The European Council of Ministers has rejected a proposal to extend the scope of security breach notification law to companies that provide services on the internet, such as online banks.
The European Commission, the European Parliament and the Council of Ministers are currently negotiating changes to the ePrivacy Directive (2002/58/EC). The three institutions have adopted differing approaches to the notification of security breaches. The Commission and the Council support a data security breach notification obligation for providers of publicly available electronic communications services (i.e. telecoms companies) only. However, the European Parliament, together with the European Data Protection Supervisor (EDPS) and the Article 29 Working Party, has called for the notification requirement to be extended to companies offering services over the internet, known as Information Society Service Providers (ISSPs).
In Ireland, there is currently no explicit statutory obligation on any organisation to notify data security breaches to the Data Protection Commissioner or to any affected data subject.
On 16 February 2009, the Council proposed revised wording for the proposed Directive, under which the notification provision applies only to telecoms companies and not to ISSPs. It states that, in the case of a personal data security breach, telecoms companies should evaluate the seriousness of the breach and consider whether it needs to be notified to the national regulatory authority and the subscriber concerned. Where the personal data breach amounts to a "serious risk" to the subscriber's privacy, the Council has said that the telecoms company "shall notify the competent national authority and the subscriber of the breach without undue delay".
The Council has therefore left it to the telecoms company to decide whether a breach is serious enough to require notification. In contrast, the European Parliament and the Commission had proposed an obligation to notify the national regulatory authority or competent authorities ("the authorities") of any security breach, leaving it to the authorities to decide whether a breach is serious enough to require notification to the data subjects concerned.
The next step is a vote on the proposed Directive at a second reading by the European Parliament, expected in April 2009. The Parliament can either agree with the Council's position or reinstate, by a majority of its members, all or part of the amendments adopted at its first reading. To become law, the text must be agreed by both the Parliament and the Council.