On 5 April 2011, the Article 29 Working Party issued a working document in which it reviewed the manner in which the different Member States have transposed the data breach provisions of Directive 2009/136 of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive”).
The ePrivacy Directive provides that Member States should oblige providers of publicly available electronic communications services (i.e. internet service providers) to notify the authorities and the individuals concerned if a breach of security leads to the accidental or unlawful disclosure of, or access to, personal data of such individuals (also known as a data breach).
Although the ePrivacy Directive had to be transposed into national law by 25 May 2011, the Article 29 Working Party concludes that currently not a single Member State has transposed the ePrivacy Directive. According to the Working Party, the delay in the transposition of the ePrivacy Directive in the different Member States mainly results from a lack of awareness of this subject matter in some Member States. In order to adequately address this issue, the Article 29 Working Party proposes to establish a sub-group which raises awareness regarding data breach notifications by exchanging knowledge between the different Member States and by developing harmonized procedures on this matter. The Article 29 Working Party also proposes that the sub-group coordinate the data breach notification procedures in case of cross-border data breaches.
In addition, the Article 29 Working Party welcomes the European Commission’s initiative to extend the scope of the data breach notification obligation. This initiative implies that the data breach notification obligation, which currently only applies to providers of publicly available electronic communications services, will be made applicable to all data controllers. (LDA) The working document can be found at http://idpc.gov.mt/dbfile.aspx/WP_184.pdf.