, or only those affected by the breach).

Reasons

The proposal states that network operators and ISPs, "as the gatekeepers for users' access to the on-line world", carry a "special responsibility" for protecting personal data against loss, alteration and unauthorised disclosure or access. The notification requirements would "create an incentive for providers to invest in security", and would do so without the need to micro-manage the providers' security policies.

Source

On 29 June 2006 the European Commission issued a Communication to launch a public consultation on the future of the regulatory framework for electronic communications. The consultation is to run until 27 October 2006. The details of the proposed requirement to notify security breaches are set out at paragraph 7.2 of the accompanying Staff Working Document.

Comment

The proposal, if adopted, would have important practical consequences for network providers and ISPs and would represent a significant tightening of the data protection regime in which they currently operate. The obligation to notify regulators and customers of data security breaches (and to notify regulators of interruptions to the continuity of service) might seriously damage a provider's public reputation. It would certainly oblige such a provider to devote considerable resources to the task of speedily reassuring customers, responding to regulators' queries and instructions, and carrying out a PR damage-limitation exercise. This would be in addition to implementing a technical remedy, which would be needed in any case.

The proposal does, however, fall short of the obligations in similar legislation applicable in other jurisdictions. For example, the California Security Breach Notification Law of 1 July 2003 requires all government agencies, companies and non-profit organisations that process personal data relating to Californian residents to notify those residents where their data has been compromised by unauthorised access; i.e. the obligations under Californian law are not limited to network providers and ISPs but extend to all data processors who hold personal data on California residents in computerised form.

Note: the consultation ends on 27 October 2006.