Developments in the EU: Security Breach Rules for ISPs and Telecoms and Cooperation Between FTC and Ireland Office of Data Protection Commission

Published On June 26, 2013 | By Jon Frankel | Data Security, FTC & State AG, International, Privacy

The European Commission has established new rules and regulations that require Internet Service Providers and telecommunications providers to notify authorities of a security breach within 24 hours. If the reporting entity is unable to provide a full explanation of the breach within 24 hours, it must provide “initial information” within 24 hours and a full explanation within three days following the incident.

While the revised 2011 E-Privacy Directive already requires telecom operators and ISPs to inform national authorities and subscribers about data breaches, the new rules clarify the requirement to outline the precise  measures taken to address and resolve data breaches involving compromised customer personal data, as well as provide a description of the breached information.

European Commission Vice President Neelie Kroes stated, “consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity…these new practical measures provide that level playing field.”

While these new rules create more specific obligations on telecom operators and ISPs, any company that encrypts customer data is not required to notify customers in the event of a breach.  These new requirements take effect at the end of August.

In other EU privacy news, the Federal Trade Commission has signed a memorandum of understanding (MOU) with Ireland’s Office of the Data Protection Commissioner “to promote an increased cooperation and communication between the two agencies in their efforts to protect consumer privacy.” According to an FTC Press Release, the MOU is designed to bolster the privacy enforcement relationship between the FTC and Ireland’s Office of the Data Protection Commissioner as part of an overall goal to protect consumer information across borders and allow the respective regulators to cooperate in cross-border enforcement. According to FTC Chairwoman Edith Ramirez, “Working closely with our international partners in this area benefits both consumers and companies.”

Cooperation between the FTC and EU data protection regulators is a natural consequence of the global nature of the Internet and the fact that more and more U.S. companies and consumers do business overseas. We expect to see additional agreements between the FTC and other overseas regulators over the coming months and years.

About The Author

Jon Frankel has been advising clients on privacy, data security, e-commerce, intellectual property and litigation matters for more than 15 years. Jon provides practical advice to mitigate privacy and data security risks and helps clients navigate a myriad of complex data collection, use and sharing cases. Jon advises on health and children’s privacy; email, SMS and telemarketing; mobile applications; user generated content; contests, promotions, and sweepstakes; online gaming; and requests from law enforcement. Prior to joining ZwillGen, Jon was a partner in the Washington, D.C. office of Bingham McCutchen, LLP, where he co-chaired the Privacy and Security Group.