First the European Commission, now Europe’s data privacy regulators have called for laws obliging data controllers to fess up if personal data security breaches occur. Stephen Groom reports.
Who: The European Commission and the Article 29 Working Party
When: June and September 2006
Should data controllers be legally obliged to notify data subjects and/or data protection regulators of actual or suspected data security breaches?
The topic recently exercised the European Commission and then the "Article 29 Working Party", a group of Europe's data protection authorities including the UK's Information Commissioner's Office.
Currently there is no EU-wide obligation on data controllers to go public when personal data is lost. The closest any EU measure comes is Article 4 of the Privacy and Electronic Communications Directive 2002/58. This states that providers of publicly available electronic communications services must inform subscribers about any "particular risk of a breach of the security of the network." So perhaps strangely, risks of security breaches have to be notified, not actual breaches, and then only by electronic communications service providers, not by data controllers generally.
In the U.S., California and over thirty other states have legislation obliging data controllers to notify the authorities and affected individuals where lost data includes fields such as social security numbers and credit card details.
Some European states do already have their own equivalent laws or enforcement authorities who interpret them as creating a disclosure obligation.
Germany, Hungary, Italy, Malta, Norway (ex-EU member, now EEA) and Sweden are examples, but just as the FTC is mulling federal disclosure obligations, Brussels has now taken up the issue.
First up was a Commission staff document released in June 2006 on the "Review of the EU regulatory Framework for electronic communications networks and services". Among various proposed changes was a requirement on electronic communications network and service providers to:
– notify their state data protection authority of any breach of security that led to the loss of personal data and/or to interruptions in the continuity of service supply. The regulator would have the possibility to inform the public if they considered that it was in the public interest; and
– notify their customers of any breach of security leading to the loss, modification or destruction of, or unauthorised access to, personal customer data.
Article 29 Party wades in
Then, in October 2006, the EU data protection regulators' super group, the Article 29 Working Party ("AWP"), published an opinion.
The AWP concentrated their fire initially on the lack of sanctions for telecoms operators and ISPs who failed to inform their customers about data breaches.
They then criticised the Commission's June proposals, suggesting that the categories of organisation that would be bound by the new rules were too narrow.
Along with ISPs and telecom providers, the AWP felt that "data brokers," banks and other online service providers should also be bound to disclose.
Why this matters:
It is high time the anomaly of having to come clean on data security "risks" but not actual breaches was corrected and a clear head of steam is building up for EU-wide measures. The only question is how long this will take if the proposals stay part of the wider ongoing review of the regulatory landscape for electronic communications networks and services. Maybe 2009?
In the meantime, UK data subjects do already have potential rights of action under the Data Protection Act 1998 or in contract under privacy policies if it turns out their data has been lost or compromised, while failure to take proper security measures will bring data controllers into breach of data protection principle seven.