The European regulatory framework on electronic communications obliges providers of public electronic communications services to notify personal data breaches to their national authorities.(1) However, the European Commission recently found a lack of harmonisation among member states in this respect, and exercised its power to issue technical implementing measures on the notification obligations by publishing EU Regulation 611/2013.(2) This directly applicable and fully binding regulation will enter into force on August 25 2013.
The new regulation applies to all providers of public electronic communication services. If a provider detects a personal data breach, it must notify the competent national authority of the breach within 24 hours.(3) This deadline can put a provider under considerable pressure, since it may be hard to meet once the circumstances of a real incident are taken into account. The regulation softens the requirement by stating that the notification must occur within 24 hours "where feasible". Where a provider cannot compile all required information about the incident within that timeframe, it may file an initial notification within 24 hours containing the information listed in section 1 of Annex I, and must then supply a second notification with the further details in section 2 of Annex I as soon as possible, and at the latest within three days of the initial notification.
Additionally, the provider must notify affected individuals without "undue delay" if the data breach is likely to adversely affect their personal data or privacy.(4) Each provider must therefore assess, after a data breach, whether individuals may be adversely affected (the regulation explicitly lists parameters that must be considered in the course of this assessment). The regulation sets no firm timeframe for notifying individuals, only that the notification be issued without "undue delay". Under exceptional circumstances, however, the notification to individuals may be delayed with the permission of the national authority.(5) When notifying individuals, the provider must issue the information set out in Annex II of the regulation.
From August 25 2013 the regulation will apply directly in all EU member states. Under the precedence principle,(6) by which EU law takes priority over the national laws of the member states, national rules that contradict the regulation cease to apply from that date. Such national law is neither rescinded nor repealed, but its binding force is suspended for as long as the conflict persists.
From a superficial glance at the Austrian Telecommunications Act,(7) one might conclude that the notification requirements implemented in the act are more or less in line with the new regulation. However, a closer look raises some substantial questions.
Most importantly, it should be considered whether the new regulation changes which national authority is competent. The regulation refers to the "national competent authority".(8) In Austria this raises the question of whether that authority is the national telecommunications regulator or the data protection regulator. The existing act requires providers to notify the Data Protection Commission, which must then inform the telecommunications regulator. It is unclear whether this allocation of competencies remains compatible with the new regulation.
The regulation itself is silent on this question. However, it seems doubtful that a data protection authority is the "competent national authority" within the meaning of the regulation, since the EU Data Protection Directive did not force member states to install national data protection regulators.(9) If the "competent national authority" were understood to be a country's data protection regulator, the regulation would be inapplicable in states with no such regulator. The regulation therefore appears to imply that notification must be made to the national telecommunications regulator. If so, this would contradict (and arguably suspend) the corresponding provision of the Austrian act.
To be on the safe side, Austrian communication service providers are therefore advised to submit their notification to both the telecommunications regulator and the data protection regulator.
This is only one example of the complex questions that the new regulation raises about its interplay with existing national telecommunications and privacy law. Such questions cannot be resolved within the regulation's 24-hour notification window, and should therefore be worked through thoroughly, well in advance of any data breach, so that the notification path is already settled when an incident occurs.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.
(3) Detection of a personal data breach is deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred leading to personal data being compromised, such that it can make a meaningful notification as required under Article 2(2) of the regulation.
(6) The European Court of Justice enshrined the precedence principle in Costa v Enel on July 15 1964. With later cases, the court clarified that the precedence of European law must be applied to all national acts.