The Commission’s proposal to introduce an obligation on network operators and Internet Service Providers to notify users of data security breaches has not been debated in detail in Italy.
The Italian Data Protection Authority has not commented on the Commission’s proposal, even though the proposal is significant in that it imposes a new obligation on network operators and service providers.
The Directive on Privacy and Electronic Communications has been fully implemented in Italy through the Legislative Decree 30 June 2003, n. 196 (“Data Protection Code”). In addition to the requirements set out in the Directive, the Data Protection Code sets out additional standards relating to the technical and organisational steps that must be taken.
Section 31 of the Data Protection Code states that when personal data is processed it shall be kept and controlled in a way that minimises the risk of accidental or deliberate destruction or loss of the data, unauthorised access to the data, unlawful processing or processing that is inconsistent with the purposes for which the data has been collected. This should be achieved by having suitable preventive security measures in place. In deciding what is suitable, technological innovations will be considered, as well as the nature of the information and any specific features of the processing.
What is the technological standard for electronic communications networks in Italy?
In addition to the general security requirements described above, the Data Protection Code places specific security obligations on “the provider of a publicly available electronic communications service”. “Electronic communications service” is defined in the Data Protection Code as a “service which consists wholly or mainly of the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting.” This specific category of data controllers includes both network operators and Internet Service Providers.
Section 32 specifically requires these providers to take suitable technical and organisational measures to safeguard the security of their services and the integrity of traffic data, location data and electronic communications against any form of unauthorised use or access. The measures taken must be adequate in the light of the risk.
Section 34 of the Italian Data Protection Code sets out minimum security measures which must be adopted any time personal data is processed by electronic means. These minimum standards include:
- computerised authentication (i.e. having user IDs and passwords for each user; where the system allows it, passwords should be at least 8 characters long)
- implementing management procedures for the authentication credentials
- use of an authorisation system (to ensure that individuals only have access to the data they need to see)
- regular updates of the specifications concerning the scope of the processing operations that may be performed by the individual entities in charge of managing and/or maintaining the electronic means (these updates should take place at least annually, and for sensitive data some updates should take place at least every six months)
- protection of electronic data against unlawful data processing operations, unauthorised access and specific software (i.e. malicious code such as viruses)
- implementation of procedures to protect backup copies, restore data and ensure system availability
- keeping an up-to-date security policy document
- implementation of encryption techniques or identification codes for specific processing operations performed by health care bodies in respect of data disclosing health and sex life.
For example, a controller processing sensitive data must have a security policy document in place (describing how the data is processed) and must update the software it uses at least every six months.
These minimum security measures are to be implemented in accordance with the arrangements laid down in the technical specifications set out in Annex B of the Data Protection Code (the English version of the Italian Data Protection Code which also contains Annex B is available on the Italian Data protection Authority web-site: www.garanteprivacy.it).
Additionally, whenever the security of personal data or the service makes it necessary to take measures that apply to the network, network operators and Internet Service Providers shall take those measures jointly with the provider of the public communications network. Failing an agreement between these providers, the dispute shall be settled, at the request of either provider, by the Authority for Communications Safeguards.
Who must disclose security breaches in Italy?
The disclosure obligation established by the Data Protection Code is imposed on the providers of a publicly available electronic communications service.
As mentioned above the definition of providers of a publicly available electronic communications service may include both network operators and ISPs.
What must they disclose and when?
Section 32 (3) of the Data Protection Code states that, where there is a particular risk of a breach of network security, the provider of a publicly available electronic communications service shall inform subscribers and, if possible, users concerning the risk.
Where this risk lies outside the scope of the standard technological measures to be taken in compliance with the Data Protection Code, the provider of a publicly available electronic communications service shall also inform subscribers and, if possible, users of all the possible remedies, including an indication of the likely costs involved.
Moreover, in this specific situation the information shall also be given to the Italian Data Protection Authority and the Authority for Communications Safeguards.
To whom must they disclose the information?
The information relating to the risk of a possible breach of network security shall be given by the provider of a publicly available electronic communications service to the subscribers, the users (if possible), and – only where the risk lies outside the scope of the standard technological measures to be taken in compliance with the Data Protection Code – to the Italian Data Protection Authority and the Authority for Communications Safeguards.
Likely impact of the Commission’s proposal in Italy
The changes put forward in the European Commission’s proposal go further than current Italian legislation. The changes and their likely consequences are set out below:
- The Italian government should actively participate in setting standards for network security. It is possible therefore that Italian legislation will have to further define the meaning of ‘suitable technical and organisational measures’ required under Section 32 of the Data Protection Code.
- Italian ISPs and network operators will have to state in their contracts with their customers what actions would be taken in response to security breaches. The benefits to customers are, firstly, that customers will be more aware of ISPs’ and network operators’ security procedures and, secondly, that in critical network security situations the ISPs’ and network operators’ duties towards clients will be clearly defined in the contract. This will help to determine ISPs’ and network operators’ liabilities in cases of theft or unauthorised third-party access to customers’ data.
- Italian ISPs and network operators will have to inform the Italian Data Protection Authority of any breach of security that leads to a loss of personal data or an interruption of the service, and not only in cases of exceptional security risk (see Section 32 (3) of the Data Protection Code). The Italian Data Protection Authority will then be able to keep track of ISPs’ and network operators’ security failures. The availability of this data will improve the Authority’s understanding of ISPs’ and network operators’ practice and of the related data protection issues for customers.
- Italian ISPs and network operators will have to inform customers of security breaches leading to loss, modification, destruction of, or unauthorised access to their personal data. This practice will enhance customers’ control over their data. It will also give customers the chance to sue ISPs or network operators for infringements of their privacy.
The additional obligations on ISPs and network operators set out in the European Commission’s proposal may mean that ISPs and network operators implement more appropriate security measures, so as to avoid both the economic loss and the damage to their reputation that would result from having to notify subscribers of a security breach. Another consequence is that subscribers’ and users’ personal data will be better protected. The proposal may also change the approach of Italian companies to their security obligations, making them more attentive to security issues, as they, along with Internet Service Providers and network operators, have often underestimated the importance of security breaches and the risks they carry.