On June 24, 2013, the European Commission announced new technical implementing measures that address the EU data breach notification requirement for telecom operators and internet service providers (“ISPs”). Based on a Commission Regulation, these companies must:
- notify the competent national authority of the incident (or at least provide an initial description thereof) within 24 hours after detection of the breach;
- outline which data are affected and what measures have been or will be taken by the company;
- pay attention to the type of data compromised when assessing whether to notify subscribers (i.e. evaluating whether the breach is likely to have an adverse effect on personal data or privacy); and
- use a standardized format for notifying the competent national authority (e.g. an online form which is the same for all EU Member States).
Since 2011, telecom operators and ISPs have been operating under an obligation of the revised e-Privacy Directive to notify national authorities and subscribers in the event of a breach of personal data. A “breach” is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The aim of the new measures is to ensure consistent implementation of the data breach notification requirement across EU Member States so that all subscribers will receive equal treatment across the EU and businesses can take a pan-EU approach when complying with the notification requirement.
In conjunction with ENISA, the Commission will also publish an indicative list of technical safeguards, such as encryption techniques. Companies that apply such safeguards would be exempt from the burden of having to notify affected subscribers, because a breach of data protected in this way would not reveal personal data.
The technical implementing measures are adopted as a Commission Regulation, which has direct effect and does not require implementation into the national law of the EU Member States. The new measures will become effective two months after their publication in the EU Official Journal.