The new Commission Regulation [1] outlining the measures to be taken by service providers [2] in the event of a personal data breach has come into effect and is binding upon Member States as of the 25th of August 2013. Although telecoms and ISPs [3] in Europe have been subject to notification requirements already [4], this regulation amends and creates more burdensome obligations on the providers, with tighter deadlines and more detailed notification requirements. It is intended to ensure the protection of privacy and that any breach thereof is notified in a consistent manner across the EU.

The providers of electronic communication services are now obliged to notify the competent national authority of a breach within 24 hours from its detection. Furthermore, should the data breach be likely to adversely affect the personal data or privacy of the concerned subscriber or individual, the provider is also obliged to inform the subscriber directly. Personal data breaches are defined in the Commission Regulation [5] Preamble (2) as those ‘breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Union.’

Rules to such effect are present in Maltese law by means of the Processing of Personal Data (Electronic Communications Sector) Regulations [6], which designate the Data Protection Commissioner as the relevant national authority for notification [7]. Through the transposition of Directive 2002/58/EC [8], this Subsidiary Legislation (‘S.L.’) amended previous provisions which failed to impose any notification requirement. However, the new Regulation [9] supersedes these rules by introducing new timeframes and information content for notification from 25th August 2013, going a step further than the current S.L.’s requirement of simple notice without undue delay. This requirement had been enforced on a national level since 1st January 2013, when L.N. 239 of 2011 came into effect. [10]

The content of the information to be passed on to the competent national authority, listed in Annex I, includes the provider’s identification, the time and circumstances of the breach, the nature and content of the personal data concerned, any measures applied by the provider to protect this data, and the likely consequences of the breach.

If the required information is not available immediately, a second notification is to be made within three days of the first notice, including more detailed information describing the incident, the subscribers involved, the risks to which they are exposed, and the actions taken to mitigate potential adverse effects.

If the provider is then still unable to provide all information within this timeframe, a reasoned justification as to the late notification of remaining information must be presented.

The information which must be presented to the subscriber is listed in Annex II and is similar to that required on first notification to the national authority. This notification is to be made without any undue delay; no other restrictive timeframe is applied in this scenario.

However, if the provider can prove, to the satisfaction of the competent national authority, that appropriate technological protection measures were implemented in relation to the concerned data, it will not be required to notify the subscriber or individual concerned. These technological measures must ensure that the data is rendered unintelligible to anyone not authorised to access it, such as through encryption or destruction of the data.

In practice these Regulations impose a significant burden on providers. Twenty-four hours may in fact be too short a timeframe from the service provider’s perspective, especially where the provider is not immediately aware of the breach and must first carry out an investigation to establish whether a breach was committed and what its source was. Realistically, it will be difficult in most situations to comply with this timeframe.

By Dr. Annelise Abela

  1. No 611/2012 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications, OJ L 173, 26.6.2013, p. 2.
  2. Ibid., Article 1 ‘providers of publicly available electronic communications services.’
  3. Internet Service Providers.
  4. Directive 2002/58/EC (as amended by Directive 2009/136/EC) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37.
  5. Measures applicable to the notification of personal data breaches (n 1).
  6. Subsidiary Legislation 440.01.
  7. Ibid., Article 3A.
  8. As amended by Directive 2009/136/EC.
  9. Measures applicable to the notification of personal data breaches (n 1).
  10. L.N. 24 of 2013.