Europe's privacy watchdogs have reiterated their demand for a data breach notification law and have said that a proposed new clause in an EU Directive could threaten computer users' privacy.
The Article 29 Working Party is a committee of data protection and privacy commissioners from the European Union's 27 member states. It has published a revised opinion on changes being planned to the Privacy and Electronic Communications Directive.
Alterations to the Directive are being negotiated between the European Commission, the European Parliament and the Council of Ministers, which have yet to agree on the exact changes.
The Working Party said that it strongly backed the Parliament's position that companies which provide services on the internet should go public if they lose people's personal data. The Commission and Council's plans only extend to telecoms companies.
The Working Party had called for a wider breach notification requirement in two previous opinions on proposed amendments to the Directive, issued in 2006 and 2008.
"Breach notifications may become an important tool for Data Protection Authorities to increase focus and effectiveness when enforcing the obligation of service providers to take appropriate security measures," it said in this month's opinion. "The Working Party strongly supports an extension of the scope of the obligation to Information Society Services."
"An extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services. Online transactions including access to e-banking services, private sector medical records and online shopping are a few examples of services that may be subject to personal data breaches causing significant risks to a large number of European citizens," it said.
"Limiting the scope of these obligations to publicly available electronic communications services would only affect a very limited number of stakeholders and thus would significantly reduce the impact of personal data breach notifications as a means to protect individuals against risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm," said the Working Party.
Plans by Parliament and the Council to exempt companies that have taken certain protective steps from the obligation to go public were also attacked by the Working Party. Those plans involve exempting organisations where "appropriate technological protection measures [which] were applied to the data concerned by the security breach."
The Working Party said that once data has been lost, individuals are at risk and so should be told, regardless of what measures had been in place to protect their personal data.
"This provision would significantly reduce the quality and usefulness of the information delivered to affected persons," said the Working Party. "Affected users may only be in the position to take appropriate measures to mitigate the risks they are facing if they have been adequately informed. Therefore, the Working Party emphasises the importance of the notification format and risk assessment in determining whether individuals should be notified, regardless of the technical measures that were actually taken to protect their data."
All three EU governing bodies have agreed a clause which grants an exemption from the Directive for the processing of internet and phone traffic data for security purposes. The Working Party believes that this is unnecessary. It said that other laws already cover this area and that a new law could lead to snooping on internet traffic.
"[The Working Party] is concerned that the current wording might lend legitimacy to large scale deployment of deep packet inspection, both in the network and in user equipment such as ADSL boxes, while the current legal framework already details the cases in which traffic data may be processed for security purposes," it said.
The Working Party did welcome some changes to the law-making process, though, including one that brings it into further consideration of how the Directive will be amended.