New EU Data Breach Notification Requirements

Public communications providers (ISPs and telcos) in Europe will soon be required to inform their customers and national regulatory authorities about security breaches affecting their personal data.

The European Commission hopes that the new rules will increase the incentives for better protection of personal data by providers of communications networks and services.

The new e-Privacy Directive, 2009/136/EC, enacted on December 18, 2009, amends earlier Directive 2002/58/EC. In addition to mandatory breach notification, communications providers are also required to implement a security policy, adopt measures to restrict access to personal data, and to protect against data breaches. National data protection authorities are given authority to audit compliance with these measures.

Where there is a personal data breach, notice must be given to the national regulator "without undue delay" -- a phrase that is not defined in the Directive. A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service." This definition tracks directly the language of state security breach notification bills that exist in nearly every state in the United States.

In addition to the national regulator, customers must also be informed without undue delay of any breach that is likely to adversely affect their personal data or privacy, unless the communications provider can demonstrate to the national regulator that the information was protected by a technological measure that would render it unintelligible to those with unauthorized access, e.g. encryption.

The new e Privacy Directive must be implemented into national law in the EU member states by May 2011.