New EU Data Breach Notification Requirements
Client Alert | 1 min read | 01.04.10
Public communications providers (ISPs and telcos) in Europe will soon be required to inform their customers and national regulatory authorities about security breaches affecting their personal data.
The European Commission hopes that the new rules will increase the incentives for better protection of personal data by providers of communications networks and services.
The new e-Privacy Directive, 2009/136/EC, enacted on December 18, 2009, amends earlier Directive 2002/58/EC. In addition to mandatory breach notification, communications providers are also required to implement a security policy, adopt measures to restrict access to personal data, and to protect against data breaches. National data protection authorities are given authority to audit compliance with these measures.
Where there is a personal data breach, notice must be given to the national regulator "without undue delay" -- a phrase that is not defined in the Directive. A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service." This definition tracks directly the language of state security breach notification bills that exist in nearly every state in the United States.
In addition to the national regulator, customers must also be informed without undue delay of any breach that is likely to adversely affect their personal data or privacy, unless the communications provider can demonstrate to the national regulator that the information was protected by a technological measure that would render it unintelligible to those with unauthorized access, e.g. encryption.
The new e Privacy Directive must be implemented into national law in the EU member states by May 2011.
Contacts
Insights
Client Alert | 5 min read | 08.04.25
The Belgian federal government has taken two decisive steps in the implementation of its reform agenda. First, the adoption of the so-called Summer Agreement on July 21 outlines an ambitious fiscal and social overhaul. Second, the long-awaited Program Act was approved during the night of July 17 to July 18 and introduces a historic limitation on unemployment benefits. Together, these measures significantly redefine the Belgian labor market ecosystem.
Client Alert | 2 min read | 07.31.25
A Greater Sum of Certainty: ASBCA Weighs in on when Sum Certain Defense Is Not Waived
Client Alert | 7 min read | 07.31.25
Significant Changes Are in the Works for EU Environmental, Social, and Governance (ESG) Laws
Client Alert | 6 min read | 07.30.25
The new EU “Pharma Package”: Global (Orphan) Marketing Authorization