New Requirements For Data Breach Notifications

Author: Mr Rob Corbet and Olivia Mullooly
Profession: Arthur Cox

On 24 June 2013, the EU Commission adopted a Regulation on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications (the "Regulation"). The Regulation has direct effect and will enter into force on 25 August 2013 and aims to harmonise the notification of data breaches by telecommunications companies and internet service providers.

Once in force, the Regulation will supplement the obligations of telecommunications companies and internet service providers under the e-Privacy Regulations 2011 (S.I. 336/2011) to notify the Data Protection Commissioner, and any affected data subjects, of personal data breach incidents, by requiring these providers to notify the Data Protection Commissioner (or the relevant national supervisory authority) of a data breach within 24 hours of its discovery "where feasible". The current obligation under the e-Privacy Regulations is to notify the Commissioner "without undue delay", which could, in certain circumstances, be interpreted as allowing a longer timeframe than 24 hours. The Recitals to the Regulation set out some general guidance on how to manage a data breach and in particular, Recital 8 to the Regulation states that:

"neither a simple suspicion that a personal data breach has occurred, nor a simple detection of an incident without sufficient information being available, despite a provider's best efforts to this end, suffices to consider that a personal data breach has been detected for the purposes of this Regulation. Particular regard should be had in this connection to the availability of the information referred to in Annex I."

Annex I sets out the content of a notification to the supervisory authority. Article 2 of the Regulation states that:

"detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation".

If the provider is unable to furnish all of the information set out in Annex I within 24 hours, it must provide a preliminary notification within the 24-hour period and subsequently furnish the remaining information no later than 3 days from the initial notification, or provide a "reasoned justification" to the authority as to why it is not in a position to provide the remaining information.