
The Emerging European Union Security Breach Legal Framework: The 2002/58 ePrivacy Directive and Beyond

Chapter in: Data Protection in a Profiled World

Abstract

This chapter analyses the security breach notification framework as it is being established under the revised ePrivacy Directive. The chapter first looks at the need for a breach notification requirement, as well as the principles and purposes underpinning the new EU security breach notification framework. Second, it analyses the main elements of the new EU provisions, including (i) the scope of the obligation to notify, (ii) the notification criteria, timing, content and means of providing notice, and (iii) the enforcement provisions. The chapter also undertakes to compare this new framework with current breach notification requirements in the US. The last section discusses the future steps, including the expected forthcoming implementing measures complementing the present framework.


Notes

  1.

    Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No. 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

  2.

    The new rules will have to be transposed into national law by the 27 Member States by 25 May 2011.

  3.

    COM (2007) 698 final (“Citizens’ Rights Directive”) which in addition to the ePrivacy Directive also includes proposed changes to Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and Regulation (EC) No. 2006/2004 on consumer protection cooperation. While the proposal contained amendments also to two other Directives, for simplicity we will refer directly to the ePrivacy Directive, not the Citizens’ Rights Directive.

  4.

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

  5.

    Article 4 of the ePrivacy Directive includes an obligation to notify subscribers in cases of risk of a breach of the security of the network: “In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.”

  6.

    For an overview of the German law, see e.g. Hunton & Williams, “Germany Adopts Stricter Data Protection Law: Serious Impact on Business Compliance”, http://www.hunton.com/files/tbl_s10News/FileUpload44/16482/germany_adopts_stricter_data_protection_law.pdf.

  7.

    Stewart Dresner and Amy Norcup, “Data Breach Notification Laws in Europe”, Report on Privacy Laws & Business, (8 May 2009), 14 f.

  8.

    Situation as of 27 July 2009. The laws can be found here: http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.

  9.

    The bill can be found here: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h2221ih.txt.pdf. The bill would also introduce requirements for those owning or possessing data to establish policies and procedures regarding information security practices for the treatment and protection of personal information. As regards the effect on state law, the bill provides that it “supersedes any provision of a statute, regulation or rule of a State … with respect to those entities covered by … this Act”. Later proposals are pending, see e.g. http://threatpost.com/en_us/blogs/two-data-breach-notification-bills-advance-senate-110609, but not addressed here.

  10.

    The proposals forming the telecoms package as well as the impact assessment and other relevant documentation can be found here: http://ec.europa.eu/information_society/policy/ecomm/library/proposals/index_en.htm.

  11.

    The relevant documents produced by the European Parliament, Council and Commission during the legislative process can be found here: http://www.europarl.europa.eu/oeil/file.jsp?id=5563642, here: http://www.europarl.europa.eu/oeil/file.jsp?id=5563972 and here: http://www.europarl.europa.eu/oeil/file.jsp?id=5563982.

  12.

    The European Parliament reinstated the so-called Amendment 138, which refers to “three strikes” schemes.

  13.

    While the changes to the ePrivacy Directive are introduced through the separate Citizens’ Rights Directive, to facilitate understanding this paper, as mentioned, refers directly to the ePrivacy Directive where possible. References to Articles therefore are to, and follow the numbering of, that Directive unless otherwise stated. References herein to recitals are to recitals to the Citizens’ Rights Directive, unless otherwise stated. The text of the Citizens’ Rights Directive as adopted by the European Parliament on 6 May 2009, which includes the Commission declaration referred to under Sect. 5.8.3 below, can be found here: http://www.europarl.ep.ec/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P6-TA-2009-0360+0+DOC+XML+V0//EN&language=EN. The final text is available here: http://eurlex.europa.eu/JOIndex.do?year=2009&serie=L&textfield2=337&Submit=Search&_submit=Search&ihmlang=en.

  14.

    At a high level, the Commission impact assessment, SEC (2007) 1472, indicates the following advantages and disadvantages on p. 115: “On the other hand, notification to individuals on occasions where their personal data had been compromised could potentially discourage certain groups from using new technologies altogether or limit their use to the absolute minimum. However, this possible negative effect could be counter-balanced by the experience of empowerment and ‘being in control’, at least with respect to personal data.”

  15.

    “Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.”

  16.

    Article 4(1): “The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.”

  17.

    The text added to the ePrivacy Directive reads: “Without prejudice to Directive 95/46/EC, the measures referred to in paragraph 1 shall at least: – ensure that personal data can be accessed only by authorised personnel for legally authorised purposes; – protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and – ensure the implementation of a security policy with respect to the processing of personal data.” The new provisions in the Framework Directive (Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services) require providers to notify the authorities of any breach of security or integrity having a significant impact on the operation of the network or services.

  18.

