The European Commission has launched a public consultation on whether additional rules are needed to ensure telecoms operators and internet service providers (ISPs) report personal data breaches in a consistent way across the EU.
The data breach notification (DBN) requirement for the electronic communications sector was introduced in the review of the ePrivacy Directive (2002/58/EC), and is regarded by the European Commission (EC) as vital to shoring up data security in Europe.
In May this year, the EC released the revised ePrivacy Directive (2009/136/EC) that requires telecoms operators and ISPs to make breaches public.
This consultation will provide the industry with the opportunity to give feedback on existing practice and initial experience with the new telecoms rules.
The EC may then propose additional practical rules to make clear when breaches should be reported, the procedures for doing so and the formats that should be used.
Neelie Kroes, Commission vice-president for the Digital Agenda, said the duty to notify data breaches is an important part of the new EU telecoms rules.
"But we need consistency across the EU so businesses don't have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses," Neelie Kroes said.
What the EC wants to know
The consultation seeks feedback on how organisations intend to comply with the data breach notification rule. The EC also seeks views on what types of breaches would require notification.
The EC wants feedback on how long organisations should be allowed to take before notifying a breach, what the notification should contain and what procedures should be used.
In addition, the Commission wants to learn more about cross-border breaches and compliance with other EU obligations relating to security breaches.
The consultation will close on 9 September 2011 and if, after considering the feedback, the EC decides to introduce technical implementing measures, this will be done in consultation with the European Network and Information Security Agency (ENISA), the Article 29 Data Protection Working Party and the European Data Protection Supervisor (EDPS).