Going online can mean revealing your personal information, such as name, address and credit card number, but do you know your rights regarding your personal data online? EU common rules enable a high standard of protection for your personal information everywhere in Europe, and their scope has just been expanded by new specific rules for consumers when telecoms personal data is lost or stolen.
Personal data breeches must be reported
According to the EU Data Protection Directive, organizations that are gathering personal information must protect it from wrongful use and respect specific rights, and personal data can only be collected for legitimate purposes under strict conditions.
Protection of privacy over public networks is ensured by the Directive of Privacy and Electronic Communications also known as ePrivacy Directive, which was updated in 2009 to ensure clearer rules on customers’ rights to privacy. It states that any personal data breach must be reported to the specific national authority and the concerned subscriber informed directly when the breach is affecting them personally.
Complementing the existing legislation
The ePrivacy Directive also allows the Commission to suggest practical rules to complement the existing legislation. The purpose of these ‘technical implementing measures’ is to provide equivalent treatment of the customers across Member States in case of data breaches and also to be sure that businesses can take a comprehensive approach if they are operating in several counties.
The Commission has thus put together new rules and requirements in the form of a Commission Regulation on what exactly telecoms operators and Internet Service Providers should do if their customers’ personal data is lost, stolen or otherwise compromised. Some of the requirements are:
- Like before, to inform the specific national authority about the data breach, with the deadline for such a report limited to within 24 hours after the incident. If that is not possible, companies must reveal basic information within 24 hours and the rest of information within three days.
- To indicate which pieces of information are affected and what measures the company will apply.
- When estimating whether to inform the subscribers (if the breach is affecting personal data or privacy), companies should pay attention to the type of data compromised. In the telecoms sector this applies especially to financial information, internet log files, web browsing histories, e-mail data, call lists, etc.
- The use of a standardised format for informing the authority.
- The Commission also wishes to encourage the companies to encrypt personal data. If a data breach should occur, the encryption would make it impossible for an unauthorised person to use the data.
The rules will come into force in two months after publication in the EU Official Journal and will have direct effect, requiring no further transposition at national level.
Read this article in Slovene