So the European Council has finally approved amendments to the “E-Privacy” Directive (Directive 2002/58/EC) which will introduce a formal data security breach notification obligation for providers of telecommunications services.
This brings a temporary end to the wrangling which saw the European Parliament pushing for the notification requirements to extend also to providers of other information society services. However, “temporary” is the operative word, as the amending Directive makes it clear in its recitals that the Commission should in the meantime be working with the European Data Protection Supervisor to “encourage” the application of the principles embodied in the new rules throughout the Community, regardless of sector or the nature of the personal data involved.
I said in my post on the California law position a few weeks ago that flexibility and proportionality are key if data breach notification is to fulfil its purpose. For that reason, the march towards wide-ranging mandatory breach notification requirements in Europe in itself doesn’t fill me with quite as much enthusiasm as might be expected of a conscientious data protection lawyer.
However, the approach taken by the new legislation is encouraging. The obligation will be to notify the Information Commissioner without undue delay of a data security breach, and to notify any data subject only if the breach is likely to adversely affect that person’s personal data or privacy. And the telecoms provider will be relieved of the obligation to tell data subjects if it can show that the data affected by the breach was protected by appropriate security measures, rendering the data “unintelligible” to anyone not authorised to access it. So, in theory, this approach means that the information overload/breach fatigue which I discussed in my earlier post could be restricted to the Information Commissioner, with data subjects only finding out about incidents where there is a real risk that they may be adversely affected.
Of course there is still a risk that cautious data controllers will tell data subjects anyway, regardless of the likelihood of their being affected. But there is a right in the new legislation for the Information Commissioner to effectively make this judgment for the data controller and order it to tell data subjects if it hasn’t already done so. Whilst that right doesn’t excuse a failure on the part of the controller to make the right decision on this in the first place, there is perhaps at least some scope for this mechanism to curb unnecessary notification in practice. Time will tell.
On November 13, 2009