By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional

On April 5th, 2011, the Article 29 Data Protection Working Party adopted WP 184. The document is a summary of the Member States’ adoption of Directive 2009/136/EC (personal data breach provisions). The document has three goals:

1) The Working Party wished to obtain a broad picture of the manner in which the Directive has been transposed and the possible differences of approach among the Member States. This exercise may even be a way to align the laws of all the Member States.
2) To help DPAs take note of the way jurisdictions have chosen to implement the Directive and possibly encourage the development of internal rules and ways in which data breaches will be notified.
3) To advise as to future policy in the area of data breach reporting.

Under the third goal, the Working Party finds it imperative to promote future policy developments in the area of data breaches. The Working Party feels the development of policy should emphasize two areas:

a) Under Article 4(5), the Commission is given the power to enact technical measures for the implementation of the Directive. This is a newly created power under the authority of the Lisbon Treaty. The Working Party anticipates that the Commission will exercise this power only in some well-defined areas.
b) To incorporate the e-Privacy Directive in the review of the new Privacy Directive amending Directive 95/46.

PERSONAL DATA BREACH UNDER THE E-PRIVACY DIRECTIVE

The e-Privacy Directive is the very first directive in the European Union which requires the reporting of data breaches, and it applies to providers of publicly available electronic communications services. (In this area, the EU should look at the way data breaches are handled and regulated in the USA.) The data breach notification requirements do not apply to data controllers unless they are also providers of publicly available electronic communications services.

One may also argue that data controller activities and electronic communication activities should be considered independently from each other.

The e-Privacy Directive’s core elements are simple:
- It includes the definition of a data breach.
- The required legal thresholds for the reporting of breaches to users and governments.
- Content and timing of notification.
- The exemption from notification requirements when the data is protected by technological measures such as encryption.

The core elements do not seem to be a preoccupation for the Working Party. Rather, the Working Party believes there are three areas which will be problematic:

1) The scope of application of the obligation is the first identified problematic area. Even though the Directive applies to publicly available electronic communication services, it does not require Member States to extend the requirements to all types of data and all sectors of the data handling industry. Rather, the Directive encourages Member States to extend the application of the core principles to all types of data handling and all sectors (including data controllers).
2) The issuance of guidelines is also identified as problematic, because the classification of data, the definition of thresholds and the manner in which breaches are reported are open to interpretation by the Member States. However, this could be easily solved if the Commission issues implementation guidelines. The Commission’s guidelines will always trump guidelines adopted by the Member States.
3) Technological protection measures which exempt a provider from reporting a breach to users are again open to interpretation by all Member States. Just like the guidelines, the problem could be solved if the Commission issues a list of appropriate technologies.

STATUS OF THE TRANSPOSITION

According to the Working Party (as of the 5th of April), none of the Member States appear to have adopted the legislation yet. The Working Party also points out that a significant number of Member States are unlikely to meet the transposition due date of May 25th. Those who have drafted legislation report that the wording of the proposed legislation closely resembles the Directive’s.

SUGGESTIONS

The Working Party also makes several suggestions for the future:

A) The scope of the obligation to report breaches should apply to data controllers under the new Privacy Directive.
B) When creating or implementing breach notifications under the new Privacy Directive, the core elements applied to communication providers should also be applied to data controllers.
C) Regulations should be drafted, although the actual enactment of the e-Privacy Directive has yet to take place in all Member States. The drafting should take into consideration six areas proposed by the Working Party. The areas mostly deal with the harmonization and exercise of regulations by the Commission.

Lastly, the Working Party exhorts the Commission to apply the e-Privacy Directive breach requirements to data controllers as well.

If you would like to contact Raul, either email raulmendez1@earthlink.net or call 206.264.0849.