Data breach notification - different opinions in EU bodies?
(This article is also available in German)
The amendments adopted on 24 September 2008 by the European Parliament (EP) on the ePrivacy Directive include the obligation of information society services providers to notify personal data related security breaches to the national authorities. However, a recent proposal of the European Commission seems to put the amendment back on the discussion list, referring only to telecom operators for such an obligation.
Following the European Data Protection Supervisor's opinion on the ePrivacy directive in April 2008, which suggested a mandatory security breach notification from "providers of public electronic communication services in public networks" but also from other actors, such as "providers of information society services which process sensitive personal data (e.g. online banks and insurers, on-line providers on health services, etc.)", the MEP Alexander Alvaro included amendments on these aspects in the report from the Standing Committee on Civil Liberties, Justice and Home Affairs, backing a procedure to inform users in case of security breaches at service providers.
The amendments adopted by the European Parliament on 24 September 2008 include these additions to the text initially proposed by the Commission.
Amendments 187/rev and 184 now ask for an obligatory notification to the national regulatory authority, or the competent authority according to the individual law of the respective Member State, of any personal data related security breaches from any "provider of publicly available electronic communications services, as well as any undertaking operating on the internet and providing services to consumers, which is the data controller and the provider of information society services."
Other amendments adopted by the EP (124 and 125) explain the procedure following such notifications. Thus the competent authority will consider and determine the seriousness of the breach and, if the breach is serious, the provider will be obliged to send a notification to all persons that were affected.
Even though it appears that the next Council of Telecoms Ministers will agree to the EP position, the European Commission has changed the legislative texts, as a compromise between the opinions of the European Parliament and the European Council.
The new statements of the European Commission on data security are intriguing, as they discuss security breaches only in the case of telecom operators:
"The Commission reaffirms the need of telecoms operators to notify regulators and the public about security breaches. The Commission reaffirms that notifications must, as a matter of principle, be sent to the individuals affected by them and that the notification procedure must remain swift, simple and effective. In order to clarify, in an objective manner, the cases where such notifications will be required, the Commission will, under the new legislative text, give more detailed guidance as to the circumstances of a breach that would trigger a notification."
Since no official documents have yet been provided on the European Council website regarding the next Council of Telecoms Ministers meeting on 27 November 2008, it is unclear whether there will be an attempt to disregard the European Parliament's opinion in this respect. In any case, the EP will have a second reading on the telecom package, which is scheduled for April 2009.
Telecoms Reform: Commission presents new legislative texts to pave the way for compromise between Parliament and Council (7.11.2008)
European Parliament legislative resolution on ePrivacy directive
Documents for the Council of Telecoms Minister on 27 November 2008
EDRi-gram: ePrivacy Directive debated in the EP's Civil Liberties Committee
EDRi-gram: EDPS endorses data breach notification provision in ePrivacy