EU Announces New Data Breach Rules for Telecoms

Neelie Kroes, vice-president of the European Commission and commissioner for the Digital Agenda, has announced new "technical implementing measures" to ensure that consumers across Europe receive equal treatment from their communications providers if their personal information is compromised. Since 2011 providers have had an obligation to inform both national regulators and individual subscribers about any breaches of their personal information – but the implementation of that obligation varies from country to country.

Although a public consultation indicated “widespread stakeholder support for a harmonised approach in this area,” individual countries’ preferences differed widely. The UK would prefer that disclosure is only mandatory for serious breaches; Ireland would like disclosure within 2 days, Greece within 10 days. Now, however, says the Digital Agenda statement, the new rules have been “agreed by a committee of Member States and scrutinised by the European Parliament and Council. They are adopted in the form of a Commission Regulation, which has direct effect and requires no further transposition at national level, and will come into force two months after publication in the EU Official Journal.”

Those rules include informing the competent national authority of a breach within 24 hours of its discovery. If full disclosure is not possible within this timeframe, an initial disclosure needs to be made, with full details following within 3 more days. The notification must outline “which pieces of information are affected and what measures have been or will be applied by the company.” And the notification must be done in a standardized format identical across all member states.

"Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field”, said Neelie Kroes.

The Commission is also keen to encourage the use of encryption for personal data. To this end, “and in conjunction with ENISA, the Commission will also publish an indicative list of technological protection measures, such as encryption techniques, which would render the data unintelligible.” In principle, if the data is adequately encrypted, it will not be considered ‘lost’ even if it is stolen. “If a company applies such techniques but suffers a data breach, they would be exempt from the burden of having to notify the subscriber because such a breach would not actually reveal the subscriber's personal data,” says the Commission.

These new rules “are separate and distinct from the Commission's proposed revision of EU legal framework for data protection and the Commission's proposal for a Directive on network and information security,” concludes the announcement. Nevertheless, compulsory breach notification is part of the Commission’s proposed General Data Protection Regulation, and as such these new rules for the telecommunications industry can be viewed as a foretaste of what the Commission plans more generally.