The European Commission has thrown open the debate on refinements to laws on reporting data breaches
The European Commission is seeking advice from telecoms operators and Internet service providers on whether new rules on data protection breaches are necessary.
The recently revised ePrivacy Directive requiring operators and ISPs to report personal data breaches ‘to customers and national authorities without undue delay’ came into force in May.
To refine the directive, the EC is now seeking input from those working under it on their experience with the new rules.
It is considering whether additional rules are necessary to clarify when breaches should be reported, the procedure for doing so and the formats to be used.
Commission Vice-President for the Digital Agenda Neelie Kroes said: “The duty to notify data breaches is an important part of the new EU telecoms rules. But we need consistency across the EU so businesses don’t have to deal with a complicated range of different national schemes.”
Design by committee
The EC hopes to receive input on, among other things, what types of breaches should trigger notification and examples of methods for ensuring data is unintelligible should it be compromised.
It is also interested in cross-border breaches and compliance with additional related EU regulations.
The revised ePrivacy Directive covers personal information such as name, address and bank account details, in addition to information about phone calls and websites visited.
Rob Rachwald, Director of Security Strategy at Imperva, welcomed what he called the prescriptive approach to rule making as a step in the right direction.
He said: “Governments today are approaching cyber security laws and regulations in an overly heavy-handed fashion. Hackers are, by definition, early adopters, and government and private industry require an organic approach which enables constant adjustment.”
Contributions are being accepted until 9 September.