Notification of security breaches in the EU
October 25th, 2007 | Published in Google Public Policy
California has a way of inventing things that turn out to be popular around the world (hey, not just Google). California passed the first so-called security breach notification law, in 2002. To date, 39 U.S. states have enacted laws that require notice if some form of personal information is compromised in a data security breach.
Since then, the trend has gone global. In August, the Office of the Privacy Commissioner of Canada issued guidelines on how to handle a security breach, which are just that – guidelines – but provide sensible recommendations for the handling of security breaches, including the notification to affected individuals where a breach creates a risk of harm. The logic behind the Canadian approach is that prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves. New Zealand has followed a similar line by issuing guidelines on how to handle privacy breaches, which also focus on the role of notification to avoid or mitigate harm to individuals.
This trend is about to come to Europe too. The European data protection directives do not have any express provisions requiring companies that have suffered some sort of security breach to notify the individuals affected. The traditional thinking is that Europe does not need such a measure because there is already a well known obligation that calls for the adoption of appropriate technical and organisational measures to protect personal data against security breaches.
However, a European Commission consultation document of 2006 hinted at the prospect of security breach notification obligations for providers of electronic communications networks and services, on the basis that network operators and ISPs, as the gatekeepers for users’ access to the online world, carry a special responsibility in this regard. This was followed by recommendations made by the Article 29 Working Party to extend those obligations to "data brokers," banks and other online service providers. The Working Party went on to say that for important breaches, all customers of the communications provider – not just those directly affected – should be informed.
The European Commission is now expected to include a formal proposal on whether or not to introduce mandatory security breach notifications in its review of the EU’s e-communications regulatory framework. Bearing in mind the experiences in other parts of the world and the latest thinking in jurisdictions like Canada and New Zealand, the risk of harm to the individual should be a determining factor in triggering notification obligations. Otherwise, the real risk is that notification obligations are trivialised to such an extent that they become meaningless and ineffective in terms of data protection. In fact, the potential damage to consumers of a blanket notification obligation could be twofold: on the one hand, it can create unjustified anxieties and, on the other hand, it may result in a lack of proper attention to more serious incidents.
Hopefully, the EU will benefit from other countries’ experiences in this area and adopt a balanced and realistic regime. It will be important to ensure from the outset a harmonised implementation of well-defined principles across the 27 EU countries, to avoid a patchwork of diverging laws. The ultimate purpose of security breach notification obligations should be to contribute to the protection of personal information by ensuring that consumers know when there has been a serious security leak and helping them to take prompt and effective action to avoid harm.