EC Security Breach Notification

The European Commission, Parliament and Council of Ministers have been discussing revisions to the package of Telecoms Directives for a couple of years, but now seem to be approaching a final conclusion. Once the new Directives are published, member states will have a fixed time period – normally 18 months – in which to implement them in national law.

It seems likely that the revised Directives will include a requirement on network providers to provide notifications when they suffer any incident that affects the privacy of personal data. Details of the requirements, and which providers are covered, will depend on how the Directives are drafted and transposed into national law. Three possible benefits have been suggested:

  • Informing people whose personal data may have been affected may help them to recover from any impact;
  • Informing a regulator may allow the causes and prevalence of incidents to be determined, resulting in improved practice by everyone (as with air accidents and near misses);
  • Publishing the fact that a company has suffered a security breach may shame it into improving its practice in future (this appears to be the motivation behind some American state laws in this area).

Unfortunately these objectives may be incompatible. If the effect of a notification is to “name and shame”, then organisations will be reluctant to admit to problems, thereby harming the first two objectives. Notifying users is only relevant if there is something they can do to address the problem, whereas for improving practice it is precisely the breaches with no effective remedy that are most important to learn from. It is not clear which of these will be prioritised in European legislation: a speech by the Commissioner mentions informing customers and learning lessons, but also views notification as a “negative incentive” to improve practice.

There also seems to be recognition that legislating only for communications providers is rather strange, since they hold relatively little personal information and the majority of privacy breaches have occurred in other types of organisation. The Article 29 Working Party on Data Protection and the EU Data Protection Supervisor called for the breach notification law to cover all businesses that work on-line, and it seems that both Commission and Parliament support that objective. Further legislation therefore seems likely.

Whether or not JANET and its customers are covered by the rules for communications providers will depend on how those are drafted and transposed into UK law: the Communications Act 2003 that implements the current Directives imposes different requirements on public and private networks. However it seems likely that future legislation to cover all on-line business will indeed apply to us and that developments over the next few years will be worth monitoring.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
