Operators of European telecoms networks and service providers may face substantial new data security obligations if the European Union adopts changes to the electronic communications regulatory framework that are making their way through the legislative process in Brussels. In particular, both public and private providers may have to notify either their national regulators or consumers of any breach of security that threatens personal data.
Such an obligation, largely new to Europe, would set up new procedures and costs for any company involved with communications services - from traditional telecoms operators to any provider of "triple play" services. Proposals are also afoot to extend the data security notification to private networks, which could pull in Internet service providers, hospitals, universities, and numerous other operators of large systems.
The European proposals arose in mid-November 2007 when the European Commission issued hundreds of possible changes to the regulatory framework. Among them was an entirely new chapter to the Framework Directive 2002/21/EC on security and integrity of networks and services. Among other things, new chapter IIIa would require providers of public networks or services to notify their national regulator of any breach of security with a significant impact on operations. National regulators, in turn, would be given authority to issue binding orders to require operators to comply with security obligations. The Commission echoed this obligation in proposals to change the Electronic Communications Privacy Directive 2002/58/EC - the "ePrivacy" Directive. Those changes would require public providers to notify both subscribers and national regulators of any breach of security that threatened personal data.
Up to now, the regulatory framework maintained a general requirement for providers to take appropriate measures to safeguard security. But providers did not have to notify customers of security breaches, only of security risks.
These Commission proposals must be adopted by the European Parliament and Council to become law. In its first reading, in late September 2008, the Parliament agreed with the basic thrust of the Commission's proposals. The changes to the Framework Directive are mainly editorial, except that Parliament would limit national requirements to those that are "proportionate and economically and technically sustainable."
The Parliament has proposed changes, however, to the ePrivacy Directive, which could greatly expand its scope in important respects.
First, the Parliament would extend mandatory data breach notices far beyond providers of public networks and services. The Parliament proposes to change the Commission's definition of how the directive applies to public networks and services by bluntly adding the words "and private" in a key section. It also would apply the rules on data breach notices to "any undertaking operating on the Internet and providing services to consumers, which is the data controller and the provider of information society services."
In an explanatory text to the changes, a Parliament committee justified the extension based on the increasing mix of public and private services. It also said the amendment followed recommendations from the European advisory body on data privacy known as the Article 29 Working Party, and from the European Data Protection Supervisor.
A second Parliamentary change would draw back the notification requirement, at least a bit. The Parliament proposes that companies liable for data breach notification first notify the national regulator. That regulator would in turn consider whether to require notice to subscribers based on the seriousness of the problem. Companies would nonetheless be required under the amendments to notify their affected users of all breaches of security for public communications services once a year. (It appears that the Parliament did not extend this annual requirement to Internet service providers.)
A third change is subtle, but hugely important. The original Commission version would establish a new right for interested parties to take legal action against infringements of the ePrivacy Directive, but only under the provision on unsolicited communications, or spam. The Parliament would extend this new cause of action to any infringement of the ePrivacy Directive. If the Parliament's version goes through, consumers could conceivably sue for infringements of the network integrity requirement or mishandling of data breach notifications.
The Commission took the unusual step in early November 2008 of issuing a counter-proposal to the Parliament amendments, which rejected most of these changes. The Commission said that including providers of information society services would go beyond the scope of the regulatory framework. It rejected without comment the effort to extend the rules to private networks or to expand legal rights of action. By late November 2008, the Council of Ministers proposed its own set of amendments, which at least on data breach are closer to the Commission position. The issues now return to the Parliament for its second reading in April 2009. With both Commission and Parliament supporting the basic outlines of data breach reporting, however, it is reasonable to expect that some version will be adopted - and European industry should be preparing for these new obligations.