The EU’s Regulation on the notification of personal data breaches dated 24 June 2013 came into force on 25 August 2013.
The new Regulation applies to all providers of publicly available electronic communications services (including telecom operators, VoIP providers and ISPs), and sets new rules on notifying both regulators and customers about personal data breaches.
Under the Regulation, all providers of publicly available electronic communications services in the EU will have to inform their competent national authority within 24 hours of detecting that they have experienced a personal data breach. Depending on the member state, the competent national authority may be either the NRA or the Data Privacy Commission. In particular, an ECS provider will need to supply the regulator with a range of information about the breach, including the estimated date and time of the incident, the nature and content of the personal data concerned and how many individuals are affected. If not all of this information is known at the time, telecom companies should submit a partial initial notification within the 24-hour deadline and follow it up with a further notification containing all the required information within 3 days of submitting that initial notification, unless it is not possible to meet this second deadline. In those circumstances, companies would have to offer regulators a “reasoned justification” for their failure to meet the notification requirements on time.
In addition, operators will generally have to notify individuals affected by a personal data breach “without undue delay” in cases where the breach is “likely to adversely affect the personal data or privacy” of those individuals. To assess whether a breach is likely to adversely affect individuals’ privacy, one should take into account the type of personal data that has been breached, the likely consequences of the breach for the individuals, and the circumstances of the breach, such as whether the data has been stolen or whether the provider knows the information is in the hands of an unauthorized third party.
However, telecoms providers would be able to avoid notifying individuals if they can demonstrate to the regulator’s satisfaction that the use of “technological protection measures” has rendered the breached data “unintelligible to any person who is not authorized to access it”. An indicative list of the technological protection measures that render personal data unintelligible has not yet been published.
Guidance:
We advise clients with operations in the EU to create a unit in the organization responsible for handling personal data breaches (if one does not already exist), and/or to incorporate the new rules into the company’s data privacy policy and processes.
Link to the EU regulation: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:173:0002:0008:EN:PDF
INTERNATIONAL REGULATORY COMPLIANCE SERVICES
In partnership with The CommLaw Group, Erik De Herdt and Aztec Consult (a global information technology legal & regulatory consultancy) provide U.S. and multi-national enterprise clients with international market entry, licensure and regulatory/legal compliance advisory counsel. Erik is counsel and managing partner of Aztec Consult, located in Brussels, Belgium. He has over 12 years’ experience in virtually all aspects of international communications & technology law and regulation, serving executive officers and cross-functional teams in cloud communication providers, telecom operators, technology enterprises and information service providers.
For more information regarding European Union and other international regulations affecting telecommunications and electronic communications services, please contact Jonathan S. Marashlian at jsm@commlawgroup.com or Erik De Herdt at edh@commlawgroup.com.