The European Network and Information Security Agency (ENISA) has recently published a report on data breach notifications in the European Union. ENISA surveyed data protection authorities, telecommunications regulatory authorities and telecom operators from different EU countries, as well as from non-EU countries such as the United States.
Drawing on the responses of these stakeholders, the report sheds light on the practices and challenges of the forthcoming mandatory data breach notification regime, and aims to assist public authorities and private organizations in the EU as they implement data breach notification policies by providing a set of recommendations.
(Summary also available in French)
Filed under Cédric Laurant, English, Europe, European Union, Farid Bouguettaya, Non-EU, Outlines, Reports & Surveys · Tagged with "Telecom Package", Article 29 Data Protection Working Party, best practices, black lists, breach mitigation measures, data breach, data breach inventory, data breach notification, data breach notification policy, data breach notification procedures, data breaches, data ombudsman, data protection, data protection officer, data security, data security breaches, deterrence measures, ENISA, EU Directive 2002/58/EC, EU Directive 2009/136/EC, EU Directive 95/46/EC, EU e-Privacy Directive, EU Regulation 460/2004/EC, European Commission, European data protection authorities, European Data Protection Supervisor, European Network and Information Security Agency, financial sector, fines, Germany, guidelines, healthcare sector, Information Commissioner Office (UK), information security, information security policy, Internet service providers, media exposure, monetary penalties, negative publicity, Norway, personal data, publicly available electronic communications services, regulatory authorities, Royal Decree (No. 1720/2007) (Spain), security document, Spain, technical implementing measures, telecommunications operators, telecommunications sector, Turkey, undue delay, United Kingdom, United States
The European Data Protection Supervisor (EDPS) has recently issued an opinion on the review of the EU legal framework for data protection (Directive 95/46/EC). It expresses concern about the increasing difficulty individuals face in protecting the privacy of their personal data, and calls for strengthening individuals’ rights over that data. This can be done, the EDPS argues, by making security breach notifications mandatory for all relevant sectors, increasing the transparency of processing for data subjects, and introducing new rights, such as the “right to be forgotten” and the “right to data portability”.
Filed under Cédric Laurant, English, EU Law, Europe, European Union, Marie-Andrée Weiss, Outlines, Reports & Surveys · Tagged with Article 29 Data Protection Working Party, behavioral advertising, cloud computing, data controller, data portability, Data Protection Authority, data security breaches, data subject, EDPS, ENISA, EU Directive 2002/58/EC, EU Directive 2009/136/EC, EU Directive 95/46/EC, EU e-Privacy Directive, European Commission, European Data Protection Supervisor, European Network and Information Security Agency, European Union, right to be forgotten, right to data portability, right to oblivion, security breach, technologically neutral rights, transparency
The Article 29 Data Protection Working Party adopted, on July 13, 2010, a report on the EU Data Retention Directive (2006/24/EC). This report is the Working Party’s contribution to the European Commission’s evaluation of the implementation of the Data Retention Directive, which is due by September 15, 2010. The report details the results of a joint inquiry conducted by the data protection authorities into telecom providers’ and Internet service providers’ compliance, at the national level, with their obligations under both the Data Retention Directive and Articles 6 and 9 of the EU e-Privacy Directive (2002/58/EC).
Filed under Cédric Laurant, English, EU Law, Europe, European Union, Marie-Andrée Weiss, Outlines, Reports & Surveys · Tagged with access control, access request, Article 29 Data Protection Working Party, authentication, back-up, biometrics, cloud computing, cloud computing system, confidentiality, contractual clauses, Council of Europe Recommendation R(87)15, data deletion, data security, data security breaches, data security principles, digital signature, dual authentication, encryption, EU Data Retention Directive, EU Directive 95/46/EC, EU e-Privacy Directive, European Commission, European data protection authorities, external audit, handover procedures, in-house policies, integrity, law enforcement authorities, LEA-accessible systems, log integrity, log retention, logs, mutual assistance and cooperation, mutual authentication, non-repudiation, outsourcing, password, personal data, retained data, retention period, security audit, security certification, security policy, security standards, self-regulation, sensitive information, sensitive personal information, system administrator, system maintenance, technical and organizational security measures, third party certification, tracking, traffic data, warrant