Under a new regulation on the notification of personal data breaches, providers of publicly available electronic communication services must provide notices to authorities of breaches within 24 hours. If the provider lacks full information about the data breach, a preliminary notice is required, with a subsequent notification within 3 days after the initial notification. The subscribers must be notified without undue delay if the data breach is likely to adversely affect the personal data or privacy of the subscribers. Encryption of data could prevent such notification to subscribers. An indicative list on sufficient technological standards of encryption will be published only in the future. This new regulation will enter into force 2 months after its publication in the official journal.
EU-wide harmonised approach to data breach notification
The ePrivacy Directive 2002/58/EC, as revised (2009/136/EC), sets out privacy requirements for telecoms operators and Internet service providers. In case data is stolen or lost or accessed by unauthorised persons (‘personal data breaches’), the provider has to report this to a specific national authority, usually the national data protection authority or the communications regulator. Also, the provider has to inform the concerned subscriber directly when the breach is likely to adversely affect personal data or privacy. To ensure consistent implementation of the data breach rules across Member States, Article 4 of the ePrivacy Directive allows the Commission to adopt “technical implementing measures” – practical rules to complement the existing legislation – on the circumstances, formats and procedures for the notification requirements.
Details of the new regulation
The “technical implementing measures” contain very specific provisions on deadlines for the notification and the content of such notification. Companies must:
• Inform the competent national authority of the incident within 24 hours after detection of the breach. The content of such notification is specified in an annex to the regulation. If full disclosure is not possible within that period, they should provide an initial set of information (also specified in the annex of the regulation) within 24 hours. In case of an incomplete first notification, the rest (or anything that is available at that time) must follow within three days after the initial notification.
• Outline which pieces of information are affected and what measures have been or will be applied by the company.
• In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.
In this case of a likely adverse effect, the subscribers must be informed “without undue delay”. If a company decides that the need to investigate the data breach requires that the information to subscribers should be delayed, the company must obtain the authority’s approval for such delay.
The Commission will also publish an indicative list of technological protection measures, such as encryption techniques, which would render the data unintelligible to any person not authorised to see it. If a company applies such techniques but suffers a data breach, they would be exempt from the burden of having to notify the subscriber because such a breach would not actually reveal the subscriber’s personal data.
The current wording of technological protection measures, as defined in Article 4 paragraph 2 of the regulation, is very strict: The data are unintelligible if the key used to decrypt the data has been generated so that “it cannot be ascertained by available technological means by any person who is not authorised to access the key”. Thus, the wording is rather absolute, and one can only notice the absence of any reference to “unreasonable efforts” or similar terms.
Relevance for further legislation, in particular the Draft Regulation on Data Protection
The new regulation is independent of the EU Commission’s proposal for a Draft Data Protection Regulation, and only implements the authority granted to the EU Commission by Article 4 of the ePrivacy Directive to adopt “technical implementing measures”. However, the EU Commission points out in Recital (19) of the new regulation that the Draft Data Protection Regulation would introduce a general data breach notification obligation, and that the new regulation is “fully consistent with this proposed measure”.
This is true for the initial Draft Data Protection Regulation, also providing for a 24 hour notification obligation. This was heavily discussed and proposed to be altered in Jan Philipp Albrecht’s report. The now presented regulation, however, still refers to the 24 hours.
Once published in the official journal, there are only 2 months until the regulation will enter into force. Each telecoms operator and ISP provider falling offering “publicly available electronic communications services” under the jurisdiction of an EU member State will have to alter existing internal procedures to comply with the new 24 hour notification deadline. Encryption and other technological measures will have to be screened whether they comply with the new requirements as set out in general terms, and any indicative list published in the future.