Article 17 of the Data Protection Directive has been implemented in Sweden by Section 31 of the Swedish Personal Data Act (1998:204). Section 31 states that controllers of personal data shall implement appropriate technical and organisational measures to protect personal data. Such measures shall provide a level of security that is appropriate having regard to (a) the technical resources available, (b) what it would cost to implement the measure, (c) the particular risks that exist in relation to the processing of personal data, and (d) how sensitive the personal data processed really is.
The national regulatory authority for the Personal Data Act, the Data Inspection Board, has published recommendations describing different security measures which can be implemented to ensure an appropriate level of security. What measures are appropriate will depend on the circumstances in the individual case.
All electronic communications directives of 2002, including the E-Privacy Directive, have been implemented in Sweden by the Swedish Electronic Communications Act (2003:389). Section 4 of the E-Privacy Directive, which regulates security of publicly available electronic communications services and networks, has been implemented in Chapter 6, Sections 3-4 of the Electronic Communications Act (ECA). The supervisory authority for the ECA is the National Post and Telecom Agency.
Section 3 of the ECA mirrors Section 31 of the Personal Data Act, stating that “A party that provides a public electronic communications service shall implement appropriate measures to ensure that the data processed is protected. A party that provides a public electronic communications network shall implement those measures that are necessary to maintain the protection within the network. These measures shall be intended to ensure a level of security that, taking into account the available technology and costs for implementation of the measures, is adapted to the risk of infringement of privacy.”
Section 4 of the ECA provides that “If, upon the provision of a public electronic communications service, there is a particular risk of inadequate protection of the data processed, the party providing the service shall inform the subscriber about the risk. If the party that provides the service is not liable under Section 3 to remedy the risk, the subscriber shall be informed about how and at what approximate cost the risk can be remedied.”
The obligation to notify subscribers
Sections 3-4 of Chapter 6 of the ECA protect individuals’ data against security breaches such as unlawful interception. Security issues relating to network reliability are regulated by other parts of the directives and, consequently, other parts of the ECA. Sections 3-4 protect both personal data and other types of information, such as trade secrets, therefore, the term “data processed” is used in the provisions.
The notification requirement under Section 4 described above applies to parties providing public electronic communication services, therefore network operators and ISPs are only caught by the obligation when they are providing an electronic communications service. Such a service is defined as a service that is normally provided for payment, and which mostly or completely comprises the transmission of signals within electronic communications networks. Furthermore, the obligation is limited to situations where there is a risk that inadequate protection and information shall then be provided to subscribers, i.e. persons who have concluded a contract with a provider of public communications services. According to the preparatory works of the ECA the notification requirement does not extend beyond this category of users.
If a risk is identified which is outside the service provider’s scope of possible remedies, the service provider is still obliged to inform the subscribers of how and at what approximate cost such a risk can be avoided. An example is the use of encryption technologies for mobile telephony or communications over the internet, where the service provider’s responsibilities are often limited. In practice, those obligations are fulfilled through brief notices to subscribers.
The Swedish government’s response to the European Commission’s proposal
The Swedish government has submitted a response to the Commission’s proposed changes.
On a general level the Swedish government states that security in electronic communications services and networks is a very complex issue, which requires a thorough analysis of what the problem is, at what level it arises and how it can be resolved. Legislative measures regarding security must therefore be based on input from telecom operators and the telecoms market and requires an in-depth understanding of the present technological conditions. The Swedish government considers that the Commission’s proposal on improving security is lacking in this regard, and comments that the proposal focuses on electronic communications networks although many of the problems occur as part of electronic communications services provided over electronic communications networks. Furthermore, as identified by the National Post and Telecom Agency, interruptions in such services and networks are often caused by other things, such as cable faults, electricity failures, system upgrades and operational problems. The Swedish government considers that the Commission’s proposal should also reflect these kinds of security problems.
Regarding the proposal to require network operators and ISPs to notify security breaches, the Swedish government’s view is that rather than drafting additional principles on the protection of personal data the operators and ISPs should be required to ensure security and confidentiality on a general level. The notification requirement should not be limited to integrity-related incidents, but should also include an obligation to provide information about important service outages and other interruptions and how they will be resolved, as well as information about separate incidents which affect individual subscribers. During service outages, information should be provided continuously whilst the service or network is being restored, whilst in situations where there has been a breach of integrity subscribers should be provided with information as security breaches are often difficult to detect by users. Regarding the requirement to notify the national regulatory authority, the Swedish government’s view is that only serious incidents which affect large parts of the electronic communications services or networks or which are of general interest should be reported by network operators and ISPs. The national regulatory authority should also be given a right to request information regarding less important incidents.
It is not possible to predict the consequences of the Commission’s proposal to improve security at this stage of the consultation process, since it is uncertain whether the proposal will be adopted and implemented. The Swedish government has criticised the proposal, both on a general level and with regards to the notification requirement. Regarding the latter, the Swedish government suggests an even wider scope than what has been proposed by the Commission, which includes an obligation to report service outages and other reliability related interruptions. Whether a notification requirement with such a scope, or with the scope suggested by the Commission, will be an incentive for network operators and ISPs to invest in the security of their electronic communications services and electronic communications networks remains to be seen.