Summary and implications
The Article 29 Working Party (the Working Party) has issued a new Opinion on personal data breach notification that will have important repercussions for all data controllers in the European Union.
Data controllers are strongly advised to read the Opinion and to consider what changes, if any, they may wish to make to their current data protection policies and procedures.
What is the Article 29 Working Party?
The Working Party is an independent European advisory body on data protection which was set up under the Data Protection Directive 1995/46/EC (the Directive). It is made up of representatives from each of the European Union national data protection authorities, the European Data Protection Supervisor and the European Commission. Its Opinions do not have the force of law but are highly influential.
Who are data controllers?
Data controllers are companies or other bodies that - either alone or jointly with others - determine the purposes and means of processing of personal data.
What is a "personal data breach"? What is the current EU law on breach notification?
A "personal data breach" is defined in the Directive on Privacy and Electronic Communications 2002/58/EC (the e-Privacy Directive) as a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community".
The e-Privacy Directive contains the only European Union legal obligation on data controllers to notify personal data breaches. As can be seen, this applies only to a very limited category of data controllers who provide publicly available electronic communications services (each, an ECS provider) such as internet service providers. An ECS provider is obliged to notify any personal data breach to the relevant data protection authority - and also to the data subjects themselves where the breach is likely to adversely affect the personal data or privacy of the data subjects.
Where is EU data protection law heading?
There has been a growing international trend towards personal data breach notification. This has meant that certain countries such as Germany and Ireland have introduced more stringent national data breach notification requirements than those provided under the e-Privacy Directive.
The latest draft of the proposed General...