Report on Data Breach Notifications in the EU
The E-Privacy Directive (2009/136/EC), which formed part of the EU telecommunications regulation reform package passed in November 2009, makes it mandatory for public communications providers (i.e. ISPs and telcos) to inform national authorities of any data security breaches. Member States have until 25 May 2011 to transpose this Directive. (See our Weekly Knowledge Update - 2 February 2010).
The European Network and Information Security Agency (ENISA) recently published a Report on ‘Data Breach Notifications in the EU’ which provides a review of the new mandatory notification requirement and also looks at what steps members have already taken independent of this requirement.
The Report highlights that data breach notifications are not yet mandatory in most EU countries, and consequently stakeholders are looking for information and best practices from countries that already have notification procedures, either as a mandatory law or as a code of practice. In Germany, for example, there is a legal obligation to issue notifications to both the local Data Protection Authority (DPA) and data subjects in cases of data breaches. Also, in Spain, there is a legal obligation for data controllers, as part of their security policy, to draw up provisions providing for a procedure of notification, management and response to data security breach incidents.
Meanwhile, in the UK and in Ireland, there is no legal obligation to notify the local DPA. However, in Ireland, last year, the Office of the Data Protection Commissioner issued a Data Security Breach Code of Practice and a Guidance note, which recommends notification of all security breach incidents to the DPC within two working days of becoming aware of the incident. Organisations should also give immediate consideration to notifying data subjects. Similarly, in the UK, the DPA has issued a guidance note, which recommends that it should be notified of serious breaches.
The majority of regulatory authorities surveyed by ENISA indicated their support for mandatory data breach notifications for the telecoms sector, but raised concerns about their ability to handle the workload, fearing that the number of breaches would result in a large number of investigations. They agreed that a system to prioritise notifications would be the best approach. The DPAs also raised concerns about the fact that mandatory notifications are not yet extended to other sectors of the economy, which might cause members of the public to single out telecoms operators as being less safe than other companies, since notifications will be coming primarily from service providers.
The Report identifies a number of areas that require further support at EU or national level, in order to ensure a smooth transition to mandatory notifications, including:
- Risk Assessment Guidance – so as to avoid issuing notifications for breaches that pose no risk, which would only undermine customers’ confidence in an organisation;
- Notification Threshold Criteria – to enable consistent methodology across Europe;
- Procedures for responding to a breach;
- Evaluation Period – to review how the notification process is working;
- Automation – development of an automated system of data breach notifications through a web-based form; and
- Extension of mandatory notifications to other sectors.
