The European Commission has published a new Regulation dealing with the measures that should be taken by public electronic communications service providers (such as telecoms operators and internet service providers) if they discover that a subscriber or individual’s personal data is lost, stolen or otherwise compromised. The purpose of these measures is to ensure all customers receive equivalent treatment across the EU in the case of a data breach, and allow businesses that operate in more than one country in the EU to adopt a pan-EU approach to such problems.
In the UK, it is mandatory for the providers of public electronic communications services to notify any personal data breach to the Information Commissioner’s Office without delay, and the Information Commissioner has produced a standard letter for data breach notification. Apart from this, there is no legal obligation for data controllers to disclose data breaches.
The new Regulation does not introduce a new notification requirement, but it does give additional detail for telecoms operators and ISPs on the steps they should take if their customers’ personal data is lost. If a breach of data protection is suspected, companies must:
- Inform the national authority within 24 hours of detecting the breach, where feasible
- Outline which pieces of information are affected and what measures the company has applied or will apply
- Consider, when deciding whether to notify subscribers, the type of data compromised, and in particular, for the telecoms sector, financial information, location data, internet log files, web browsing histories, email data and itemised call lists
- Notify the national authority on a standard online form that is the same in all EU member states
The Regulation is directly applicable and will come into force in member states on 25 August 2013.
The European Commission Press Release can be accessed here.