The European Data Protection Supervisor (EDPS) has come out in favor of the EU enacting data security breach notification laws.
The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good data protection practices within the EU, both by monitoring the EU administration’s own data processing, as well as by commenting on pending legislation.
The EDPS recently adopted an opinion on the European Commission’s proposal to amend the Directive on Privacy and Electronic Communications, commonly known as "the ePrivacy Directive." If enacted, the proposed amendment to the ePrivacy Directive (a revised Article 4) would implement the first pan-European data breach notification requirement (even if somewhat limited by U.S. standards).
The EDPS commented favorably on the idea of data breach notification, noting that such a system carries with it "positive effects…which have already been tested in the United States where breach notification legislation at the state level has been in place for several years already." Specifically, the EDPS noted that data breach notification can increase accountability and "has proven to be a factor that drives security investment at organizations that process personal data" as well as encouraging the implementation of stronger safeguards to protect personal data.
Moreover, and not surprisingly, the EDPS supported the provision of the proposal that explicitly requires the European Commission to consult with the EDPS before adopting implementing measures.
However, the EDPS did find fault with some aspects of the proposed data breach notification legislation. The EDPS’ main complaint was that the proposed amendments to the ePrivacy Directive did not go far enough, because the notification obligations would apply only to providers of public electronic communication services in public networks. The EDPS’ position is that the obligation to notify in the event of a breach should not be limited to those entities, but should also apply to providers of "information society services" that process sensitive personal data, such as online banks and insurers and online health services providers.
It remains to be seen whether, and to what extent, the EU will adopt the EDPS’ suggestions on the proposed legislative amendments.