
New EU Regulation about notifying Personal Data Breaches enters into force – it applies to Electronic Communications Service Providers (ECPs). A Possible Future for All?

A new EU Regulation applicable to the notification of personal data breaches came into force on 25 August 2013.

Broadly, this new duty requires publicly available electronic communications service providers (ECPs) operating in the EU, such as telecoms operators and internet service providers, to notify their national authority (e.g. ICO), without undue delay, of any ‘personal data breach’.

A ‘personal data breach’ is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”

The expectation is that any such breach is reported to the relevant national authority within 24 hours of it occurring. However, companies may make an initial notification to the national authority within the 24-hour timescale and a second notification, with the further information stipulated by the Regulation, within three days of the initial notification.

In addition, ECPs must notify individuals of the breach “without undue delay after the detection of the personal data breach” if it is “likely to adversely affect [their] personal data or privacy,” “unless the ECP affected by the breach can demonstrate to its national authority that it has implemented appropriate technological protection measures.” It is expected that this will occur within 24 hours of the breach.

The Regulation details the content of what must be notified to the national authority and what must be reported to the individual(s) affected.

ECPs do not have to notify subscribers or individuals if they are able to demonstrate to their national authority that they have implemented “appropriate technology protection measures” which were applied to the data affected by the breach. Such measures must render the data ‘unintelligible’, which the Regulation defines as follows:

(a) it has been securely encrypted with a standardized algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or

(b) it has been replaced by its hashed value calculated with a standardized cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorized to access the key.
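As an added illustration of why criterion (b) insists on a *keyed* hash with an uncompromised key (this is example code, not part of the original post or of any ICO guidance), the following Python compares an unkeyed SHA-256 of a subscriber number with an HMAC-SHA256 under a random 256-bit key. The subscriber numbers and the 1000-number range are constructed sample data.

```python
"""Added example: pseudonymising subscriber numbers so the stored values meet
the Regulation's 'unintelligible' test (standardized keyed hash, uncompromised key)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: one small mobile number range, not real subscribers.
NUMBER_PREFIX = "+44 7700 900"
SUBSCRIBERS = [f"{NUMBER_PREFIX}{n:03d}" for n in (123, 456, 789)]

def unkeyed_hash(identifier: str) -> str:
    """SHA-256 alone: a standardized algorithm, but no key, so it fails criterion (b)."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: a standardized keyed hash function, as criterion (b) requires."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def generate_key() -> bytes:
    """256-bit key from the OS CSPRNG: not ascertainable by anyone without access to it."""
    return secrets.token_bytes(32)

def recover_by_enumeration(digest: str, key: Optional[bytes]) -> Optional[str]:
    """Model what a holder of a leaked hashed dataset can do: recompute the hash
    for every number in the (small, constructed) 1000-number range and compare.
    key=None means they only have the unkeyed function; otherwise they hold the key."""
    for n in range(1000):
        candidate = f"{NUMBER_PREFIX}{n:03d}"
        guess = unkeyed_hash(candidate) if key is None else keyed_hash(candidate, key)
        if hmac.compare_digest(guess, digest):
            return candidate
    return None

def evaluate(identifier: str, key: bytes) -> dict:
    """Report which storage choices leave the identifier recoverable."""
    plain, keyed = unkeyed_hash(identifier), keyed_hash(identifier, key)
    return {
        # Unkeyed hash of a low-entropy identifier is recovered: still intelligible.
        "unkeyed_recovered": recover_by_enumeration(plain, None) == identifier,
        # Keyed hash with the key kept secret: enumeration without it finds nothing.
        "keyed_without_key_recovered": recover_by_enumeration(keyed, None) is not None,
        # Keyed hash but the key leaked in the same breach: the exemption is lost.
        "keyed_with_leaked_key_recovered": recover_by_enumeration(keyed, key) == identifier,
    }

if __name__ == "__main__":
    k = generate_key()
    for s in SUBSCRIBERS:
        print(s, evaluate(s, k))
```

The third result is the practical point for incident handlers: the exemption depends on being able to show the hashing key was not itself exposed in the breach.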

However, the proposed new data protection Regulation would provide for such an obligation for all data controllers; could your organisation be confident of meeting such a requirement?

The ICO will be issuing its own guidance to ECPs shortly.
