On March 2, 2011, the German Federal government adopted a draft law revising certain sector-specific data protection provisions in the German Telecommunications Act. The draft law addresses the implementation of data breach notification requirements in the European e-Privacy Directive by introducing a breach notification obligation for telecommunications companies.
According to the proposal, telecommunications companies must report data breaches to the Federal Network Agency (the Bundesnetzagentur or “BNetzA”), and the Federal Commissioner for Data Protection and Freedom of Information. In the event the rights or protected interests of subscribers or other persons are affected by the data breach, such individuals also must be notified without undue delay. Notification is not necessary, however, if the telecommunications provider can demonstrate that it had in place a security plan to protect the potentially-affected personal data by appropriate technical means, such as encryption. Notwithstanding this exception, the BNetzA will have the authority to require any telecommunications company to provide notification to individuals regardless of information security protections in place at the time of the breach.
The law also contains detailed content requirements for the notifications that must be sent to data subjects and the two authorities. In addition, telecommunications companies will be required to maintain records of data breaches in accordance with specific provisions set forth in the law.
The revised data protection provisions also require providers of location-based telecommunications services to send text messages informing users whenever their mobile devices are being tracked based on location.