

02-11-2011 09:57 by Mandy Webster
The European Commission is currently reviewing European data protection law. In two separate speeches in June and July 2011, Vice-President Reding plainly stated that she intended to introduce a mandatory data security breach notification law as part of the review. She referred to the data security breach notification obligation introduced by the ePrivacy Directive, which currently applies only to telecommunications service providers.
The Article 29 Working Party (the advisory body to the European Commission on data protection issues) has published a Working Document (reference 01/2011, adopted 5 April 2011) on the current EU personal data breach framework, and it makes recommendations for future policy developments.
Based on the ePrivacy Directive, the Working Party identifies core elements that must be included in a data security breach notification law:
a) the definition of a data breach: it "means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed...";
b) the legal thresholds for notifying both individual data subjects and the regulatory authorities: notification is required "when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual...";
c) the content and timing of the notification: the timing should be "without undue delay". The content includes the nature of the personal data breach, contact information and measures to mitigate possible adverse effects. It should also include an outline of the steps taken to address the breach;
d) possible exceptions from the need to report a breach where technological protection measures, such as encryption, are in place.