On 24 June 2013, the EU Commission adopted a Regulation on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications (the "Regulation"). The Regulation has direct effect, will enter into force on 25 August 2013, and aims to harmonise the notification of data breaches by telecommunications companies and internet service providers.

Once in force, the Regulation will supplement the obligations of telecommunications companies and internet service providers under the e-Privacy Regulations 2011 (S.I. 336/2011) to notify the Data Protection Commissioner, and any affected data subjects, of personal data breach incidents. It does so by requiring these providers to notify the Data Protection Commissioner (or the relevant national supervisory authority) of a data breach within 24 hours of its detection, "where feasible". The current obligation under the e-Privacy Regulations is to notify the Commissioner "without undue delay", which could, in certain circumstances, be interpreted as allowing a longer timeframe than 24 hours. The Recitals to the Regulation set out some general guidance on how to manage a data breach; in particular, Recital 8 to the Regulation states that:

"neither a simple suspicion that a personal data breach has occurred, nor a simple detection of an incident without sufficient information being available, despite a provider's best efforts to this end, suffices to consider that a personal data breach has been detected for the purposes of this Regulation. Particular regard should be had in this connection to the availability of the information referred to in Annex I."

Annex I sets out the content of a notification to the supervisory authority. Article 2 of the Regulation states that:

"detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation".

If the provider is unable to furnish all of the information set out in Annex I within 24 hours, it must provide a preliminary notification within the 24-hour period and subsequently furnish the remaining information no later than 3 days from the initial notification, or provide a "reasoned justification" to the authority as to why it is not in a position to provide the remaining information.

The existing position under the e-Privacy Regulations will be maintained under Article 4, in that notification to data subjects is not required where technological measures applied to the personal data render it unintelligible to third parties. There is also no change in the timeframe for notification to data subjects from the existing regime, as the Regulation likewise requires that notification to data subjects, where required, be made "without undue delay". Annex II to the Regulation sets out the content of the notification to the subscriber or individual.

In assessing whether to notify subscribers or individuals of the data breach incident, companies and providers should take account of the following:

a. the nature and content of the data concerned, in particular where the data concerns financial information, sensitive personal data, location data, internet log files, web browsing histories, email data, and itemised call lists;

b. the likely consequences of the breach for the individual concerned, e.g. a risk of identity theft or psychological distress; and

c. whether the data has been stolen or is in the possession of an unauthorised third party.

The Commission and ENISA (European Network and Information Security Agency) will publish an indicative list of appropriate technological measures to render the data unintelligible to any unauthorised person, the use of which will exempt organisations from notifying individuals in the event of a data breach. Once this list is published, telecommunications companies and ISPs should consider whether their existing security measures are in compliance with it, so as to pre-empt a situation whereby they must demonstrate to the Data Protection Commissioner, in the event of a data breach, that the security measures applied to the data have rendered it unintelligible to third parties.

The Regulation can be viewed at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:173:0002:0008:en:PDF

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.