On June 24th, 2013, the European Commission announced that it is putting into place new rules on what exactly telecoms operators and Internet Service Providers (ISPs) should do if their customers’ personal data is lost, stolen or otherwise compromised. The rules are made under the ePrivacy Directive, which allows the Commission to propose “technical implementing measures” – practical rules to complement the existing legislation – on the circumstances, formats and procedures for the notification requirements.
These “technical implementing measures” are intended to ensure that all customers receive equivalent treatment across the EU in case of a data breach, and that businesses operating in more than one country can take a pan-EU approach to these problems.
Under the new rules, telecoms operators and ISPs, which since 2011 have been under a general obligation to inform national authorities and subscribers about breaches of personal data, gain extra clarity about how to meet those obligations.
In this regard, the new rules lay down that operators of communication services must:
- Inform the competent national authority of the incident within 24 hours after detection of the breach, in order to maximise its confinement. If full disclosure is not possible within that period, they should provide an initial set of information within 24 hours, with the rest to follow within three days.
- Outline which pieces of information are affected and what measures have been or will be applied by the company.
- In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.
- Make use of a standardised format (for example an online form that is the same in all EU Member States) for notifying the competent national authority.
The Commission is implementing these rules following its 2011 public consultation, which showed widespread stakeholder support for a harmonised approach in this area. The rules were agreed by a committee of Member States and scrutinised by the European Parliament and Council. They are adopted in the form of a Commission Regulation, which has direct effect and requires no further transposition at national level, and will come into force two months after publication in the EU Official Journal.