Public consultation on personal data breach notifications
Following the public consultation on 'personal data breach notifications under ePrivacy Directive' (see below), the Commission has published the contributions received.
Deadline: Friday 9 September 2011
Telecoms operators and internet service providers normally hold a range of data about their customers, such as name, address and bank account details, in addition to information about phone calls and internet connections. In general, providers are required by EU law to keep this data confidential and secure. However, sometimes the data can be stolen or lost, or someone could gain unauthorised access to the data. These cases are known as 'personal data breaches'. Under the revised ePrivacy Directive (2002/58/EC), when a personal data breach occurs, the provider has to report this to a specific national authority, usually the data protection authority or the communications regulator. Also, the provider has to inform the subscriber or individual directly if there is a risk to personal data or privacy.
To make sure that data breaches are reported in a consistent manner across the EU, the ePrivacy Directive allows the Commission to propose 'technical implementing measures' – practical rules to complement the existing legislation – on the circumstances, formats and procedures for the notification requirements. With the transposition deadline for the revised ePrivacy Directive having passed (on 25 May 2011), the Commission has now started its preparatory work on the technical implementing measures for personal data breach notifications.
As a first step, the Commission wants to engage all relevant stakeholders – such as telecoms operators, Internet Service Providers, Member States, data protection authorities, national regulatory authorities and consumer organisations – in a public consultation process in order to gather practical input based on existing practice and initial experience with the new rules. This will help the Commission to determine whether technical implementing measures are required to ensure harmonised national measures on personal data breach notifications, and if so, what form they should take.
Respondents are encouraged to provide practical examples of how they handle data breaches and notifications in the Member State(s) where they are active. The Commission also invites organisations not directly involved in the notification process, such as consumer groups, to express their views on the issues involved, even if it may not be possible to provide answers to all questions.