The European Parliament has just adopted at first reading a sweeping package of telecoms reforms proposed by the European Commission back in November 2007. This includes a proposal to introduce mandatory notification of data security breaches by telecoms operators and internet service providers (ISPs). In the wake of a number of high-profile security incidents in the UK and elsewhere, the debate has reopened as to whether there should be a mandatory breach notification law to force companies to keep data more secure.

The package, which will replace the 1997 Telecoms Directive, aims to reform the regulation of the telecommunications market in Europe, with a focus on strengthening consumers' rights and increasing users' data security and access to new technology. This article focuses on just one of the Commission's proposals - to amend the E-Privacy Directive to require telecommunications operators and ISPs to notify the national regulator and users of data security breaches.

In the Commission's view, "consumer trust in the security of communications services and the protection of their personal data is essential". Telecoms operators should therefore be obliged to inform their customers without delay, whenever their personal data has been compromised (for example, illegally accessed, copied or lost) as a result of a security problem. The Commission also argues that this obligation will not only help consumers prevent financial fraud or identity theft by taking the necessary precautions, but the risks of bad publicity will give operators an added incentive to invest more in the security of their networks and services.

Not everyone supports a mandatory notification system. The Information Commissioner's Office (ICO) has in the past stopped short of recommending a mandatory requirement, because frequent news of minor breaches could be counterproductive by desensitising people to the effects of serious breaches - "it's like crying wolf". This has been the experience in the US and Japan, which already have notification laws and where their effectiveness has been questioned because of over-reporting. The ICO currently recommends "voluntary" notification, under which, as a matter of good practice, organisations should inform the ICO of all "serious breaches".

The National Consumer Council (NCC), and its European counterparts, want the proposals to go further and have recently been lobbying the EU to extend the system to all information society services, such as on-line banks, credit card companies, and other on-line businesses. Broadening the scope of the system would bring the benefits to all individuals who face privacy risks from the on-line processing of their personal data. MEPs have also said they want privacy rules to "cover private not just public networks, so data stored on social networking sites such as Facebook will be covered by the rules". It will be interesting to see how far the EU will take these recommendations.

Among the other proposals in the reform package adopted by the European Parliament are:

  • The creation of an EU-wide co-regulatory body that would involve the Commission and the existing national telecoms regulators.
  • The requirement for telecoms operators to publish information on tariffs and conditions in a clear manner so as to make it easy for consumers to compare prices.
  • The introduction of "number portability", which would allow consumers to change their fixed or mobile operator while keeping their same phone number within one working day.
  • Improvements to the performance of the 112 EU-wide emergency number.
  • The harmonisation of radio spectrum use across the EU as space is freed up by the switch from analogue to digital TV, which should facilitate the rollout of "broadband for all" in Europe.

The next step for these reforms comes when the European Council meets on 27 November 2008 to discuss the proposals. It is hoped the new framework could become law by 2010. The industry will be keenly watching how the proposals develop and we will keep readers up to date with any developments. In the meantime, organisations should ensure they are fully prepared to deal with any security breaches.