On 26 June 2013, a new Commission Regulation on what precisely telecommunications operators (telcos) and Internet Service Providers (ISPs) should do if their customers' personal data is lost, stolen or otherwise compromised was published in the Official Journal of the EU. The purpose of the new rules is to ensure businesses, operating in more than one EU country, can take a pan-EU approach in the event of a data breach.
Since 2011, telcos and ISPs have had a mandatory obligation under the e-Privacy Regulations 2011 (S.I. 336/2011) to notify national data protection authorities, and any individuals adversely affected, about breaches of personal data. However, the 2011 Regulations do not prescribe specific timeframes for breach notification.
The new Regulation provides businesses with clarity on how to meet their existing breach notification obligations. Companies will be required to:
- Notify the competent national authority of the personal data breach no later than 24 hours after detection of the breach, in order to maximise its confinement. If it is not feasible to make full disclosure within that period, an initial notification should be made within 24 hours, with the remaining information to follow within three days.
Annex 1 of the Regulation sets out the information to be contained in the notification to the competent national authority.
In assessing whether to notify individuals of the data breach incident companies should consider:
- The nature and content of the data compromised, in particular where the data concerns financial information, location data, internet log files, web browsing histories, email data, and itemised call lists.
- The likely consequences of the breach for the subscriber.
- Whether the data has been stolen or is in the possession of an unauthorised third party.
Annex 2 of the Regulation sets out the information to be contained in the notification to the individuals adversely affected by the breach.
The Regulation has direct effect and will come into force on 25 August 2013.