The European Commission has passed a new e-Privacy Directive 2009/136/EC (the Directive) which makes it mandatory for public communications providers (ISPs and telcos) to inform national regulatory authorities of any data security breach. The deadline for transposition of the Directive by member states is 25 May 2011.
The Directive amends e-privacy Directive 2002/58/EC. The Electronic Privacy Regulations (S.I. No. 535 of 2003, as amended by S.I. No. 526 of 2008) transpose e-privacy Directive 2002/58/EC in Ireland. The Regulations impose a specific obligation on public communications providers to inform subscribers of any "particular risk of a breach of the security of the public communications network".
The Directive now additionally requires that the national regulatory authority should be informed of any personal data breach* without undue delay**. It provides that subscribers or individuals should be notified when the personal data breach is likely to adversely affect the personal data or privacy of the subscriber or individual. The recitals to the new Directive, which are non-binding, but explain the Directive, state that "a breach should be considered as adversely affecting the data or privacy of a subscriber or individual where it could result in, for example identity theft or fraud, physical harm, significant humiliation or damage to reputation in connection with the provision of publicly available communications services in the Community".
The Directive does not require notification of a personal data breach to a subscriber or individual if the national regulatory authority is satisfied that it has implemented appropriate technological protection measures. Such technological measures must render the data unintelligible to any person who is not authorised to access it.
However, where a public communications provider has not already notified a subscriber or individual of a personal data breach, the national regulatory authority, having considered the adverse effects of the breach, may require it to do so.
Notification of the breach to the subscriber or individual should describe the nature of the personal data breach and the contact points where more information can be obtained, and should recommend measures to mitigate the possible adverse effects of the personal data breach. The notification to the national regulatory authority should additionally describe the consequences of, and measures proposed or taken by the provider to address the personal data breach.
The Directive applies only to personal data breaches which occur within the electronic communications sector. Outside that sector the position remains the same: there is no express legal obligation for an organisation to notify data security breaches to the Data Protection Commissioner or to any affected data subject. It is worth noting, however, that a Data Protection Review Group (the Review Group) was set up in Ireland by the Minister for Justice, Equality and Law Reform in November 2008 to examine whether changes need to be made to Irish data protection law to deal with personal data breaches. The Review Group issued a consultation paper in October 2009 outlining the main regulatory options available to Ireland in relation to legislating for data breaches and inviting submissions on its proposals.
The Data Protection Commissioner (the DPC) also published interim breach notification guidance in April 2009. The guidance recommends that as soon as an organisation becomes aware that personal data for which it is responsible has been compromised, it should immediately notify the DPC.
We will cover the reform package in more detail in a later update.
* "Personal data breach" is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community".
** "Without undue delay" is not defined, but the recitals of the new Directive indicate that the public communications provider should notify the breach to the national regulatory authority "as soon as the provider...becomes aware that such breach has occurred".