Brussels, 24/06/2013 (Agence Europe) - On 24 June, the European Commission announced that it had put in place new rules governing the procedure to be followed by telecoms services operators and internet service providers (ISPs) in the event of the loss, theft or compromise of their clients' personal electronic data. This initiative is a response to the information gathered at a public hearing held in 2011 (see EUROPE 10419). The aim of these measures is to guarantee that all citizens are treated in the same way across the whole of the EU in the event of a breach of their data, and to ensure that companies with a presence in more than one country are able to have a pan-European approach to the issue. “Consumers need to know where their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field”, stressed Neelie Kroes, the commissioner responsible for the digital strategy.
Telecommunications operators and internet service providers hold a range of data on their clients (name, address, bank details), as well as the histories of their telephone calls and of websites they have visited. Since 2011, these companies have been under a general obligation to inform the national authorities and subscribers in the event of a breach of personal data. With the regulation proposed by the Commission, the companies will have clearer instructions on how to comply with these obligations and clients will enjoy a greater degree of certainty as to how the problem will be dealt with. The Commission also wishes to encourage businesses to encrypt personal data. This is why, in collaboration with the European Network and Information Security Agency (ENISA), it is also to publish an indicative list of technical protection measures, such as encryption techniques. If a company using techniques of this kind should experience a compromise of data in its possession, it would be exempt from the obligation to notify the subscriber, because such a breach would not actually reveal the subscriber's personal data, the Commission clarifies. (IL/transl.fl)