{php}echo $_SESSION['the_Crumb'];{/php}

short lines

commission proposes radical change to data protection rules for isps and telcos

July 2006

On 29th June the European Commission published a consultation on a set of changes to the regulatory framework for electronic communications. Consisting of almost 200 pages of detail, most of this will be of interest only to those directly concerned with the regulation of telecoms in Europe. There is, though, one suggestion which will have a much more wide ranging and significant effect. This is the proposal to require both ISPs and network operators as "providers of electronic communications networks or services" to notify their customers, and the national regulator, of any security breaches involving personal data that occur.

Contained in a "Staff Working Document"[i] the Commission states (without giving its source) that "the market has so far failed to address security problems to the satisfaction of users". To remedy this problem it proposes to require providers of electronic communications networks and services to:

notify the relevant national regulator of any breach of security that led to the loss of personal data and/or to interruptions in the continuity of service supply. The regulator would then be able to inform the general public of the breach if they considered that it was in the public interest to do so; and
notify their customers of any breach of security leading to the loss, modification or destruction of, or unauthorised access to, customer personal data.

This would of course be a radical change to the current law, which is contained in the 2002 e-Privacy Directive[ii]. This states that providers of electronic communications services (NB:- not network operators) must inform customers only (not the regulator) of particular security risks. There is no requirement to notify security breaches.

A similar law was passed in California in 2003 (and has since been copied in 33 other States), though in that case the notification obligation is wider - it usually applies to all companies, government agencies and nonprofit organizations, regardless of geographic location, who have Californian customers. Under this law[iii] Citigroup, for example, was forced to disclose, in June 2005, that it had lost personal data including names, social security details and account history, on 3.9 million customers while data storage tapes were in transit with UPS [iv].

The introduction of a similar law throughout the EU, albeit one with a more limited scope, would clearly have very significant consequences for ISPs and for telecoms operators. It seems surprising that the Commission has made such a radical proposal without trailing it in advance with the relevant industry groups, and that it is tucked away in just a couple of pages of a large and significantly more esoteric consultation.

The consultation runs until 27th October 2006.

Mike Conradi/Calum Murray

[1] SEC(2006) 816 - found at http://tinyurl.com/nsck6 (section 7.2, page 29). This document explains in detail all of the changes to the regulation of communications in the EU which are being proposed.

[2] Directive 2002/58/EC - the Directive on privacy and electronic communications - Article 4.

[3] The California Security Breach Notification law, SB1386

[4] See http://tinyurl.com/c7jzw