PL&B International E-news, Issue 84

1. European Parliament adopts legislative resolution on data breach amendments to the European Union’s E-Privacy Directive for all sectors and all types of data

European Commissioner for the Information Society, Viviane Reding, announced on May 6th that the new E-Privacy rules “introduce mandatory notifications for personal data breaches” by providers of communications networks and services.

She was responding to the European Parliament which voted on the same day for data breach notification “regardless of sector or type of the data concerned.”

EU bodies differ on the scope of the breach notification provision. The European Commission, the Council of Ministers, the European Parliament and the European Data Protection Supervisor have all been grappling with the breach notification framework and are attempting to reach a compromise on its extent, which includes deciding:

  • Which organisations are obliged to adhere to the notification requirement?
  • When should notification be triggered – how serious should the breach be before notification is made?
  • Which branch of the EU authorities should be implementing technical measures on security breaches?

Differences of views over the data breach notification requirements are expected to be resolved in June this year by the co-decision procedure. The European Parliament’s ‘Second Reading’ on 6th May adopted a text favouring data breach notification “regardless of sector or type of the data concerned.” The text included the following statement:

“…. the notification of security breaches reflects a general interest of citizens to be informed about security failures ….. This general interest for users to be notified is clearly not limited to the electronic communications sector and therefore explicit, mandatory notification requirements applicable to all sectors should be introduced at the Community level as a matter of priority. Pending a review to be carried out by the Commission of all relevant Community legislation in that regard, the Commission, in consultation with the European Data Protection Supervisor, should take appropriate steps without delay to encourage the application of the principles embodied in the data breach notification rules in Directive 2002/58/EC (Directive on privacy and electronic communications) throughout the Community, regardless of sector or type of the data concerned.”

The above text is an extract of the full document.

Europe’s position on breach notification will soon become much clearer when the Council of Telecommunications Ministers meets next month.

Privacy Laws & Business has now published its report on Data Breach Notification Laws in Europe which covers Data Protection Commissioners' views and recommendations from 21 European countries.

You may order your copy of this report in pdf format by contacting Glenn Daif-Burns at the PL&B office.


Copyright Privacy Laws & Business 2009