Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communication sector (the e-Privacy Directive) obliges providers of publicly available electronic communications networks and services to notify personal data breaches to competent national authorities, subscribers, and individuals. To ensure a certain level of uniformity, Directive 2002/58/EC also mandated the Commission to prescribe technological protection measures concerning information and notification requirements. The new Regulation 611/2013 covers these measures. The key points of this Regulation are summarized hereunder.
- Notification to the national competent authority
The provider is obliged to notify personal data breaches to the competent national authority (BIPT for Belgium) within 24 hours after the provider has detected the breach.
The data breach is considered to have taken place when the provider is sufficiently aware of the occurrence of a security incident which compromises personal data. From that moment on, the provider must send a notification to the national competent authority. This notification must include, among other things, information identifying the provider, the content and nature of the personal data breach, and the date, time, and circumstances of the breach. If the required information is not yet available, the provider may issue a first notification containing only a minimum of information, provided that it is followed by a second notification within three days of the first. This second notification must contain the outstanding information. If, within this three-day period, the provider could not gather all necessary information, it must notify as much information as it has, along with a justification for the late notification.
If a subcontractor is involved, it must immediately inform the main contractor about the data breach.
The competent national authority is obliged to provide a secure electronic means for the notifications and also provide information on the procedure to be followed. If the data breach affects subscribers or individuals residing in another Member State, the competent national authority to which the data breach has been notified must inform the national authorities in other Member States.
- Notification to the subscriber or individual
If a personal data breach risks having adverse effects on the personal data or privacy of the subscriber or individual, the provider must also notify the subscriber or the individual of the breach without undue delay after it has detected the breach. The Regulation enumerates a number of circumstances, such as the nature and contents of the personal data or the consequences of the breach for the subscriber or the individual, which must be taken into account to assess whether the breach may have any adverse effects on the subscriber or individual.
The notification must contain certain information about the incident. It must be delivered promptly and be clear and understandable. The means of communication by which the notification is made must be appropriately secured. In exceptional circumstances, if the notification would put the proper investigation of the personal data breach at risk, the notification may be delayed.
If the provider cannot identify all subscribers and individuals who would be affected by the breach, the provider may notify them by placing advertisements in major national or regional media. The advertisements should contain the same information as mentioned above, in a condensed form if necessary.
- Technological protection measures
As an exception, notification to a subscriber or individual is not required if the provider proves that it has implemented appropriate technological protection measures and has applied these measures to the compromised data. These technological protection measures should render the data unintelligible for any unauthorized person (e.g., by encryption).
This new Regulation can be found at http://eurlex.europa.eu