Under the so-called e-Privacy Directive, providers of publicly available electronic communications services (primarily telecom providers and ISPs) are obliged to notify the competent national authorities and, in certain cases also the subscribers and individuals concerned, of personal data breaches. In order to ensure consistency in the implementation of this notification obligation by the EU Member States the European Commission has adopted technical implementing measures in form of a Regulation No 611/2013 on the notification of personal data breaches in the electronic communication sector which entered into force on 25 August.
The Regulation, which has direct effect in all EU Member States, specifies the circumstances, the format and procedures applicable to these notification requirements under the e-Privacy Directive in case of personal data breaches (that is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the EU).
With respect to the notification obligation vis-à-vis the competent national authority, the most important elements of the Regulation include:
- the obligation to notify no later than 24 hours after the detection of the personal data breach (such detection requiring sufficient awareness);
- the content of the notification which is specified in Annex I, covering information concerning the identification of the provider, information on the breach as well as possible notification to subscribers or individuals and cross-border issues.
- the possibility to make an initial notification, followed by a second notification (usually within three days) to provide missing information.
- the possibility to make the notification electronically (for example, the French data protection authority (the CNIL) offers such possibility on its website).
- the obligation of competent national authorities to inform other national authorities concerned.
Under the e-Privacy Directive, subscribers or users must only be notified when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual. In this respect, the Regulation specifies in particular:
- the circumstances to be taken into account when assessing whether there is such a likely adverse effect, namely, the nature and content of the personal data concerned (examples listed include financial information, sensitive data, location and e-mail data), the likely consequences of the breach (examples include identity theft and fraud) and the circumstances of the breach (for instance, whether data has been stolen);
- that notification shall be made without undue delay.
- the content of the notification in Annex II, which is more limited in scope than the notification to the competent authority. Such notification shall be in a clear and easily understandable language and should not be associated with information about another topic.
- the possibility to delay the notification (where the notification may put at risk the proper investigation, requiring prior approval of the authority).
- the manner in which notification shall generally be provided (for instance, ensuring prompt receipt of information and the possibility to inform via the media).
- further requirements regarding technological protection measures (for example, encryption and hashing provided certain conditions are met) the implementation of which exempts the providers from the notification obligation.
The Regulation also imposes a statutory obligation on other providers to which parts of the provision of the electronic communications service has been outsourced. Such providers must immediately inform the service provider who has a direct contractual relationship with the subscribers in case of a personal data breach.
The European Commission considers this Regulation to be fully consistent with the obligation on all controllers to notify personal data breaches as proposed in its General Data Protection Regulation (the “GDPR”). This Regulation is therefore indicative of the approach that the European Commission is likely to take in case the GDPR is adopted (and possibly also for the draft Directive on network and information security). However, at that time, it may already benefit from the statistical data that the competent national authorities will maintain of the notified personal data breaches under this Regulation.
In order to be able to comply with their notification obligation within the short time limits imposed by the Regulation, providers of publicly available electronic communications services must put in place the necessary procedures and policies, such as incident reporting policies, designation of contact points and training of employees.