New EU rules on personal data breach notification for telecoms and ISPs came into force recently (on 25 August 2013). European Commission Regulation (EU) 611/2013 of 24 June 2013 on the measures applicable to the notification or personal data breaches under the ePrivacy Directive (2002/58/EC) aims to ensure that telecoms operators, internet service providers and other public electronic communications service providers notify personal data security breaches consistently across the EU.
The revised ePrivacy Directive (2009/136/EC) requires telcos and ISPs to keep personal data secure and confidential and to notify relevant national data protection authorities of any breach where the affected individuals’ personal data or privacy are likely to be adversely impacted, in particular where the data is stolen, lost or accessed by unauthorised persons. The Notification Regulation requires service providers to notify the relevant national DPAs within 24 hours of detection of the breach. In addition, affected individuals must be notified without undue delay and provided with detailed information about the data breach.
Since the legislative instrument is a Regulation, it is directly applicable in each of the EU member states without the need to enact any national law. The UK Information Commissioner’s Office (ICO) says it will publish updated guidance sometime in September on the new procedure.
Breach notifications are not required where the telco or ISP can demonstrate that it had implemented appropriate technological protection, such as by using various encryption measures. The Regulation also contains annexes setting the detail of what must be notified to both the national DPAs and to individuals affected.