This week a new breach notification regulation takes effect across the EU. Commission Regulation (EU) No 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC (the “Regulation”) sets out how Internet service providers, telecommunications providers and other providers of publicly available electronic communications services (“ECS”) must notify personal data breaches, including the timing, recipients and required content of the notification.
Under the EU e-Privacy Directive 2002/58/EC (as amended), public ECS providers are obligated to give notice of personal data breaches, defined as a breach of security leading to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Union.” Prior to the Regulation, ECS providers notified the relevant national regulator of data breaches in accordance with national laws. The Regulation aims to harmonize breach notification requirements across the EU, so that subscribers receive consistent treatment and providers can take a single, pan-EU approach to notification.
Under the Regulation, a provider must notify the competent national authority no later than 24 hours after detecting the breach, where feasible, and the notification must specify, among other items, the categories of personal data affected and the technical and organizational measures the provider has taken, or will take, to mitigate the possible adverse effects on the subscribers or individuals concerned. Where the breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider must also notify that person without undue delay. The Regulation does not require this notification to the subscriber or individual if the provider has demonstrated to the satisfaction of the competent national authority that the affected data were protected by technological measures that render them unintelligible to any unauthorized person, such as encryption with a standardized algorithm where the key was not compromised.
The Regulation is directly applicable in all EU Member States as of August 24, 2013; from that date, ECS providers must carry out breach notification in accordance with the Regulation rather than the national requirements that previously applied.