Directive 2002/58/EC (or “e-Privacy Directive”), which defines the restrictions that apply to the protection of personal data in the context of wire or Internet communications, was amended in late 2009. This amendment establishes the first mandatory security breach disclosure regime for the European Union and will soon be reflected in the national laws of the EU and EEA Member States.
While this new security breach disclosure regime affects only providers of publicly available electronic communication services, it is likely that it will be the foundation for defining a security breach disclosure framework that applies to other personal data holders.
For example, when amending their national laws, some of the EU Member States may opt to apply this security breach disclosure regime to the entire spectrum of data controllers and data processors, rather than limiting it to the smaller subset of electronic communication service providers that are subject to the ePrivacy Directive. Further, when the 1995 EU Data Protection Directive is revised, it should also be expected that the security breach provisions of the ePrivacy Directive (as amended) will, at a minimum, serve as a starting point.
The amendments must be implemented in each of the national laws of the Member States of the European Union and the European Economic Area by June 2011.
1. 2009/136/EC Directive
Directive 2009/136/EC entered into force on December 19, 2009. This directive amends and supplements the ePrivacy Directive, i.e., Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.
2. Security Measures
a. 2002 Draft
The 2002 version of the ePrivacy Directive requires covered entities to ensure adequate security. These provisions have been enhanced by the 2009 Amendment.
Under Article 4(1) of the e-Privacy Directive, Member States' national laws must require publicly available electronic communications service providers to take appropriate technical and organizational measures to safeguard the security of their services. If necessary, these security measures must be taken in conjunction with the providers of the public communications network with respect to network security.
These security measures must take into account the developments in technologies, the new risks created by new types of attacks, and the cost of implementing the measures in relation to the risks. Security is appraised in light of Article 17 of the 1995 Data Protection Directive.
Article 17 of the 1995 Data Protection Directive requires the implementation of “appropriate technical and organizational measures” to protect personal data against accidental or unlawful destruction, accidental loss, alteration, or unauthorized disclosure of, or access to, personal data. In addition, when the processing is carried out by a subcontractor, the data controller must:
* Conduct due diligence before entering into a contract with this third party;
* Require in a written agreement that the third party act only on instructions from the data controller and use security measures to protect personal data; and
* Verify compliance with adequate and relevant security measures for so long as the data processor holds personal data on behalf of the data controller.
b. 2009 Additional Requirement
The 2009 Directive supplements Article 4(1) of the ePrivacy Directive with specific and precise instructions. The new Article 4(1a) directs that the security measures must:
* Ensure that personal data can be accessed only by authorized personnel for legally authorized purposes;
* Protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure; and
* Ensure the implementation of a security policy with respect to the processing of personal data.
In addition, the 2009 Amendment grants the relevant national authorities the ability to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security that these measures should achieve.
3. Notice of Risk of Breach of Security
The concept of disclosure of a breach of security already existed in the 2002 version of the e-Privacy Directive. Covered entities, however, only had to notify their customers of a “risk of breach of security.” This requirement was usually fulfilled by adding a provision in the entities’ terms of service, which stated that wire or electronic communications are not secure or confidential and instructed the customers to use other communications means when transferring sensitive or valuable data. The 2009 Amendment preserves the original version of Article 4(2) of the ePrivacy Directive, but it supplements it with a more specific requirement for the disclosure of the breach of security.
Under Article 4(2) of the ePrivacy Directive, Member States' national laws must require providers of publicly available electronic communications services to inform subscribers of any special risks of a breach of the security of the network. Such risks may especially occur for electronic communications services over an open network such as the Internet or analog mobile telephony. If the risk lies outside the scope of the measures to be taken by the service provider, the provider must also inform subscribers of any possible remedies, and of the likely costs involved.
The preamble of the 2002 version of the e-Privacy Directive notes that providers of publicly available electronic communications services over the Internet should inform users and subscribers of the measures that they can take to protect the security of their communications, such as by using specific types of software or encryption technologies. This requirement to inform the subscriber, however, does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service.
