Client Alerts & Newsletters

New EU Data Breach Notification Requirements

January 4, 2010

Public communications providers (ISPs and telcos) in Europe will soon be required to inform their customers and national regulatory authorities about security breaches affecting their personal data.

The European Commission hopes that the new rules will increase the incentives for better protection of personal data by providers of communications networks and services.

The new e-Privacy Directive, 2009/136/EC, enacted on December 18, 2009, amends earlier Directive 2002/58/EC. In addition to mandatory breach notification, communications providers are also required to implement a security policy, adopt measures to restrict access to personal data, and to protect against data breaches. National data protection authorities are given authority to audit compliance with these measures.

Where there is a personal data breach, notice must be given to the national regulator "without undue delay" -- a phrase that is not defined in the Directive. A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service." This definition tracks directly the language of state security breach notification bills that exist in nearly every state in the United States.

In addition to the national regulator, customers must also be informed without undue delay of any breach that is likely to adversely affect their personal data or privacy, unless the communications provider can demonstrate to the national regulator that the information was protected by a technological measure that would render it unintelligible to those with unauthorized access, e.g. encryption.

The new e Privacy Directive must be implemented into national law in the EU member states by May 2011.

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Kris D. Meade
Partner – Washington, D.C.
Phone: +1.202.624.2854

Crowell & Moring LLP is an international law firm with offices in the United States, Europe, MENA, and Asia that represents clients in litigation and arbitration, regulatory and policy, and transactional and corporate matters. The firm is internationally recognized for its representation of Fortune 500 companies in high-stakes litigation and government-facing matters, as well as its ongoing commitment to pro bono service and diversity, equity, and inclusion.

View Desktop Site | Mobile Sitemap |

Contact | Subscribe | Terms of Use | Privacy Statement | Alumni

© Crowell & Moring LLP 2023
Attorney advertising - prior results do not guarantee a similar outcome.