Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


New specific rules for consumers when telecoms personal data is lost or stolen in EU
New on LowEndTalk? Please Register and read our Community Rules.

New specific rules for consumers when telecoms personal data is lost or stolen in EU

The European Commission is putting into place new rules on what exactly telecoms operators and Internet Service Providers (ISPs) should do if their customers' personal data is lost, stolen or otherwise compromised. The purpose of these "technical implementing measures" is to ensure all customers receive equivalent treatment across the EU in case of a data breach, and to ensure businesses can take a pan-EU approach to these problems if they operate in more than one country.

Telecoms operators and ISPs hold a range of data about their customers, such as name, address and bank account details, in addition to information about phone calls and websites visited. These companies have been operating since 2011 under a general obligation to inform national authorities and subscribers about breaches of personal data (IP/11/622).

Thanks to a Commission Regulation, companies will have extra clarity about how to meet those obligations, and customers will have extra assurance about how their problem will be dealt with. For example companies must:

  • Inform the competent national authority of the incident within 24 hours after detection of the breach, in order to maximise its confinement. If full disclosure is not possible within that period, they should provide an initial set of information within 24 hours, with the rest to follow within three days.

  • Outline which pieces of information are affected and what measures have been or will be applied by the company.

  • In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.

  • Make use of a standardised format (for example an online form that is the same in all EU Member States) for notifying the competent national authority.

European Commission Vice-President Neelie Kroes said: "Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field."

Event Date: 24/06/2013

Source: http://europa.eu/rapid/press-release_IP-13-591_en.htm

Virtual private server hosting providers who operate in EU may be interested with this.

Comments

  • BrianHarrisonBrianHarrison Member, Provider

    Good. While full disclosure and transparency might not be the best for company PR, it definitely benefits the greater good.

    Reprise Hosting (AS62838) Specializing in self-managed cheap dedicated servers and and cheap VPS hosting.

  • doughmanesdoughmanes Member
    edited June 2013

    Virtual private server hosting providers who operate in EU may be interested with this.

    ... but located in non-EU countries with their business setup/organization = EU can't do anything except whine

    How to clean up a questionable reputation: throw the kids some BF/CM offers.

  • Nice! No pulling a Linode in the EU!

    I recommend Prometeus, the best provider ever!

  • SpiritSpirit Member

    @doughmanes said:
    ... but located in non-EU countries with their business setup/organization = EU can't do anything except whine

    Transparency in case of private data breach isn't only matter of EU laws but general business ethics. Any serious business should take this as example how to do things properly to protect own clients instead just look how to cover own ass from bad publicity.

  • I agree with the policy, but I would like to raise a point of interest as it was aimed at web hosting related companies when posted here.

    "telecoms operators and Internet Service Providers (ISPs)" to me are the people who provide you with the ability to make and receive phone calls and or connect you to the wider internet, which would not include web hosting related companies.

    Perhaps that is a perception or a country specific thing but personally I would never refer to a VPS hosting company as either a telecoms provider or an ISP, I think the confusion or loss in translation is the "internet service" element of ISP.

    There is a difference between providing access to the internet i.e. and ISP or telco, and providing a service 'on' the internet, or that requires the pre existence of an 'internet service' through a provider such as plusnet, road runner, t-mobile etc etc in order for the web hosting related service to be used.

    Just my view, not saying I am right but interested to hear other views on this point especially from the UK people.

    I am no longer active here, find me at https://talk.lowendspirit.com

  • SpiritSpirit Member
    edited June 2013

    @AnthonySmith ISP (internet service provider) is more general term. I checked wiki (I know, wiki is not law but still...) and from their description I would say that hosting providers fall also in category of internet service providers:

    An Internet service provider (ISP, also called Internet access provider) is a business or organization that offers users access to the Internet and related services. Many but not all ISPs are telephone companies or other telecommunication providers. They provide services such as Internet access, Internet transit, domain name registration and hosting, dial-up access, leased line access and colocation. Internet service providers may be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privately owned.

  • @Spirit yup, I cant argue with the wiki definition but I don't agree with it, I dont believe vps hosting companies are ISP's on the same way I don't consider facebook an ISP, both provide a service on the internet that requires you to already have a contract or agreement with an ISP to use.

