On May 6, 2009, the proposed amendments to the e-Privacy Directive received a second reading in the European Parliament. In addition to other measures, it will include a definition of “personal data breach” and will introduce a data breach notification requirement.
The review of the e-Privacy Directive forms part of a wider review of telecoms legislation. The objective of that review is to improve network security and integrity, to increase protection for user personal data and to improve measures to prevent spam and “cyber attacks.” The scope of the amended Directive will include the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks within the European Community, including public communications networks supporting data collection and identification devices.
For the first time in EU law the amendments introduce a definition of “personal data breach” and a data breach notification requirement.
The amendments provide that, in the event of a breach, the provider must, without undue delay, notify the breach to the competent national authority. The notification to the competent national authority must, in addition to the elements included in the notification to the subscriber or individual outlined below, describe the consequences of and the measures proposed or taken by the provider to address the breach. Furthermore, providers must maintain an inventory of personal data breaches, including details of the facts surrounding such breaches, their effect and the remedial action taken, sufficient for the purpose of enabling the competent national authorities to verify compliance with the notification requirement.
In cases where the breach is likely to affect adversely the personal data and privacy of a subscriber or an individual, the provider also must notify the subscriber or individual of the breach without undue delay. At a minimum, the notification to the subscriber or individual must describe the nature of the breach and provide contact details for further information. The notification also must recommend measures to mitigate the possible adverse effects of the breach. Notification of the breach to a subscriber or individual is not required if the provider has demonstrated to competent authority’s satisfaction that it has implemented appropriate technical measures and those measures were applied to the affected data. Such technical measures must render the data unintelligible to persons who are not authorized to access the data. The amendments do provide that, without prejudice to the provider’s obligation to notify subscribers and individuals of a data breach, the competent national authority, having considered the likely adverse effects of the breach, may require the provider to do so in any event.
There is some disagreement regarding unrelated elements of the telecom package currently under consideration. As a result, the entire telecom package will undergo a conciliation procedure, but the proposed amendments to the e-Privacy Directive are not likely to be challenged.
It is not clear when the revision will be adopted. The timing is particularly significant given the forthcoming EU elections. If agreement on the unrelated elements of the telecoms package cannot be reached before June 4, the new parliament may revisit the telecom package in the fall of 2009. If agreement is reached before June 4, the Council could agree on the telecoms package on June 12. Member States will have 18 months from the date of adoption to implement the new requirements into their domestic legislation.
The parliament’s adopted position is available here.