On 24 June 2013, the European Commission (“Commission”) published a draft Regulation (Regulation No. 611/2013) (“Regulation”) that clarifies and confirms the measures which telecommunications operators, internet service providers and other providers of publicly available electronic communications services (“Providers”) are required to take if their customers’ personal data is lost, stolen or otherwise compromised.
Providers in the European Union (“EU”) are currently subject to national laws implementing the 2002 ePrivacy Directive (2002/58/EC as amended) which require them to keep personal data confidential and secure (such data including customers’ names, addresses, bank account details and information about phone calls and websites visited). In the event that a “personal data breach” occurs and such personal data is compromised, Providers are required by Article 4(3) of the ePrivacy Directive to notify the competent national data protection authority (“DPA”), and in certain circumstances also the affected subscribers and individuals, about the breach.
The Regulation introduces “technical implementing measures” which aim to clarify how Providers should meet those obligations. For example, the Regulation states that Providers must:
- inform the relevant DPA of the incident within 24 hours after detection of the breach, in order to maximise its confinement. If full disclosure is not possible within that period, the Provider should provide an initial set of information within 24 hours, with the rest to follow within three days;
- take into account the type of data compromised when assessing whether to notify subscribers and individuals, in particular where the data concerns financial information, location data, internet log files, web browsing histories, e-mail data, itemised call lists and data that qualifies as ‘sensitive data’ under Article 8(1) of the Data Protection Directive (95/46/EC);
- provide to the DPA and/or relevant subscribers or individuals the information detailed in the Annexes to the Regulation (e.g. a summary of the incident, nature and content of the data affected, and the technical and organisational measures taken by the Provider to mitigate the consequences); and
- notify the DPA by using the secure electronic means of notification to be provided by the relevant DPA.
The purpose of these measures is to ensure that all customers receive equivalent treatment across the EU in the event of a data breach, and that Providers which operate in more than one EU country can adopt a single, standard approach to addressing data breaches across the EU. The Commission also hopes to incentivise Providers to encrypt personal data: the Regulation provides that the ePrivacy Directive’s exemption from the obligation to notify subscribers or individuals will apply where the Provider has encrypted the data such that it is unintelligible to unauthorised third parties without the relevant decryption key.
The Regulation will come into force in all 28 EU Member States on 25 August 2013 and will have direct effect without the need for implementing national legislation. Its provisions are likely to be welcomed by Providers as they provide a clearer roadmap to compliance with existing ePrivacy Directive obligations without imposing any additional new obligations.
The recitals to the Regulation confirm the Commission’s intention to ensure that its provisions are consistent with the Commission’s proposal, in the draft Data Protection Regulation, to introduce an obligation for all data controllers to notify personal data breaches. Nevertheless, Providers are likely to remain subject to a higher regulatory burden than other data controllers, as demonstrated by the most recent draft of the proposed Data Protection Regulation, which gives data controllers a 72-hour period to notify breaches (as opposed to the 24-hour period for Providers under the Regulation).