Privacy Advisor

Information Security Notification Laws on the Horizon

June 1, 2008

By Jan Dhont

Compared to their American colleagues, European privacy professionals have been somewhat spared from the headaches caused by information security breach notification requirements. There are, however, signs on the horizon that this tranquil European climate is about to change. The proposed amendments to the Electronic Communications Privacy Directive 2002/58—already introduced in the autumn of last year—impose security breach notification obligations for network operators and Internet service providers.

The Article 29 Working Party stated in 2006 that it was in favor of security breach notification obligations, not only for ISPs and network operators, but also for certain content and information service providers such as data brokers, online banks and other online service providers. In an opinion of April 10, 2008, the European Data Protection Supervisor (EDPS) endorsed the Working Party's position by putting its political weight behind the proposal.

The proposed amendments to the Electronic Communications Privacy Directive 2002/58 require ISPs, telecom operators and other providers of publicly available electronic communications services to notify their clients and the national regulatory authority of information security breach incidents. As the text is currently formulated, the exact triggers and modalities of the notification obligations stand in penumbra. According to the proposed texts, electronic communications service providers would need to give notice of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of electronic communication services. Electronic communication service providers would need to (i) explain to their clients the type of breach, and (ii) provide recommendations for the reduction of the potential negative effects of security incidents. Furthermore, electronic communications service providers would be bound to inform national regulatory authorities about (i) the consequences of the breach, and (ii) the actions taken by the service provider to "address the breach."

The position of the EDPS is likely to speed up the introduction of security breach notification measures in the EU. The EDPS—represented in the Working Party—shares the view that such measures "reinforce […] the accountability of organizations, [are] a factor that drives companies to implement stringent security measures, and […] permit the identification of the most reliable technologies towards protecting information." The EDPS formally endorses the view of the Working Party that notification requirements should be imposed upon certain information services providers such as online banks, online businesses and e-health service providers. Moreover, the broadening of the scope of the notification requirements beyond the electronic communication services industry appears, indeed, to be the next logical step in the legislative process. Specifically, it can be expected that all industry sectors that process sensitive data (e.g. insurance companies, health sector and pharmaceutical companies, etc.) will be "served" next. The EDPS puts it as follows: "The EDPS views this obligation and its application to both [electronic communication service providers] and information society service providers as a first step of a development which may eventually be applied to all data controllers in general."

The information security measures as currently formulated in the proposal are not an example of legislative precision; for instance, it is not entirely clear exactly what incidents qualify as security breaches, the conditions and timing under which notices must be served, etc. These operational aspects will be dealt with in separate secondary legislation. It can only be hoped that political consensus can be reached on implementation measures that are granular enough to allow service providers to roll out pan-European action plans. Leaving too much latitude to the EU member states risks compromising harmonization and would add an unnecessary level of complexity to pan-European security breach notification strategies.

It is expected that public consultations will be organized by the Commission for the purpose of learning from (mainly U.S.) industry's experience in this field, as well as from public actors such as Data Protection Authorities and the European Network and Information Security Agency (ENISA).

The exact parameters of the change with respect to breach notifications in Europe will become clear in the months to come. The proposed amendments are, however, not yet final. The Council is slated to debate the text on June 12, 2008, and the European Parliament will hold a first reading on July 8, 2008.

Jan Dhont is a partner at Lorenz in Brussels. Reach him at j.dhont@lorenz-law.com.