    Cost estimates relating to 2007, while difficult to interpret, are USD 197 for the US and GBP 47 for the UK, in both cases per record compromised (2007 Annual Study: U.S. Cost of a Data Breach and 2007 Annual Study: U.K. Cost of a Data Breach, published by PGP and Symantec for the US and PGP and Vontu for the UK, both based on research by the Ponemon Institute). The Ponemon Institute also indicates the average cost of a data breach in Germany in 2008 as EUR 112 per record compromised, http://www.pgp.com/insight/newsroom/press_releases/2008_annual_study_germany_cost_of_data_breach.html. For the UK and Germany, these estimates of course do not take into account a mandatory breach notification requirement. The New York State Consumer Protection Board’s Business Privacy Guide (October 2008) indicates an average cost for the provider of each breach incident of USD 192. The Commission’s Impact Assessment does not attempt to particularise costs.

  19.

    This could be viewed as an argument for a data breach notification obligation already being imposed by the information principle as laid down in existing EU data protection law.

  20.

    See P.M. Schwartz and E.J. Janger, “Notification of Data Security Breaches”, Michigan Law Review 105 (March 2007): 913, 916 “… seek to punish the breached entity and protect consumers …”. The aim of punishing the breached entity may be dominant, idem p. 957: “Notification letters have the potential to (1) create a credible threat of negative costs or other punishments for the firm…” and 917: “…notification serves another, often overlooked function: it can help … consumers … mitigate the harm caused by a leak”. The federal bill discussed above under Sect. 5.1.1 states that its purpose is “to protect consumers by requiring reasonable security policies…to protect personal information, and to provide for nationwide notice in the event of a security breach”.

  21.

    See Recital 10 to the Framework Directive, Recitals 6 and 16 to the ePrivacy Directive and Recital 13 to Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. Eleni Kosta and Peggy Valcke, “Retaining the Data Retention Directive”, Computer Law and Security Report 22 (2006): 374, discuss problems relating to the definition of electronic communications services, in particular in relation to webmail.

  22.

    Compare Recital 55. See also the elaborate analysis in Ofcom’s Regulation of VoIP Services, paragraphs A.5.39–45: http://www.ofcom.org.uk/consult/condocs/voipregulation/voipstatement/voipstatement.pdf.

  23.

    Compare the distinction made in Recital 47 of the Data Protection Directive. That recital establishes that the controller for traffic data relating to an email is the provider whereas the controller with respect to the content of the same email is the sender.

  24.

    Working Party 29 was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of the Data Protection Directive and Article 15 of the ePrivacy Directive.

  25.

    EDPS Second opinion of 9 January 2009 on the review of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, Official Journal C128 (06 June 2009): 28); Working Party 29 opinion 2/2008 on the review of the Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive), adopted on 15 May 2008. The issue of a broader scope was raised by the EDPS in his first opinion of 10 April 2008, Official Journal C181 (18 July 2008): 1. The EDPS opinions are available here: http://www.edps.europa.eu/EDPSWEB/edps/site/mySite/pid/82 and the Working Party 29 opinions here: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2009_en.htm.

  26.

    COM (2008)723 final, p. 17.

  27.

    The Commission impact assessment, see footnote 15, reports on p. 115 that 64% of Europeans responded positively to the proposition that they would like to be informed “in all circumstances” if their personal data (such as name, address and credit card details) were lost. The question asked was not limited to telecom providers: “Companies like telecom providers collect personal data such as name, address and credit card details. In case any of your personal data was lost, stolen or altered in any way, would you like to be informed or not?”, Special Eurobarometer 274, E-communications household survey, July 2006, http://ec.europa.eu/information_society/policy/ecomm/library/ext_studies/index_en.htm.

  28.

    Article 2(a) of the Data Protection Directive: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. The issue as to whether and when e.g. IP addresses are personal data is discussed at length elsewhere and not addressed here. See generally on the concept of personal data e.g. Working Party 29 opinion 4/2007 and specifically with respect to IP addresses, Peter J. Hustinx, “Protection des données à caractère personnel en ligne: la question des adresses”, Légicom 42 (1) (2009): 1–9.

  29.

    Compare, for a more limited approach, the type of data covered by the US bill referred to under Sect. 5.1.1 above, namely personal information consisting of name, address or phone number in combination with e.g. a social security number or other additional identifier.

  30.

    See, regarding state laws, Lisa J. Sotto and Aaron P. Simpson, “A How to Guide to Information Security Breaches”, Privacy and Security Law Report 6 (14) (2007): 559–62.

  31.

    The US bill referred to above requires unauthorized acquisition of the personal information. A US commentator argues against the application of mandatory notification in circumstances where the data merely could have been accessed, even if there is no evidence that they have been. See Fred H. Cate, “Information Security Breaches. Looking Back & Thinking Ahead”, The Centre for Information Policy Leadership (2008), 5.

  32.

    The revised ePrivacy Directive does not contain provisions requiring a data processor to notify the covered entity in case of data breach. Although the obligation to notify does not arise until the breach is known by the covered entity, it might still want to consider including such a requirement in its contract with the processor.

  33.

    Opinion 1/2009 of 10 February 2009: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp159_en.pdf.

  34.

    As regards the action required by the authorities, see Sect. 5.7.2 below.

  35.

    See e.g. the second EDPS opinion referenced in footnote 25, at §§ 35 and ff.

  36.

