EU Data Protection Commissioners Grouping Issues Opinion on Data Security Breaches

The EU Data Protection Commissioners grouping (the Working Party) has given an opinion on the operation of a mandatory requirement to notify national data protection regulators (such as the Irish Data Protection Commissioner) of breaches in relation to personal data. The deadline for implementation of this requirement into Irish law was 25 May 2011 but, as in many other EU jurisdictions, this deadline has not been met. We understand that implementing legislation is due to be published in June 2011.

This mandatory notification obligation requires public communications service providers (this largely refers to telecommunications and internet access service providers) to notify the national data protection regulator of personal data breaches.

The issue of personal data security breaches was recently addressed by the Irish Data Protection Commissioner, who adopted a Personal Data Security Breach Code of Practice in 2010. That code of practice applies to all data controllers.

The Working Party opinion considers how this notification requirement is currently being transposed into national law in EU member states and aims to assist national data protection regulators in achieving increased harmonisation across the EU.

The Working Party makes various recommendations to national data protection regulators including measures to increase data security and to increase coordination in the approach taken to cross-border data breaches. It further recommends that the European Commission swiftly initiates the adoption of technical implementation measures to guide member states to promote consistent implementation.

The Commission’s intention to extend security breach notification obligations beyond public communications service providers to other sectors is supported in the opinion.

The insight provided by this opinion should help streamline implementation and compliance in different member states and in this way it is likely to be welcomed, especially by data controllers engaging in cross-border activities. However, while Ireland has taken some steps via its code of practice to broaden the scope of breach notification requirements to all data controllers, the future potential widening of the notification obligation to encompass other sectors may receive a mixed response.

Contributed by Leo Moore.
