The European Commission has established new rules and regulations that require Internet Service Providers and telecommunications providers to notify authorities of a security breach within 24 hours. If the reporting entity is unable to provide a full explanation of the breach within 24 hours, it must provide “initial information” within 24 hours and a full explanation within three days following the incident.
While the revised 2011 E-Privacy Directive already requires telecom operators and ISPs to inform national authorities and subscribers about data breaches, the new rules clarify the requirement to outline the precise measures taken to address and resolve data breaches involving compromised customer personal data, as well as provide a description of the breached information.
European Commission Vice President Neelie Kroes stated, “consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity…these new practical measures provide that level playing field.”
While these new rules create more specific obligations on telecom operators and ISPs, any company that encrypts customer data is not required to notify customers in the event of a breach. These new requirements take effect at the end of August.
In other EU privacy news, the Federal Trade Commission has signed a memorandum of understanding (MOU) with Ireland’s Office of the Data Protection Commissioner “to promote an increased cooperation and communication between the two agencies in their efforts to protect consumer privacy.” According to a FTC Press Release, the MOU is designed to bolster the privacy enforcement relationship between the FTC and Ireland’s Office of the Data Protection Commissioner as part of an overall goal to protect consumer information across borders and allow the respective regulators to cooperate in cross-border enforcement. According to FTC Chairwoman Edith Ramirez, “Working closely with our international partners in this area benefits both consumers and companies.”
Cooperation between the FTC and EU data protection regulators is a natural consequence of the global nature of the Internet and the fact that more and more U.S. companies and consumers do business overseas. We expect to see additional agreements between the FTC and other overseas regulators over the coming months and years.