EU citizens to remain in the dark on data breaches
Telecom operators and Internet Service Providers (ISPs) will not have to tell people their personal data has been hacked if they adhere to European Commission guidelines.
The commission on Monday (24 June) said the yet-to-be published guideline includes a new safeguard on encrypting personal data, which would spare companies the embarrassment of having to go public if the information is stolen by a hacker or released by accident.
“If a company applies such techniques but suffers a data breach, they would be exempt from the burden of having to notify the subscriber because such a breach would not actually reveal the subscriber’s personal data,” the commission said in a statement.
Digital agenda commissioner Neelie Kroes said it would “level the playing field” between consumers and businesses.
“Businesses need simplicity,” she noted.
She added that consumers also need to know when their personal data has been compromised, but only when this is possible.
The encryption rule is bundled with a new set of other measures to clarify what the industry should do in the event of a breach.
The rules enter into force in August and set up a common online identification form for data loss notifications. Companies would use the form to notify a national authority if their system has been hacked.
The rules are being added to the existing ePrivacy directive which requires companies to keep people’s data secure and to notify them of data breaches.
Companies are required to erase or anonymise any data that serves no purpose.
But a controversial article in the EU legislation allows member states to keep the data in the event of criminal investigations or in cases involving national security.
The article is similar to one in the EU data retention directive, which is currently being challenged in the EU court in Luxembourg.
The data retention directive requires mobile phone companies and ISPs to monitor a person’s location, calls and emails.
The companies are then obliged to store the data for up to two years in the event of a police investigation.
Digital Rights Ireland has filed a case against the EU data retention law in the European Court of Justice, arguing there are not enough safeguards in the legislation.
A verdict is due on 9 July.
Digital rights experts say that even if the data retention directive is overturned the corresponding article in the ePrivacy law could remain intact.