European Commission In Favor Of Security Breach Requirements
Client Alert | 1 min read | 09.15.06
The European Commission recently announced in a public consultation concerning the review of the EU telecom regulations that it favors adopting security breach notification requirements for network operators and electronic service providers, similar to the requirements contained in laws passed by more than 30 states in the U.S. in the last two years. If the Commission proposal finds acceptance within the broader political community, it could have important consequences for the communications sector, create important compliance issues and expose the sector to adverse publicity and associated liabilities. Analogous obligations may spill over to other business sectors, particularly to businesses that process sensitive personal information, such as, for instance, the banking and insurance industry, as well as the health-care sector.
The current EU Directive 2002/58 on privacy in the electronic communication sector (the E-Privacy Directive) imposes a notification requirement upon electronic communication service providers "in case of a particular risk of a breach of the security of the network […]" (Article 4 (2) of the E-Privacy Directive, stress added). An existing Directive does not directly require such service providers to notify of [or "in the event of"] actual security breaches. The general EU Data Protection Directive 1995/46 does not contain a security breach notification obligation either, as it only sets forth only general technical and organizational security and confidentiality requirements.
The Commission believes that "a requirement to notify [individuals of] security breaches would create an incentive for providers to invest in security but without micro-managing their security policies." If the proposal becomes effective, network operators and electronic service providers will be required to: (i) notify the National Regulatory Agency (NRA) of any security breach resulting in the loss of personal data and/or that may cause the interruption of the services', and (ii) notify customers of any security breach leading to the loss, modification or destruction of, or unauthorized access to, personal customer data.
Corporations and stake-holders can participate in the public consultation until October 27, 2006 by sending their opinions or position papers to the European Commission.
Insights
Client Alert | 3 min read | 06.12.26
DOJ Guidance Backs Away From Disparate Impact Liability
On June 9, 2026, the U.S. Department of Justice (DOJ) issued a formal opinion concluding that the Equal Opportunity Employment Commission’s (EEOC) existing interpretations of Title VII of the Civil Rights Act of 1964 (Title VII) disparate-impact liability, including the Uniform Guidelines on Employee Selection Procedures (UGESP), are unconstitutional. According to the opinion, EEOC’s prior interpretations contemplate liability based on disproportionately adverse effects alone, without regard to an employer’s likely intent, rather than treating disparate impact as an evidentiary mechanism to “smoke out” intentional discrimination. DOJ found that this approach functions as a “qualified racial-proportionality mandate” that places “a racial thumb on the scales, often requiring employers to evaluate the racial outcomes of their policies, and to make decisions based on (because of) those racial outcomes.” The opinion fulfills one mandate of Executive Order 14281, which rejected disparate-impact liability insofar as it “creates a near insurmountable presumption that unlawful discrimination exists wherever there are any differences in outcomes among different [demographic groups].”
Client Alert | 4 min read | 06.12.26
Auto Dealers: The FTC Is Back in the Driver’s Seat — Warning Letters Signal Renewed Federal Scrutiny
Client Alert | 13 min read | 06.12.26
Client Alert | 4 min read | 06.12.26
