New specific rules for consumers when telecoms personal data is lost or stolen in EU
The European Commission is putting into place new rules on what exactly telecoms operators and Internet Service Providers (ISPs) should do if their customers' personal data is lost, stolen or otherwise compromised. The purpose of these "technical implementing measures" is to ensure all customers receive equivalent treatment across the EU in case of a data breach, and to ensure businesses can take a pan-EU approach to these problems if they operate in more than one country.
Telecoms operators and ISPs hold a range of data about their customers, such as name, address and bank account details, in addition to information about phone calls and websites visited. These companies have been operating since 2011 under a general obligation to inform national authorities and subscribers about breaches of personal data (IP/11/622).
Thanks to a Commission Regulation, companies will have extra clarity about how to meet those obligations, and customers will have extra assurance about how their problem will be dealt with. For example companies must:
Inform the competent national authority of the incident within 24 hours after detection of the breach, in order to maximise its confinement. If full disclosure is not possible within that period, they should provide an initial set of information within 24 hours, with the rest to follow within three days.
Outline which pieces of information are affected and what measures have been or will be applied by the company.
In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.
Make use of a standardised format (for example an online form that is the same in all EU Member States) for notifying the competent national authority.
European Commission Vice-President Neelie Kroes said: "Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field."
Event Date: 24/06/2013
Virtual private server hosting providers who operate in EU may be interested with this.