European Union Data Protection Supervisor Peter Hustinx writes an editorial for ZDNet UK about data breach notification laws, criticizing exemptions that allow some breaches to go unreported.
Thus, the proposal to set up a security-breach reporting mechanism put forward by the European Commission and endorsed by the European Parliament and Council, in the context of the review of the EU E-Privacy Directive, should be well received by European citizens and stakeholders in general.
Unfortunately, if the Council and Commission approach prevails, European citizens will be disappointed to learn that the only organisations obliged to disclose breaches would be providers of publicly available electronic communications services.
That restriction means European citizens would only be alerted if their internet access or telephone company suffers security breaches. If their online bank is hacked or its security systems are cracked, enabling the unauthorised access to bank account information, citizens might not be notified.
So, unless the amendments proposed by the European Parliament are adopted by the Council, online banks and other e-businesses would be off the hook.
The reasons that justify the Council and Commission policy of such a limited approach are not entirely clear. The Commission has based its position on legal considerations, namely that the overall scope of the E-Privacy Directive is meant to regulate telecoms and access providers only.
That rationale is undermined by the existence of other sections in the E-Privacy Directive that have a broader application. Given the magnitude of the risks involved and the possibility of reducing them by passing legislation, one would hope that these types of technical legal arguments would not stand in the way of achieving such important policy objectives.
The full editorial is well worth a read.