European Data Privacy Supervisor Issues Press Release on ePrivacy Directive

The EDPS titled its press release as “improvements on security breach, cookies and enforcement, and more to come.”  It expanded on this theme with the following: 

• For the first time in the EU, a framework for mandatory notification of personal data breaches.  Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them.  Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation.  The notification will include recommended measures to avoid or reduce the risks.  The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;

• Reinforced protection against interception of users’ communications through the use of – for example – spyware and cookies stored on a user’s computer or other device.  Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;

• The possibility for any person negatively affected by spam, including ISPs, to bring effective legal proceedings against spammers; and

• Substantially strengthened enforcement powers for national data protection authorities.  They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

These provisions could impose substantial new requirements for industry.  The data breach requirement in particular could lead to heightened security for all companies – after a 26 October seminar on data breach protection, the EDPS stated: 

data controllers, together with other stakeholders, [must] adopt proper risk management in order to appropriately mitigate the risk of such breaches.  It was stressed that this will not only require technological solutions but also organisational measures, including increasing the responsibility of the highest management levels of entities concerned.  They should also promote the development of adequate safeguards and facilitate a more transparent distribution of responsibilities.

 In light of this emphasis on the new provisions, it will be necessary in the near term to consider company procedures on data protection and breach notification, to the extent that a company or its affiliates provide public electronic communications services.

Authored by Gerry Oberst