    Just for clarity I agree with the proposal regardless :)

    I am no longer active here, find me at https://talk.lowendspirit.com

  • SpiritSpirit Member

    Out of curiosity. How do you see datacenter operations. Do you see datacenter as Internet service provider? :)

  • Good question, again for clarity I acknowledge that a grey area exists.

    Personally I do not consider a DC to be an ISP unless that DC also provides a method for people or business to connect to the internet directly, for example in most cases a DC does not sell connectivity to the internet directly to homes and businesses, as an individual or business you already need a connection to the internet in order to take out services that a DC offers.

    That said if a DC also has telco equipment and does in fact offer this then yes that does make them an ISP.

    At the same time some hosts here do offer internet connectivity and telecoms services such as OpenITC so that activity does classify them in my mind as an ISP as well as a web hosting related company.

    About the best analogy I can come up with is that driving instructors (at least in the UK) are not able to issue you with a provisional/trainee license in order to learn to drive, they do provide driving related services though. So the driving standards agency that can provide you with your trainee/provisional license would be the ISP and the instructor (who in the UK are private companies) would be the VPS host, you cant use the driving instructors services/VPS without first getting the access/connection through the driving standards agency/ISP.

    I am no longer active here, find me at https://talk.lowendspirit.com

  • SpiritSpirit Member
    edited June 2013

    We should not forget that this regulation actually isn't anything new and it's just more detailed part of the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications and hosting business isn't exception here.

    Under Article 4 of Directive 2002/58/EC, providers of publicly available electronic communications services are obliged to notify the competent national authorities, and in certain cases also the subscribers and individuals concerned, of personal data breaches. Personal data breaches are defined in Article 2(i) of Directive 2002/58/EC as breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provisi on of a publicly available electroniccommunications service in the Union

    http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?action=display&doc_id=2323

    Under the Regulation all providers of publicly available electronic communications services in the EU need to inform their competent national authority – which depending on where they are based may be the national data protection watchdog or communications regulator, for example – within 24 hours of detecting that they have experienced a personal data breach.

    The companies need to supply the regulator with a range of information about the breach, including the estimated date and time of the incident, the nature and content of the personal data concerned and how many individuals are affected.

    In case of your clients personal data breach in EU you have obligations to notify the competent national authorities, and in certain cases also the subscribers and individuals concerned, of personal data breaches since 2002.

  • Interesting read, you are absolutely correct, the EU baffles me, I contacted the ICO in the UK and they explicitly informed me I was not required to register with them as the data I use is not for marketing or promoting any third parties services and I do not hold any financial details for my customers.

    According to that link you posted and subsistent searches I did, I do have to notify the ICO regardless of being registered as a data controller or not within 24 hours of any known data leek that is not encrypted in any way, they will then impose the appropriate action/fine.

    So the discussion of what is an ISP is no longer relevant, I hold data in an electronic format so it applies.

    Thanked by 1Spirit

    I am no longer active here, find me at https://talk.lowendspirit.com

  • dont believe vps hosting companies are ISP's

    Depends on the laws of the country. In the US, under 47 USC § 230 ("the ISP immunity law") ISPs, web hosting companies, forums/social media sites etc., all get lumped together under the same broad category of "provider of an interactive computer service"

  • Sorry to dig up an old thread but in my mind:

    IAP = Internet access Provider = Broadband etc.
    ISP = Internet service Provider = Web hosts, IAPs and so on.

    Technically, IAPs are in the telecoms market while ISPs are not (unless they're also an IAP). You could provide telecoms without being classed as an IAP or ISP.

    Just my 2 cents.

  • john_kjohn_k Member
    edited October 2013

    @AnthonySmith said:
    they explicitly informed me I was not required to register with them as the data I use is not for marketing or promoting any third parties services and I do not hold any financial details for my customers.

    That is key. Regardless of the argument on whether or not VPS hosting companies can be considered as ISPs.

    If you use your customer's data for marketing purposes, or holding their financial details, you have a duty of care of their data, and you may be well abode by the Law.

  • HOLY NECROPOST BATMAN!

    I am no longer active here, find me at https://talk.lowendspirit.com

Sign In or Register to comment.