Even in the wake of the loss of 25 million UK residents' personal details last month, the Information Commissioner's Office (ICO) cautioned that a poorly drafted general security breach notification law would be counter-productive, because a large number of notifications could make citizens complacent.

The Commission has published a proposal to amend the Privacy and Electronic Communications Directive, which is designed to ensure that EU citizens' privacy is not violated in telecoms networks.

A major proposal is that telecoms companies would be subject to a security breach notification law, which would force them to tell customers when a privacy breach had occurred.

"A breach of security resulting in the loss or compromising personal data of an individual subscriber may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud," said the proposal. "Therefore, subscribers concerned by such security incidents should be notified without delay and informed in order to be able to take the necessary precautions."

"The notification should include information about measures taken by the provider to address the breach, as well as recommendations for the users affected," it said.

Some privacy advocates have argued that a security breach notification law would greatly improve awareness of privacy issues and would force organisations to be more careful with people's data, because of the threat of public shaming should they lose data or expose it to the public.

Privacy watchdog the ICO, though, has taken no firm stance on such laws and said two weeks ago that their value would be undermined if every little breach were notified, because it would desensitise the public to more serious incidents.

The proposal seemed to urge that context be taken into account in setting the rules, and that the level of danger be assessed before public notification.

"In setting detailed rules concerning the format and procedures applicable to the notification of security breaches, due consideration should be given to the circumstances of the breach, including whether or not the personal data had been protected by encryption or other means, effectively limiting the likelihood of identity fraud or other forms of misuse," said the proposal.

Most US states have such laws, and a significant number of breaches have come to light because of them.

The EU proposal has some caveats. It says, for example, that the laws should not interfere with police work. "Rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach," it said.

The Commission's proposals would also allow telecoms companies to sue spammers for the unwanted email they send over ISPs' networks.

"Electronic communications service providers have to make substantial investments in order to combat unsolicited commercial communications ('spam')," it said. "They are also in a better position than end-users in possessing the knowledge and resources necessary to detect and identify spammers."

"Email service providers and other service providers should therefore have the possibility to initiate legal action against spammers and thus defend the interests of their customers, as well as their own legitimate business interests," said the Commission proposal.
Disclaimer: We hope you find OUT-LAW's content useful. It's prepared by the lawyers at Pinsent Masons. Please remember, though, that it's intended as general information only. It's not legal advice.