Privacy & Information Security Law Blog

On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).

Currently, there is wide debate throughout the EU regarding data breach notification requirements.  The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011.  The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.

ENISA’s Report is based on surveys distributed to various stakeholders in February and March of 2010, and follow-up interviews with these stakeholders that took place until June 2010.  Among the stakeholders involved in the process were regulatory authorities (including EU data protection authorities), telecommunication service providers, legal experts and information and communications technology industry experts, primarily from the EU but also from other countries, particularly the United States.  In addition, the Report draws on research that ENISA conducted in parallel with the surveys and interviews to identify data breach notification procedures outside the EU.

The Report discusses current data breach notification procedures in the EU, noting that only a few EU countries – for example, Germany, Ireland, Spain and the United Kingdom – have introduced such procedures.  The Report also provides a regulatory outlook based on the input received from the EU regulatory authorities, and a private sector outlook based on the responses from the various telecommunication service providers.  Other issues the Report addresses include (1) the types of events that trigger notification, (2) notifying based on a risk assessment, (3) the timing and contents of notifications to regulators and data subjects, and (4) sanctions for non-compliance, such as fines and negative publicity.

Throughout the Report, ENISA provides various recommendations to both regulatory authorities and private sector actors, including that they should develop a list of potentially contentious issues and strive to resolve them before mandatory breach notification requirements are introduced in the laws of the various EU Member States.