EDPS endorses data breach notification provision in ePrivacy Directive
(This article is also available in German)
The European Data Protection Supervisor (EDPS) has issued his opinion on the new draft text of the Directive on Privacy and Electronic Communications (ePrivacy Directive) as proposed by the European Commission.
One of the important changes in the new text supported by the EDPS is the creation of a mandatory security breach notification system. The system would require telecoms operators and ISPs to notify their customers when personal information has been lost. But Peter Hustinx wants to go further and asked for the system to apply not only to "providers of public electronic communication services in public networks but also to other actors, especially to providers of information society services which process sensitive personal data (e.g. online banks and insurers, on-line providers on health services, etc.)."
The EDPS explained in his opinion that such a notification requirement has clear benefits: "it reinforces the accountability of organisations, is a factor that drives companies to implement stringent security measures and it permits the identification of the most reliable technologies towards protecting information". He openly supported the concept despite some private sector opposition: "Indeed, the simple fact of having to publicly notify security breaches causes organisations to implement stronger security standards that protect personal information and prevent breaches."
Another important change backed by the EDPS in the ePrivacy Directive is the possibility given to legal persons to take action against those who infringe the spam provisions. Thus ISPs, as well as consumer associations and trade unions representing the interests of spammed consumers, may take legal action on their behalf before the courts. The EDPS wanted to go further by proposing "class actions, empowering groups of citizens to jointly use litigation in matters concerning protection of personal data. In the case of spam, where a large number of individuals are receiving spam, the potential exists for classes of individuals to join together and launch class actions against spammers."
The EDPS also asked that legal persons be able to claim damages for an infringement of any provision of the ePrivacy Directive, not only of the spam provisions.
Peter Hustinx also considered that the Directive should broaden its scope of application to include providers of electronic communication services in mixed (private/public) and private networks, and welcomed the clarification that a number of RFID applications fall within the scope of the Directive.
Opinion of the European Data Protection Supervisor on the Proposal for a Directive amending, among others, Directive 2002/58/EC (Directive on privacy and electronic communications) (10.04.2008)
EDPS Opinion on ePrivacy Directive review: overall positive, but further improvements should be considered (14.04.2008)
EU privacy chief wants data breach law for business (17.04.2008)