EP limits data breach notification
The modification of the Privacy and Electronic Communications Directive voted by the European Parliament (EP) on 6 May 2009, as part of the second reading of the telecom package, limits data breach notification to electronic communications service providers only.
Initially, in its first reading of the telecom package last year, the European Parliament insisted on expanding the data breach notification beyond the initial provision, to online services or even public administration. This idea was supported by privacy experts such as Peter Hustinx, the European Data Protection Supervisor, who insisted on applying the system not only to "providers of public electronic communication services in public networks but also to other actors, especially to providers of information society services which process sensitive personal data (e.g. online banks and insurers, on-line providers on health services etc.)."
But in the negotiations with the Council and the European Commission on this point, the EP diluted its initial claims. Thus, the adopted text includes a mandatory obligation only for ISPs and telecoms. For the remaining categories, the Commission merely takes note of the EP's will and says that it will "initiate the appropriate preparatory work, including consultation with stakeholders, with a view to presenting proposals in this area, as appropriate, by the end of 2011. In addition, the Commission will consult with the European Data Protection Supervisor on the potential for the application, with immediate effect, in other sectors of the principles embodied in the data breach notification rules in Directive 2002/58/EC, regardless of the sector or type of data concerned."
The adopted text includes a similar recital, which notes that the "general interest for users to be notified is clearly not limited to the electronic communications sector and therefore explicit, mandatory notification requirements applicable to all sectors should be introduced at the Community level as a matter of priority."
According to the text of the Directive approved by the EP, in the case of a personal data breach the telecom operator or ISP is obliged to notify the personal data breach right away to the competent national authority. The text also says that if the data breach "is likely to adversely affect the personal data and privacy of a subscriber or an individual, the provider shall also notify the subscriber or individual of the breach without undue delay."
The EDPS considered the voted text "a satisfactory approach". He also noted that it is good to see the mandatory notification of personal data breaches, one of the core elements of the Directive, in the final text. However, he regretted that "its application is limited to ISPs and network operators. One would hope that the Commission, in consultation with the EDPS, will soon put forward proposals setting up mandatory notification requirements applicable to all sectors, as the Commission has undertaken to do in a declaration annexed to the text adopted by the EP."
The European Parliament rejected the telecom package on 6 May because of the 3-strikes-related article, which was presented in extenso in the previous EDRi-gram issue. Now the package needs to be negotiated again with the other EU institutions, but it is hard to believe that the data breach notification provisions will be modified.
Modification of the E-privacy Directive - adopted text (6.05.2009)
European Parliament abandons plan to extend data breach notification law (13.05.2009)
EDRi-gram: Data breach notification - different opinions in EU bodies?
EDPS endorses data breach notification provision in ePrivacy Directive