4. Breach of Security
The 2009 Amendment goes beyond the mere notion of warning of a “risk of breach of security.” It defines the framework for a breach disclosure requirement that is similar to, but different from, the provisions that are in effect in the United States.
a. Personal Data Breach
The 2009 Amendment introduces the notion of “personal data breach.” The term is defined in the new Article 2(h) of the amended ePrivacy Directive as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available communications service.”
b. Notice Requirements
Article 4(3), which is introduced by the 2009 Amendment, requires providers of publicly available electronic communications services to give “without undue delay” a notice of the breach to the competent national authority. In addition, if the breach is “likely to adversely affect” the personal data or the privacy of a subscriber or individual, the service provider must also notify the subscriber or individual of the breach of security “without undue delay.”
Thus, in most instances, two categories of notices must be given:
* One to the competent national authority, and
* The other to the subscriber or individual whose personal data or privacy is likely to be adversely affected.
It is not clear whether the subscriber, once informed, has to provide notice to all individuals affected, and who would bear the cost of making this notification.
There must be a “likely adverse effect.” According to the preamble, a breach should be considered as adversely affecting the data or privacy of a subscriber or an individual if it could result, for example, in identity theft or fraud, physical harm, significant humiliation or damage to reputation.
Thus, service providers would have to conduct a risk assessment, and presumably, would have to keep track of the assessment made and the grounds for their determination that a notice to subscribers or individuals was not warranted.
This assessment must be conducted in an expedited manner. The Preamble of the 2009 Directive stresses that the provider should notify the breach to the competent national authority as soon as it becomes aware that the breach has occurred.
The competent national authority is given an important role. It may force a disclosure. If the service provider has not already notified the subscriber or individual of the breach, the competent national authority may require the service provider to do so, after the competent national authority has evaluated the likely adverse effects of the breach.
There is an exemption to the obligation to notify subscribers or individuals of a breach. This happens if the provider of publicly available electronic communications services has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures, and that these measures were applied to the data concerned by the security breach.
However, the service provider nevertheless would have to notify the competent national authority. An important aspect of this safe harbor is that the exemption applies only if the service provider has demonstrated to the competent authority that there was no adverse effect.
It should be noted, in addition, that the 2009 Directive grants the national authority the ability to require the service provider to make the notification, even if the service provider determined that it was not necessary, if the national authority has determined that the incident is likely to have an adverse effect.
In order to be able to take advantage of the exemption, the technological protection measures must be such that they render the data unintelligible to any person who is not authorized to access these data. There is no suggestion for the measures to be taken, and no specific requirement for the use of encryption. It is sufficient if the data are “unintelligible.” It is likely that the national laws implementing the Directive will interpret this term differently, which in turn might cause significant discrepancies between the applicable regimes in the Member States.
d. Content of the Notice
The Directive specifies the content of the two notices that must be given, i.e., the notice that is to be provided to the competent national authority and the notice that is to be sent to the affected subscribers or individuals. Both notices must include the following information:
* A description of the nature of the breach;
* The contact points where information about the breach can be obtained; and
* Recommended measures to mitigate the possible adverse effects of the breach.
In addition, the notice to the competent national authority must describe:
* The consequences of the breach, and
* The measure proposed or already taken by the provider to address the breach.
Under new Article 4(4), the national laws implementing the amendment must require service providers to maintain an inventory of breaches that comprises the facts surrounding the breach, the effects of the breach, and the remedial action taken. The information must be sufficient to enable the competent national authorities to verify compliance with the notice requirements.
f. Guidelines and Implementing Measures
Given the novelty of the requirement for most European Union Member States, the 2009 amendment provides several means to facilitate the implementation of these provisions. These include the use of guidelines and instructions concerning the circumstances in which providers are required to make the notification, the format of such notification and the manner in which the notification is to be made. The 2009 Directive also suggests that implementing measures may be drafted in the future in order to specify the circumstances, format, and procedures applicable to the information and notification requirements.
The comments in the Preamble recommend that the rules concerning the format and procedures applicable to the notification of security breaches should take into account the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.
While the Directive itself does not provide for sanctions, it suggests that national laws may include appropriate sanctions for those who fail to make the required notification.
5. For More Information
For more information on the ePrivacy Directive and the 2009 Amendments, see Chapter 8 of Francoise Gilbert’s two-volume treatise Global Privacy & Security Law, available through www.globalprivacybook.com.