EU nations oppose extension of data breach notification law

The European Commission, European Parliament and Council are all considering changes to the Privacy and Electronic Communications Directive, and the issue of whether or not it should create a security breach notification requirement for companies that provide online services.

The Commission and Council have backed a notification law for telecoms firms but not for online banks, email companies or web publishers.

Security breach notification laws force companies which have lost customers' or employees' personal data to announce the loss. They are in place in most US states but not even all privacy activists agree on the requirement for the laws. The UK's Information Commissioner has expressed reservations in the past about the desensitising effect of a constant barrage of breach news.

The European Data Protection Supervisor (EDPS) and the group of EU privacy watchdogs the Article 29 Working Party have both backed the extension of the breach from telecoms firms to companies which offer services over the internet. In the discussions over the issue these are called information society service providers (ISSPs)

The Council has disagreed, though, and has proposed changed wording for the Directive which makes it clear that the notifications apply only to telecoms companies, or publicly available electronic communications service providers. It also says that the telecoms firms themselves will make the decision about whether a breach is serious enough for notification or not.

"In the case of a personal data breach, the provider of publicly available electronic communications services shall assess the scope of the personal data breach, evaluate its seriousness and consider whether it is necessary to notify the personal data breach to the competent national authority and subscriber concerned," said the Council's amendment.

"When the personal data breach represents a serious risk for the subscriber's privacy, the provider of publicly available electronic communications services shall notify the competent national authority and the subscriber of the breach without undue delay," it said.

This is a change to the Parliament and Commission proposals, which leave it up to the regulator to decide whether a breach is serious enough to merit notification or not.

The Article 29 Working Party had argued that it made no sense to restrict notification laws to telecoms firms when so many other companies hold citizens' personal data.

"An extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services. Online transactions including access to e-banking services, private sector medical records and online shopping are few examples of services that may be subject to personal data breaches causing significant risks to a large number of European citizens," said the Article 29 Working Party last month.

"Limiting the scope of these obligations to publicly available electronic communications services would only affect a very limited number of stakeholders and thus would significantly reduce the impact of personal data breach notifications as a means to protect individuals against risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm," it said.

The Council's views are contained in a common position on the issue which will now be debated at the European Parliament in an attempt to find a compromise that can be passed into EU law.