Commission Regulation (EU) No 611/2013 of 24 June 2013, on the measures that will apply to the notification of personal data breaches under the ePrivacy Directive, has just been published.

Background

According to the European Commission's press release, this Regulation, which sets out “technical implementing measures”, intends to “ensure all (Telecoms Operators and ISP) customers receive equivalent treatment across the EU in case of a data breach and to ensure businesses can take a pan-Europe approach to these problems if they operate in more than one country”, and that is the main reason why these rules will take the form of a Regulation.

The European Commission is also keen to encourage the encryption of data because it will simplify the data breach notification procedure: in that case, telecoms operators and ISPs will be exempt from notifying the subscriber or data subject. Soon the Commission “will publish an indicative list of such technological protection measures”.

Notification to the Data Protection Authority (DPA)

The data breach notification is mandatory for providers of publicly available electronic communications services and shall be made within 24 hours after the data breach is discovered, i.e., “when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised”.

If, within the first 24 hours, it is not feasible to bring together all the information required for the data breach notification, the provider shall complete the notification to the DPA with such information within 3 days.

The initial notification, made within the first 24 hours, shall include the following information:

  1. Identification of the provider and contact point;
  2. Initial information on the personal data breach (which can be further completed and updated) explaining the information affected and the measures applied or that will be applied:
     • Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident;
     • Circumstances of the personal data breach (e.g. loss, theft, copying);
     • Nature and content of the personal data concerned;
     • Technical and organisational measures applied (or to be applied) by the provider to the affected personal data;
     • Relevant use of other providers (where applicable).

The later notification, required whenever it was not possible to obtain all the information within the first 24 hours and made within 3 days after the initial notification, should include:

  1. Further information on the personal data breach:
     • Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved);
     • Number of subscribers or individuals concerned;
     • Potential consequences and potential adverse effects on subscribers or individuals;
     • Technical and organisational measures taken by the provider to mitigate potential adverse effects.
  2. Possible additional notification to subscribers:
     • Content of notification;
     • Means of communication used;
     • Number of subscribers or individuals notified.
  3. Possible cross-border issues:
     • Personal data breach involving subscribers or individuals in other Member States;
     • Notification of other competent national authorities.

If the provider is unable to provide all the information referred to above within the 3 days after the initial notification, the provider shall notify the DPA within that period with all the information it was able to obtain and present a reasoned justification for the delay.

A later notification should also be made to update any information previously provided to the DPA.

DPAs shall make available to all providers:

  1. a secure electronic means for notification of personal data breaches; and
  2. information on the procedures for its access and use.

If the data breach affects subscribers and data subjects in other Member States, the notified DPA shall inform the other DPAs.

Notification to the subscriber or data subject

Providers shall notify the subscribers or data subjects only where the data breach is likely to adversely affect their personal data or privacy.

This Regulation gives some guidance and examples to assess whether the data breach is likely to adversely affect the personal data or privacy of the subscribers or data subjects:

  1. Nature and content of the personal data concerned:
     E.g.: financial information, location data, internet log files, web browsing histories, e-mail data and itemised call lists;
  2. Likely consequences to the subscriber or data subject:
     E.g.: identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation;
  3. Circumstances of the personal data breach:
     E.g.: where the data has been stolen or when the provider knows that the data are in the possession of an unauthorised third party.

The notification to the subscriber or data subject (i) shall be made without undue delay and (ii) is not dependent on the notification to the DPA. Where it is not possible to identify all individuals, the notification can be made through advertisements in major national or regional media (in a condensed form), without prejudice to further efforts to identify such individuals and notify them as soon as possible.

The notification to the individuals must be made (i) in a “clear and easily understandable language” and (ii) “by means of communication that ensure prompt receipt of information and that are appropriately secured”. Moreover, it should not be used for any other purposes apart from the data breach.

The notification to the individuals shall include the following information:

  • Name of the provider;
  • Identity and contact details of the data protection officer or other contact point where more information can be obtained;
  • Summary of the incident that caused the personal data breach;
  • Estimated date of the incident;
  • Nature and content of the personal data concerned;
  • Likely consequences of the personal data breach for the subscriber or individual;
  • Circumstances of the personal data breach;
  • Measures taken by the provider to address the personal data breach;
  • Measures recommended by the provider to mitigate possible adverse effects.

The notification to the individuals may be delayed, if and under the terms authorised by the DPA, where in exceptional circumstances the notification may jeopardise the investigation of the personal data breach.

Use of another provider

Pursuant to this Regulation, where other providers are used (providers that have no direct contractual relationship with subscribers), they shall immediately inform the prime contracting provider in the case of a personal data breach.

Entry into force

This Regulation will enter into force on August 25, 2013, and will be directly applicable in all EU Member States.

Final considerations

Only time and practical experience will reveal to what extent these measures need to be further regulated at EU level or by each Member State, bearing in mind particularly the 4 words of the European Commission Vice-President Neelie Kroes regarding this Regulation: “…, and businesses need simplicity.”