Privacy Law Blog

EU Data Protection Watchdog Supports Data Breach Notification Law

The European Data Protection Supervisor (EDPS) has come out in favor of the EU enacting data security breach notification laws.

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good data protection practices within the EU, both by monitoring the EU administration’s own data processing, as well as by commenting on pending legislation.

The EDPS recently adopted an opinion on the European Commission’s proposal to amend the Directive on Privacy and Electronic Communications, commonly known as "the ePrivacy Directive." If enacted, the proposed amendment to the ePrivacy Directive (a revised Article 4) would implement the first pan-European data breach notification requirement (even if somewhat limited by U.S. standards).

The EDPS commented favorably on the idea of data breach notification, noting that such a system carries with it "positive effects…which have already been tested in the United States where breach notification legislation at the state level has been in place for several years already." Specifically, the EDPS noted that data breach notification can increase accountability and "has proven to be a factor that drives security investment at organizations that process personal data" as well as encouraging the implementation of stronger safeguards to protect personal data.

Moreover, not surprisingly, the EDPS supported the piece of legislation that explicitly requires the European Commission to consult with the EDPS before adopting implementing measures.

However, the EDPS did find fault with some aspects of the proposed data breach notification legislation. The EDPS’ main complaint was that that the proposed amendments to the ePrivacy Directive did not go far enough because the notification obligations only applied to providers of public electronic communication services in public networks. Rather, the EDPS’ position is that the obligation to notify in the event of a breach should not be limited to those entities, but should also apply to providers of "information society services" that process sensitive personal data, such as online banks and insurers, and on-line health services providers.

It remains to be seen to whether and to what extent the EU will adopt the EDPS’ suggestions on the proposed legislative amendments.

Trackbacks (0) Links to blogs that reference this article Trackback URL
Comments (0) Read through and enter the discussion with the form at the end
Proskauer Rose LLP
Beijing Suite 5102, 51/F
Beijing Yintai Centre Tower C
2 Jianguomenwai Avenue
Chaoyang District
Beijing 100022, China
Phone: 86.10.8572.1800
Boca Raton 2255 Glades Road
Suite 421 Atrium
Boca Raton, FL 33431-7360
Phone: 561.241.7400
Boston One International Place
Boston, MA 02110-2600
Phone: 617.526.9600
Chicago Three First National Plaza
70 West Madison
Suite 3800
Chicago, IL 60602-4342
Phone: 312.962.3550
Hong Kong Suites 1701-1705, 17/F
Two Exchange Square
8 Connaught Place
Central, Hong Kong
Phone: 852.3410.8000
London Ninth Floor
Ten Bishops Square
London E1 6EG
United Kingdom
Phone: 44.20.7539.0600
Los Angeles 2049 Century Park East
32nd Floor
Los Angeles, CA 90067-3206
Phone: 310.557.2900
Newark One Newark Center
Newark, NJ 07102-5211
Phone: 973.274.3200
New Orleans Poydras Center
650 Poydras Street
Suite 1800
New Orleans, LA 70130-6146
Phone: 504.310.4088
New York Eleven Times Square
New York, NY 10036-8299
Phone: 212.969.3000
Paris 374 rue Saint-Honoré
75001 Paris, France
São Paulo Rua Funchal, 418
26° andar
04551-060 São Paulo, SP, Brasil
Phone: 55.11.3045.1250
Washington, D.C. 1001 Pennsylvania Avenue, NW
Suite 400 South
Washington, DC 20004-2533
Phone: 202.416.6800