On April 5, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the current EU personal data breach framework and recommendations for future policy developments (the “Opinion”).
In 2009, the revised ePrivacy Directive 2002/58/EC (the “ePrivacy Directive”) introduced a mandatory data breach notification regime for the telecommunications sector. Pursuant to the ePrivacy Directive, telecommunications and internet service providers are required to report certain data breaches to their national regulator and to affected individuals.
The Opinion describes the current status of the implementation of the mandatory breach framework in the various EU Member States, and provides guidance to national regulators and the European Commission (the “Commission”) for future developments on this topic.
Current Status of Implementation
Although EU Member States are supposed to implement the data breach framework into their national legislation by May 25, 2011, the Working Party anticipates that a significant number of them will not meet this deadline. Most of the Member States have prepared draft bills, but none of the bills have been enacted into law. Based on the input received from the Member States, the Working Party also observes that, except for Austria and Germany, which have had national breach notification laws in place for some time, none of the Member States have expanded the scope of the data breach framework beyond the telecommunications sector.
New Subgroup within the Working Party
The Working Party’s Opinion notes that awareness of data breach notification procedures and the status of their implementation vary among the Member States. To help remedy these disparities, the Working Party intends to set up a new subgroup to serve as a platform for the exchange of views and strategies with respect to implementation. Initially, the platform would focus on (1) the circumstances under which data breaches should trigger the notification of affected individuals, (2) how and when regulators and affected individuals should be notified, and (3) criteria for measuring the effectiveness of technical data protection measures such as encryption. The Working Party also envisions that the platform may be used to coordinate notification procedures in the event of a cross-border data breach.
Recommendations for Future Developments
The Opinion provides various recommendations, including that the Commission should use the implementation powers it has been delegated to promote the harmonization of data breach responses across the Member States. This would include developing (1) a standardized definition of when a breach would trigger notification, (2) procedures to be followed in the event of a breach, (3) a standardized format for breach notices, (4) methods for notifying affected individuals, (5) rules on how companies should maintain inventories of their breach notifications, and (6) the technical safeguards that, if implemented, would exempt a company from having to provide notification in the event of a data breach.
Finally, the Working Party encourages the Commission to extend the scope of the breach notification regime to include all data controllers as part of the Commission’s ongoing review of the Data Protection Directive 95/46/EC.
View a copy of the Opinion.