From: EMD Advocates
Article by Annelise Abela
The new Commission Regulation [1] outlining the measures to be taken by service providers [2] in the event of a personal data breach has come into effect and is binding upon Member States as of the 25th of August 2013. Although telecoms and ISPs [3] in Europe have already been subject to notification requirements [4], this regulation amends and creates more burdensome obligations on the providers, with tighter deadlines and more detailed notification requirements. It is intended to ensure the protection of privacy and that any breach thereof is notified in a consistent manner across the EU.
The providers of electronic communication services are now obliged to notify the competent national authority of a breach within 24 hours of its detection. Furthermore, should the data breach be likely to adversely affect the personal data or privacy of the concerned subscriber or individual, the provider is also obliged to inform the subscriber directly. Personal data breaches are defined in the Commission Regulation [5], Preamble (2), as those ‘breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Union.’
Rules to such effect are present in Maltese law by means of the Processing of Personal Data (Electronic Communications Sector) Regulations [6], which designate the Data Protection Commissioner as the relevant national authority for notification [7]. Through the transposition of Directive 2002/58/EC [8], this Subsidiary Legislation (‘S.L.’) amended previous provisions which failed to impose any notification requirement. However, the new Regulation [9] supersedes these rules by introducing new timeframes and information content for notification from 25th August 2013, going a step further than the current S.L.’s requirement of simple notice without undue delay. This requirement had been enforced on a national level since 1st January 2013, when L.N. 239 of 2011 came into effect. [10]
The content of the information to be passed on to the competent national authority, listed in Annex I, includes information regarding the provider’s identification, the time and circumstances of the breach, the nature and content of the personal data concerned, any measures applied by the provider to protect this data, and the likely consequences of the breach.