In light of the imminent EU-wide requirement for mandatory notification of data breaches in the telecommunications sector, the European Network and Information Security Agency ("ENISA") - the agency charged with improving network and information security in the EU - has published a report in order to better understand the challenges posed by this requirement.
Currently, most Member States do not have a mandatory data breach notification requirement. In the UK, for example, the Information Commissioner's Office ("ICO") - the UK's data protection authority - issued a guidance note in 2008, advising that it should be notified of serious data breaches. Importantly, however, there is no legal obligation to do so. This is set to change.
Following the agreement on EU Telecoms Reform reached in November 2009, as from May 2011 all communications service providers will be required to inform their relevant data protection authority, and, in some circumstances, the affected customers, of data breaches affecting personal data.
The Telecoms Reform package comprises a number of new Directives and Regulations and aims to strengthen competition and consumer rights in Europe's telecoms markets and, at the same time, facilitate high-speed internet broadband connections in Europe. The Reform package also establishes a European Body of Telecoms Regulators "to complete the single market for telecoms networks and services".
As such, many aspects of the reform will undoubtedly prove challenging, but the notification requirement for communications service providers - to be brought in as part of Directive 2009/136/EC amending the E-Privacy Directive - may prove particularly so. It is, indeed, "the first law of its kind in Europe".
To facilitate the effective implementation of the notification requirement, ENISA compiled the current report, informed by feedback from regulatory authorities, industry and legal experts, to identify challenges, good practices and potential solutions. Specifically, the report includes analysis and views on the following:
- The current understanding and adequacy of the definition of "personal data";
- The timescale for undertakings to notify the relevant data protection authority of a data breach;
- The information required to be notified to the relevant authority;
- The circumstances under which notification to customers affected by a data breach will be appropriate;
- How compliance with the notification requirement is to be sought; and
- Whether there is a need to have a data breach audit mechanism in place, as well as a notification requirement.
The introduction of mandatory data breach notification will require considerable preparation from all stakeholders. However, it is hoped that further clarification and support will ensure that this requirement works as effectively as possible for service providers, data protection authorities and users.
The full text of the report can be accessed by clicking here.