
Opinion of EU Data Protection Commissioners on Data Security Breaches

The grouping of EU Data Protection Commissioners known as the Article 29 Working Party (the Working Party) has given an opinion on the operation of a mandatory requirement to notify national data protection regulators (such as the Irish Data Protection Commissioner) of breaches in relation to personal data. The current deadline for implementation of this requirement into Irish law is 25 May 2011.

This mandatory notification obligation requires public communications service providers (this largely refers to telecommunications and internet access service providers) to notify the national data protection regulator of personal data breaches.

The issue of personal data security breaches has previously been considered by the Irish Data Protection Commissioner who adopted a Personal Data Security Breach Code of Practice in 2010. See our article here. That code of practice has applicability to all data controllers.

The Working Party opinion considers how this notification requirement is currently being transposed into national law in EU member states and aims to assist national data protection regulators in achieving increased harmonisation across the EU.

The Working Party makes various recommendations to national data protection regulators, including measures to increase data security and to increase coordination in the approach taken to cross-border data breaches. It further recommends that the European Commission swiftly initiate the adoption of technical implementation measures to guide member states and promote consistent implementation.

The Commission’s intention to extend security breach notification obligations beyond public communications service providers to other parties is supported in the opinion.

The insight provided by this opinion should help streamline implementation and compliance in different member states, and in this way it is likely to be welcomed, especially by data controllers engaging in cross-border activities. However, while Ireland has taken some steps via its code of practice to broaden the scope of breach notification requirements to all data controllers, the potential future widening of the notification obligation into a formalised legal requirement that encompasses other actors and sectors may receive a mixed response.

Contributed by Leo Moore.