Home Knowledge New Pan-European Data Breach Rules for Telecos & ISPs

New Pan-European Data Breach Rules for Telecos & ISPs

July 10, 2013
Partner
Leo Moore

A new European law will unify the rules applicable to telecos and ISPs in the event of a breach of data security. The aim of this new law is to ensure consistency of approach across all member states and to clarify how companies should respond in the event of a data breach.

On 26 June 2013, the European Commission published a Regulation on the measures applicable to the notification of personal data breaches. This Regulation supplements the ePrivacy Directives in relation to data breaches, which imposed an obligation on telecos and ISPs to notify the relevant national authorities and affected individuals of the occurrence of any breach. The new Regulation imposes a short timeframe for these notifications and introduces several clarifying measures. The Regulation will enter into force across the EU two months after its publication in the Official Journal of the EU.

The main aspects of the new Regulation are:

  • Telecoms operators and ISPs must inform the competent national authorities of a data breach within 24 hours of detection of that breach.  If full disclosure is not possible in that timeframe, an initial notification should be given within 24 hours and a full notification provided, at the latest, within three days following the initial notification.
  • Individuals must also be notified of any breach that is likely to adversely affect their personal data or privacy and such notification must be done without undue delay.
  • In notifying the competent national authorities the teleco/ISP must outline the data affected and what measures have been or will be taken in response.
  • In assessing whether the data breach is likely to adversely affect the personal data of the individuals involved, regard must be had to the type of data compromised (e.g. financial information, location data, cookies etc.) and other relevant factors.
  • There is now a standardised format for notifying the competent national authorities of data breaches.
  • Notification exemptions for telecos/ISPs that implement certain technological protection measures (e.g. encryption of personal data).

For telecos and ISPs that operate in several European member states, this new Regulation should provide for consistency of approach in terms of how the authorities expect any future data breach notification requirements to be addressed. This clarity should reduce the compliance costs for affected companies and should also give individuals more clarity as to how data breach notifications should be handled by those companies that hold information relating to them.

Contributed by: David Cullen

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Partner
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all