
The Article 29 Data Protection Working Party recently published a report on the implementation of the ePrivacy Directive.
After a summary of the main elements of the personal data breach provisions in the ePrivacy Directive (Section II), the working document summarizes the personal data breach legislation in Member States (Section III). The summary is based on information provided by the national data protection authorities ("DPAs") but is not reproduced here given the evolving character of the transposition. Section IV puts forward various actions to be carried out by competent authorities and by the Article 29 Working Party towards developing internal processes and setting forth cooperation procedures. Sections V and VI focus on the new policy developments by recalling the overall scope and procedures for the expected policy actions regarding personal data breach and providing policy recommendations.
As explained in the report, the core elements set out in the ePrivacy Directive are:
a. The definition of data breach in Art. 2(i), which establishes that a personal data breach "means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community". Thus, for a personal data breach to occur, it must involve "personal data" as defined under Art. 2(a) of the Data Protection Directive. A personal data breach encompasses cases of unauthorized disclosure of or unauthorized access to personal data, but also cases of simple accidental destruction or alteration which is not followed (or is very unlikely to be followed) by unauthorized access.
b. The applicable legal thresholds to notify individuals and authorities (Art. 4(3), subparagraphs 1-2). The thresholds define when an entity suffering a breach is obliged to notify the breach to authorities and affected individuals. The ePrivacy Directive requires notification to individuals "when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual...". All data breaches shall be reported to the authorities.
c. The content and time of the notification. The time of notification to individuals, according to Art. 4(3) subparagraphs 1-2, is "...without undue delay...". As for the content of the notification, it should include the nature of the personal data breach, contact information and recommended measures to mitigate possible adverse effects. The notification to the competent national authority must also describe the steps taken by the provider to address the breach.
d. The possible exceptions relating to technological protection measures and law enforcement (Art. 4(3) subparagraph 3).