European Commission plans security breach notification law

The European Commission wants laws to be passed across Europe that would force telecoms companies to tell customers when personal data security has been breached. Security breach laws are common in the US but are still controversial.

Even in the wake of the loss of 25 million UK residents' personal details last month, the Information Commissioner's Office (ICO) cautioned that a poorly-drafted general security breach notification law would be counter-productive because a large number of notifications could make citizens complacent.

The Commission has published a proposal to amend the Privacy and Electronic Communications Directive, which is designed to ensure that EU citizens' privacy is not violated in telecoms networks.

A major proposal is that telecoms companies would be subject to a security breach notification law which would force them to tell customers when a privacy breach had occurred.

"A breach of security resulting in the loss or compromising personal data of an individual subscriber may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud," said the proposal. "Therefore, subscribers concerned by such security incidents should be notified without delay and informed in order to be able to take the necessary precautions."

"The notification should include information about measures taken by the provider to address the breach, as well as recommendations for the users affected," it said.

Some privacy advocates have argued that a security breach notification law would greatly improve awareness of privacy issues and would force organisations to be more careful with people's data because of the threat of public shaming should they lose data or expose it to the public.

Privacy watchdog the ICO, though, has taken no firm stance on such laws and said two weeks ago that their value would be undermined if every little breach was notified, because it would desensitise the public to more serious incidents.

The proposal appeared to urge that context be taken into account when setting the rules, and that the level of danger be assessed before public notification.

"In setting detailed rules concerning the format and procedures applicable to the notification of security breaches, due consideration should be given to the circumstances of the breach, including whether or not the personal data had been protected by encryption or other means, effectively limiting the likelihood of identity fraud or other forms of misuse," said the proposal.

Most US states have such laws. A significant number of breaches have come to light because of the laws.

The EU proposal has some caveats. It says, for example, that laws should not interfere with police work. "Rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach," it said.

The Commission proposals also want telecoms companies to be able to sue spammers for the unwanted email they send over ISPs' networks.

"Electronic communications service providers have to make substantial investments in order to combat unsolicited commercial communications ('spam')," it said. "They are also in a better position than end-users in possessing the knowledge and resources necessary to detect and identify spammers."

"Email service providers and other service providers should therefore have the possibility to initiate legal action against spammers and thus defend the interests of their customers, as well as their own legitimate business interests," said the Commission proposal.