The European Commission is putting into place new rules on what exactly telecoms operators and ISPs should do if their customers’ personal data is lost, stolen or otherwise compromised.
The purpose of these “technical implementing measures” is to ensure all customers receive equivalent treatment across the EU in case of a data breach, and to ensure businesses can take a pan-EU approach to these problems if they operate in more than one country.
Telecoms operators and ISPs hold a range of data about their customers, such as name, address and bank account details, in addition to information about phone calls and websites visited. These companies have been operating since 2011 under a general obligation to inform national authorities and subscribers about breaches of personal data (IP/11/622).
Thanks to a Commission Regulation, companies will have extra clarity about how to meet those obligations, and customers will have extra assurance about how their problem will be dealt with. For example companies must:
- Inform the competent national authority of the incident within 24 hours after detection of the breach, in order to maximise its confinement. If full disclosure is not possible within that period, they should provide an initial set of information within 24 hours, with the rest to follow within three days.
- Outline which pieces of information are affected and what measures have been or will be applied by the company.
- In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.
- Make use of a standardised format (for example an online form that is the same in all EU Member States) for notifying the competent national authority.
The Commission also wishes to incentivise companies to encrypt personal data. As such, and in conjunction with ENISA, the Commission will also publish an indicative list of technological protection measures, such as encryption techniques, which would render the data unintelligible to any person not authorised to see it.
If a company applies such techniques but suffers a data breach, they would be exempt from the burden of having to notify the subscriber because such a breach would not actually reveal the subscriber’s personal data.
European Commission Vice-President Neelie Kroes said: “Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field.”