Data breach: new EU Regulation on the procedures for notification to DPAs and users imposed on Internet providers and telephone companies
On August 25, the new Regulation (EU) no. 611/2013 on the measures applicable to the notification of personal data breaches imposed on Internet providers and telephone companies under article 4 of the e-Privacy directive 2002/58/Ce, as amended by directive 2009/136/Ce (respectively the “Regulation” and the “Directive”), came into force. Pursuant to said article 4, in particular, providers of publicly available electronic communications services (“Providers”) are obliged to notify the competent national protection data authorities (“DPAs”), and in certain cases also the subscribers and other individuals concerned, of possible personal data breaches. As it is well known, however, the existence of different notification requirements in each Member State implied expensive, complex and quite inconsistent procedures, which have now been harmonized by introducing a uniform procedure and equal notification deadlines in all Member States according to the new Regulation.
Pursuant to article 2 of the Regulation, the Provider shall always comply with the duty to notify the breach to national DPAs – in Italy called “Autorità Garante per la Protezione dei Dati Personali” (the “Garante”) – no later than 24 hours after the detection of the problem, by providing its contact details and information about the breach as per Annex 1 of the Regulation. In case all such information is not immediately available, the Provider shall make an initial notification within 24 hours including only some data (the “ initial information” under Section 1 of Annex 1). The Provider shall make a second notification within three days following the initial one including the remaining information. However, where the Provider is unable to provide the requested data even within such postponed deadline, the same shall notify the elements at its disposal and submit a reasonable justification for the late notification of the remaining information, which is still to be provided as soon as possible.
Neither a simple suspicion, nor a simple detection of an incident can be considered as “sufficient awareness” that a personal data breach has occurred and that such notification is needed. Therefore, the Provider shall carefully assess if the information requested by the Regulation is at its disposal on a case-by-case basis, according to Recital 8.
Pursuant to article 3 of the Regulation, the Provider shall also make an additional notification to the subscriber or other individual, only in case the breach “is likely to adversely affect the personal data or privacy” of the same. The Regulation, for the first time, introduces strict criteria upon which such prejudice is to be assessed, i.e. i) the nature and content of the personal data concerned (namely sensitive data, financial information, web browsing histories, location data etc.), ii) the likely consequences of the breach (identity theft, damage to reputation etc.) and iii) the circumstances of the breach (if the data has been stolen or when provider knows that the data is in the possession of an unauthorized third party). In these cases, the notification to the subscriber is made “without undue delay after the detection of the breach” and shall include a minimum content, specified for the first time in Annex 2 of the Regulation (nature and content of the data concerned, likely consequences of the breach, measures taken to address the breach etc.). In case individuals other than the subscribers are adversely affected by the breach and their data is not immediately available, the Provider should be permitted to notify them initially through advertisements in major national or regional media.
The abovementioned provisions concerning the subscriber, however, do not apply if the Provider “has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach” (article 4(1) of the Regulation). According to this provision, the measures in question (basically, encrypting or hashing techniques appropriate according to current practices) shall render the data unintelligible to anyone who is not authorized to access it.
Within three years from the entry into force of this Regulation, a report on the application of the new procedures is to be issued in order to assess their impact and efficacy on the individuals and entities concerned (article 6 of the Regulation). On the basis of that report, the Regulation will be reviewed, also taking into account the future legal context, resulting, in particular, from the possible reviews of the e-Privacy Directive and the entering into force of the new Privacy Regulation, which will probably replace data protection directive no. 95/46/CE currently in use.
As regards the impact on the Italian legal system, the above procedures do not seem to depart much from the Guidelines issued by the Garante on 12 July 2012, containing detailed instructions for complying with the notification obligation, which has been introduced within the Italian legal system under Articles 32 and 32-bis of Legislative Decree no. 196/2003 (“Privacy Code”), as recently amended by Legislative Decree no. 69/2012 implementing the Directive.
Such Guidelines, in fact, already provided a 24-hour deadline for the first notification of the breach to the Garante, to be completed within the following three days. The only new elements introduced by the Regulation concern the notification to the subscriber or to other individuals and the above mentioned criteria to assess the possible prejudice suffered by the user (and therefore the opportunity of the notification), as well as the specific content of the notification.
In addition to these provisions, the Italian Guidelines also clarify further aspects which are not part of the Regulation, namely the obligation to provide a preliminary data breach risk assessment and to keep an updated inventory of occurred breaches, as well as the mechanisms to notify contracting parties and the penalties for non-compliant or delayed notifications by Providers. This part of the Guidelines will probably continue to apply in Italy, as these aspects are not touched by the Regulation.