New EU rules on personal data breach notification for telecoms and ISPs came into force recently (on 25 August 2013). European Commission Regulation (EU) 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under the ePrivacy Directive (2002/58/EC) aims to ensure that telecoms operators, internet service providers and other public electronic communications service providers notify personal data security breaches consistently across the EU.
The revised ePrivacy Directive (2009/136/EC) requires telcos and ISPs to keep personal data secure and confidential and to notify relevant national data protection authorities of any breach where the affected individuals’ personal data or privacy are likely to be adversely impacted, in particular where the data is stolen, lost or accessed by unauthorised persons. The Notification Regulation requires service providers to notify the relevant national DPAs within 24 hours of detection of the breach. In addition, affected individuals must be notified without undue delay and provided with detailed information about the data breach.