On 25 August 2013, a new European Regulation 611/2013 (“Regulation”) came into effect, changing and expanding the procedure for breach notification laid out in the E-Privacy Directive 2002/58/EC as amended (“E-Privacy Directive”). The Regulation applies to “providers of publicly available telecommunications services” (e.g. telecommunication companies, ISPs, email providers, often collectively known as “PECS providers”). However, as the draft General Data Protection Regulation promises to introduce general breach notification requirements, it is also of general interest as a sign of things to come.

As a Regulation, the instrument is already legally binding and directly effective in all Member States. Its rules take the place of the Member State-specific requirements in this area.

The Regulation outlines two breach notification obligations: (i) to the relevant national authority (which is not necessarily the local data protection authority), and (ii) to affected individuals. We have highlighted the main obligations from the new Regulation, as compared with the E-Privacy Directive. We have also collated online forms for all Bird & Bird countries, to provide an easy-to-use resource for PECS providers.

The following table outlines where the new online notification procedures can be found in different Member States:
