On 25 August 2013, a new Regulation (Regulation No. 611/2013 - the “Regulation”) came into effect regarding the measures which telecommunication operators, internet service providers, and other providers of publicly available electronic communications services (together “Providers”) are required to take in the event that their customers’ personal data is lost, stolen or otherwise compromised.
Under Article 4(3) of the e-Privacy Directive (Directive 2002/58/EC, as amended - the “Directive”), in the event of a personal data breach Providers are under a general obligation to notify the appropriate data protection authority (“DPA”) and, in certain circumstances also the affected subscribers and users, about the breach. However, the Regulation provides clarification about what ‘technical implementing measures’ are required of Providers to meet their obligations under the Directive.
Under the Regulation, Providers will have to do the following:
- notify the DPA of personal data breaches within 24 hours where possible, setting out certain prescribed information (contained at Annex I to the Regulation), including the number of persons affected, the cause and circumstances of the breach, the nature of the affected data and the damage caused, what measures were in place to prevent breaches and what has been done to mitigate further harm (Article 2(2));
- where a Provider is not in a position to give all the information required, it may make an initial report and follow this with a subsequent report containing the information as soon as possible. If this cannot be done within three days then a reasoned justification for the delay will have to be provided (Article 2(3);
- except in cases where the lost data is unintelligible by virtue of ‘technological protection measures’ (i.e. by encryption/cryptography), Providers have an obligation to notify subscribers or individuals who are likely to be adversely affected by a data breach without undue delay (delay may, with the agreement of the DPA, be permitted in exceptional situations to avoid prejudicing an investigation into the breach). In deciding whether someone will be so affected, the Provider should consider the nature/content of the information (for example it may be particularly important if the data is financial, sensitive, personal or geographical), the likely consequences (such as identity theft or fraud), and the circumstances of the breach (Article 3). Annex II to the Regulation sets out prescribed information which must be provided to affected individuals;
- providers should inform affected persons in a way that ensures prompt receipt of the notification. In the event that a Provider cannot reach affected users with whom there is a direct contract, then Providers should publicise the breach in the media (Article 3(7)); and
- where another Provider is contracted to deliver part of the services without having a direct contractual relationship with end-users then this other Provider must notify the Provider who has contracted with end-users in the case of a personal data breach and who in turn is under an obligation to inform affected end-users (Article 5).
The Regulation further provides that each DPA will have to make available a secure electronic method for notification (Article 2(4)). In the event that a data breach relates to the personal data of EU citizens in other EU Member States, then the Provider’s DPA will inform the affected users’ DPA (Article 2(5)).
The reasons for adopting the Regulation are, ultimately, to further the protection of personal data collected and processed by Providers, which includes (according to the European Commission’s press release) “a range of data about their customers, such as name, address and bank account details, in addition to information about phone calls and websites visited”. More specifically though, the Regulation is designed to harmonise data breach notification obligations and remove the uncertainty created by differing national requirements and procedures. It only applies to actual data breaches though, and does not offer any clarity on the obligation to notify subscribers of a particular risk of a breach (Article 4(2) of the Directive).
In adopting the Regulation, the European Commission has sought to ensure that it is fully consistent with the Commission’s proposal to introduce an obligation for all data controllers to notify personal data breaches as part of the draft Data Protection Regulation. However, Providers should be aware that they are likely to remain subject to a higher regulatory burden than other data controllers with the most recent draft of the proposed Data Protection Regulation proposing that the obligation on data controllers will be to notify breaches within a 72 hour period (as opposed to the 24 hour period for Providers under the Regulation).
The European Commission will review and report on the impact and effectiveness of the Regulation by 24 August 2016.
The Regulation provides welcome clarity as to what exactly is required of Providers under the Directive. Whilst some of the notification provisions might appear quite onerous, the Regulation does provide greater certainty and harmonisation of Providers’ notification obligations. Further, the ability to provide preliminary notification reports which are later updated is a sensible and pragmatic approach. However, some points of uncertainty remain, and it is not yet clear what will suffice as a ‘reasoned justification’ for a delay of more than three days in providing DPAs with information about a data breach.
The relief from having to notify users whose data has been properly encrypted or registered unintelligible is an appropriate concession to those Providers which do take proper measures to ensure the security of customer data, particularly when it is of a sensitive nature. Those businesses which fail to take such basic precautions will, in addition to having to notify the individuals affected by a data breach, also face public pressure to explain why they their security was lapse and risk losing the confidence, trust and business of their customers.