    Such a global assessment may for example conclude that there is no likelihood of adverse effect if a password-secured laptop (see footnote 39 below re adequacy of password protection as a technological protection measure) has been stolen but quickly recovered and investigation shows that the information was not accessed. Compare guidelines issued by the New Zealand Privacy Commissioner available here: http://www.privacy.org.nz/privacy-breach-guidelines-2/. P.M. Schwartz and E.J. Janger, op. cit. 937 ff, quote an example from 2005, where a courier service lost a backup tape containing personal data for around two million persons. The tape was found after one month, and no third party had gained access to it. As the EU rules do not allow a delay in notification lasting for one month, notification would have had to be given.

  37.

    Compare the ECJ judgment of 7 September 2004 in case C-127/02 regarding the Habitats Directive. The Court found that a requirement of “likely to have a significant effect” means that a “mere probability”, “probability” or “risk” is enough, and that the requirement, in light of the precautionary principle applicable in environmental law, is met “if it cannot be excluded on the basis of objective information” that there will be significant effects. See also the interesting discussion in the AG Kokott opinion at paras 61–74. It is submitted that the purpose of the EU data protection legislation to protect fundamental rights and freedoms would lead to a similar conclusion in the current context as the precautionary principle did in that case.

  38.

    Albeit in a different context, a definition of technological protection measures, and effectiveness of such measures, can be found in Article 6(3) of Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society. For the purpose of that Directive, such measures are defined, somewhat edited for relevance in our context, as “any technology, device or component that, in the normal course of its operation, is designed to prevent or restrict acts which are not authorised … Technological measures shall be deemed ‘effective’ where the use … is controlled … through application of an access control or protection process, such as encryption, scrambling or other transformation which achieves the protection objective.”

  39.

    It may be expected that systems relying on password protection, if and to the extent they can be considered technological protection measures at all, will not easily be approved by the authorities, given the frequent lack of security around passwords.

  40.

    Appropriate encryption could be an adequate technological protection measure, assuming that any key is not lost together with the data. Depending possibly on the character of the personal data concerned, the encryption should be state-of-the-art. As an example, the former encryption standard DES was approved as a US federal standard in 1977 but became defunct in 1998, when various advances in hardware, software etc. enabled the encryption to be broken in 56 hours, see McCaffrey, “Encrypt It”, http://msdn.microsoft.com/en-us/magazine/cc164055.aspx. The US federal bill referred to under Sect. 5.1.1 above requires that encryption must include appropriate management and safeguards of encryption keys to protect the integrity of the encryption.

  41.

    The language(s) of the notification should be the same as those normally used by the provider to communicate with its customers.

  42.

    See further P.M. Schwartz and E.J. Janger, op. cit. 951 ff, regarding fuzzy notification letters, mentioning examples of breached entities including offers for credit monitoring and identity theft insurance in notification letters.

  43.

    The Data Protection Directive provides that every person shall have a right to a judicial remedy for any breach of the rights guaranteed in relation to processing (Article 22), and that any person who has suffered damage shall be entitled to receive compensation (Article 23).

  44.

    For the US, P.M. Schwartz and E.J. Janger, op. cit. 925, note that only three states provide a private right of action for individuals whose information has been breached.

  45.

    Comitology involves the adoption of technical implementing measures through a committee of Member State representatives chaired by the Commission. For the ePrivacy Directive, the so-called regulatory procedure with scrutiny applies, meaning that the European Parliament, as well as the Council, can oppose measures proposed by the Commission. See further http://europa.eu/scadplus/glossary/comitology_en.htm.

  46.

    Commission declaration on data breach notification, included in the text adopted by the European Parliament on 6 May 2009: “The Commission takes note of the will of the European Parliament that an obligation to notify personal data breaches should not be limited to the electronic communications sector but also apply to entities such as providers of information society services. Such an approach would be fully aligned with the overall public policy goal of enhancing the protection of EU citizens’ personal data, and their ability to take action in the event of such data being compromised. In this context, the Commission wishes to reaffirm its view, as stated in the course of the negotiations on the reform of the Regulatory Framework, that the obligation for providers of publicly available electronic communications services to notify personal data breaches makes it appropriate to extend the debate to generally applicable breach notification requirements. The Commission will, therefore, without delay initiate the appropriate preparatory work, including consultation with stakeholders, with a view to presenting proposals in this area, as appropriate, by the end of 2011 ….”

Author information

Correspondence to Peter Traung.


Additional information

Rosa Barcelo is legal adviser at the office of the European Data Protection Supervisor (EDPS). Peter Traung is an administrator at the Committee on Industry, Research and Energy of the European Parliament. Both authors were involved in the legislative process leading to the data breach notification rules discussed here. The views in this paper are personal to the authors and do not represent the views of either the European Parliament or the EDPS.

Copyright information

© 2010 Springer Science+Business Media B.V.

Cite this chapter

Barcelo, R., Traung, P. (2010). The Emerging European Union Security Breach Legal Framework: The 2002/58 ePrivacy Directive and Beyond. In: Gutwirth, S., Poullet, Y., De Hert, P. (eds) Data Protection in a Profiled World. Springer, Dordrecht. https://doi.org/10.1007/978-90-481-8865-9_5
