So the European Union has enacted changes to the telecommunications directive (Directive 2002/58/EC on privacy and electronic communications) that require telecommunications companies to notify data subjects about any loss of personal data. If you read EU spin on this step, this is a great deal for “data subjects”. However, as with most things, the devil is in the detail and I have found nothing new.
One modification provides for measures that shall “ensure that personal data can be accessed only by authorised personnel for legally authorised purposes”. Now pause for a second: this provision is really aimed at telcos when they provide external authorities with secure access to personal data so long as they are “legally authorised”. So ask yourself a question: “is it likely in these circumstances that a telco would provide insecure access?”.
Other recommendations also repeat the obvious. For example, telcos are “to protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and to ensure the implementation of a security policy with respect to the processing of personal data”. OK guys, tell me what is not already in the Seventh Data Protection Principle!
The provisions relating to security breach notification add up to less than a string of beans. For example, “in the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority”. However “notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach”. This is arises when the “technological protection measure” renders “the data unintelligible to any person who is not authorised to access it”.
There again – the above is current UK practice – if there is a personal data loss, contact the Commissioner who will issue advice as to whether to contact data subjects; encryption on laptops and memory sticks is now standard advice.
Other provisions also repeat UK practice. For example, the telco if it “has not already notified the subscriber or individual of the personal data breach” can be required by the Information Commissioner to notify the data subjects concerned (e.g. this can happen in the UK under the current enforcement regime).
Rather quirky is the requirement that any notification to the data subject shall “recommend measures to mitigate the possible adverse effects of the personal data breach”. Now tell me what data controller will send a notice to each data subject which effectively says “Hey guys, I have lost your personal data. You are now on your own”.
A provision states that the Commissioner can “adopt guidelines” or “where necessary, issue instructions” concerning the circumstances in which telcos are required to notify personal data breaches. Ok – so let’s have a look at the Commissioner’s “Guidance on data security breach management” issued in late spring of this year
In fact, the only new provision I have found is the power of the Commissioner to audit telcos to see whether “they have complied with their notification obligations”. Note that this audit is limited to the context of a data loss; it is an advance merely because the Government has repeatedly refused to provide the Commissioner with powers of audit with respect to the private sector data controllers.
Do you get the message? There is nothing new to get excited about. So if any Minister or MP trumpets these provisions as part of the forthcoming General Election campaign as a great advance in data protection in the UK, then please reach for that salt bowl. (I was going to say sick bucket but decided at the last minute that this would be inappropriate),
References: see page 74 of: http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf and my piece for out-law “Why we don't need a security breach notification law in the UK” (http://www.out-law.com/page-9128).