On August 25, 2013, a new European Regulation came into effect that changed and expanded upon the breach notification procedures set forth in the E-Privacy Directive (2002/58/EC). The Regulation outlines two independent notification obligations: (1) notification to the relevant national authority within 24 hours after detection of a personal breach where feasible; and (2) notification to affected individuals when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual without undue delay. Notification to subscribers or individuals is not required if the provider has encrypted the data or otherwise rendered it unintelligible. While the E-Privacy Directive and the Regulation applies only to “providers of publicly available telecommunication services,” such as telecommunication companies, ISPs, and email providers, these new requirements have generated and will continue to generate broader interest because of similar language incorporated into the draft General Data Protection Regulation 2012, which applies to all businesses that handle personal data.
We are glad to feature a summary of the new requirements of the Regulation on our blog, written by Ruth Boardman, Ariane Mole, and Gabriel Voison of Bird & Bird LLP.
The views and opinions expressed in the summary of the new requirements of the Regulation are solely those of the author(s). They are not necessarily representative of the views of Alston & Bird LLP or Bird & Bird. The materials on this blog and the summary of the new requirements of the Regulation are provided for informational purposes only and do not constitute legal advice. Please contact any member of the Alston & Bird’s Privacy & Security team if you are seeking legal advice.
Written by Kimberly Peretti, Partner, Security Incident Management & Response Team | Alston & Bird LLP
