On June 24th, 2013, the European Commission adopted a new Regulation No 611/2013 (the “Regulation”) on the measures applicable to the notification of personal data breaches under the Directive 2002/58/EC (the “ePrivacy Directive”). This Regulation came into force on August 25th, 2013.
Since the revision of the ePrivacy Directive in 2009, providers of electronic communications services to the public (mainly telecom providers and ISPs) must notify the competent national authority in Member States when a personal data breach occurs. The Regulation harmonizes the technical measures that apply to data breaches across EU Member States.
Timeline for notifying data breaches
Under Article 4(3) of the ePrivacy Directive, service providers are required to notify the regulator “without undue delay”. The Regulation makes this concrete: service providers must notify the competent national authority no later than 24 hours after the detection of a data breach, where feasible.
The Regulation specifies that a data breach is considered to be detected when the service provider has acquired sufficient awareness that a security incident leading to personal data being compromised has taken place, such that it is able to make a meaningful notification to the competent national authority. The 24-hour clock therefore starts at the point of awareness, not at the point at which the investigation is complete. This provision illustrates the need for organizations to adopt an internal incident response plan allowing them to detect, assess and respond to data breaches effectively, and to record when that awareness was reached.
Where the company handling the data has no direct contractual relationship with the end user (for example where the service provider uses another provider to perform part of the service, e.g. in relation to billing or management functions), that company is not required to notify the national authority itself, but it still has a duty to immediately inform its customer (i.e., the electronic communications service provider) when it becomes aware of a data breach. In this respect, providers of electronic communications services must ensure that this obligation is written into their agreements with such sub-providers, since the 24-hour deadline runs against the provider, not against the sub-provider.
Content of the notification to the regulator
The Regulation specifies in Annex I the information that must be included in the notification to the national authority, including: the name of the service provider, the name and contact details of the data protection officer (or another contact person within the organization), whether the notification is an initial or a second notification, and the details of the personal data breach (date and time of the incident and of its detection, the circumstances surrounding the breach, and the nature and content of the data concerned).
Two-step notification process
Where the service provider is unable to gather all the required information within 24 hours because the data breach is still being investigated, the Regulation authorizes the company to make an initial notification within 24 hours of the breach being detected, followed by a second notification as soon as possible and no later than three days following the initial notification. This second notification should complete and, if needed, update the initial notification. If the service provider is unable to provide all the information within the subsequent three day period, it must submit a reasoned justification to the national authority for the late provision of the remaining information.
Electronic procedure for notifying data breaches
The Regulation is particularly innovative in that it obliges the competent national authorities to provide a secure electronic means for the notification of personal data breaches. The Regulation states that this procedure should use a common format (such as XML), should cover the information set out in Annex I, and should be available in all the relevant languages. The purpose is to enable all service providers in the EU to follow a similar notification procedure, irrespective of their location or where the breach occurs. This provision is likely to pave the way towards a general data breach notification procedure for all data controllers once the proposed EU Data Protection Regulation comes into force.
Notification to individuals and subscribers
The Regulation clarifies the circumstances under which a data breach is likely to adversely affect the personal data or privacy of subscribers or individuals, for example, where the data concerns financial data (e.g., credit card data or bank account details), sensitive data, or certain data specifically relating to the provision of telephony or Internet services (e.g., emails, location data, Internet log files, web browsing history, and itemised call lists).
In principle, the service provider must notify the subscribers and other individuals concerned “without undue delay”. However, in exceptional circumstances the provider may delay this notification, with the national authority’s permission, where the notification may put the investigation of the data breach (e.g., a criminal investigation) at risk.
If the service provider does not possess the contact details of all the individuals who are adversely affected by the data breach, it may, as an interim measure, notify them through advertisements in major national or regional media (such as newspapers) until it is able to identify all the individuals affected and send each of them an individual notification.
Cross-border data breaches
If a data breach affects the personal data of individuals located in several EU member states, the Regulation imposes on the competent national authorities a duty to inform one another and to cooperate. One can only regret, however, that the European Commission did not go one step further by enabling a “lead” authority to act as the single point of contact for organizations that are facing a cross-border data breach. The European legislator perhaps missed a chance here to streamline the notification procedure and to remove some of the administrative burden on companies.
Direct applicability in Member States
The Regulation is legally binding and is directly applicable in all Member States, which means that in the case of a conflict between the Regulation and a national law, the Regulation must prevail.
Finally, it should be noted that the Regulation was drafted to be consistent with the proposed Data Protection Regulation so as to avoid conflicting legal provisions in the future. It is also expected that technical adjustments will be made to the ePrivacy Directive once the Data Protection Regulation comes into force.