European Data Protection Supervisor Supports General Obligation to Report Security Breaches

The European Data Protection Supervisor (EDPS) has recently published its Opinion [alternate link] on the Communication from the European Commission entitled “A comprehensive approach on personal data protection in the European Union”, which had been adopted by the Commission in July last year.

The purpose of the Communication was to lay down the Commission’s approach for the review of the European Union legal system for the protection of personal data in all areas of the Union’s activities, while taking account of the challenges resulting from globalization and new technologies.

Indeed, the EDPS notes that

“[t]oday’s technology is not the same as when Directive 95/46 was conceived and adopted.”

Cloud computing, behavioral advertising, social networks, road toll collecting and devices allowing for easy geo-location of their users pose new challenges to data protection. (para. 14)  Data are increasingly transferred across borders and processed outside of the European Union, while the now prevalent use of Internet and cloud computing make it increasingly difficult for the data subject to know where his data is geographically located.

The EDPS’s Opinion describes the period since the adoption of the Data Protection Directive (Directive 95/46/EC) as “technologically turbulent.” (para. 37) Individuals have lost their ability to opt in to participate in the Information Society, which “can no longer be considered as a parallel environment”. One example is the development of the “Internet of Things”: a network of computers interconnected to a network of objects. The EDPS “fully supports the Communication where it proposes strengthening individuals’ rights, since existing legal instruments do not fully deliver the effective protection that is needed in an increasingly complex digitalized world” (para. 68). The current version of article 7 of the Data Protection Directive lists six legal bases for processing personal data, and unambiguous consent of the individual is one of them. Indeed, article 5(3) of the amended ePrivacy Directive states that “[m]ember States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC.” An individual must consent to having “cookies” stored on his computer. Is the option of opting out enough? The Article 29 Working Party answered by the negative in a 2010 opinion on behavioral advertising. Opting-out is “not an adequate mechanism to obtain average users informed consent.”) (p. 15 of the opinion). Similar debates on what is “consent” could arise in the context of the “Internet of Things” or geolocation services, as new techniques become a prevalent part of our life as citizens of the Information Society.

Towards a general obligation to report data breaches?

The EDPS wants to make the notification of data security breaches a general principle in the Data Protection Directive that would extend the obligation that already exists in the revised e-Privacy Directive for providers of electronic communication services (providers of telephony service and Internet access), supporting in this what is proposed in the European Commission’s Communication.

Yet, the EPDS notes that

“[t]he reasons that justify th[is] obligation fully apply to data controllers other than providers of electronic communication services.” (para. 75)

Indeed, security breach notifications serve different functions and strive for different goals. One of these goals, the Communication highlights, is to serve as an information tool to make individuals aware of the risks they face when their personal data are compromised. Such notifications may help them to take the necessary preventive measures to mitigate risks associated with data breaches, such as changing passwords or cancelling their accounts (para. 76). Mandatory data security breach notifications also provide incentives for data controllers to implement stronger security measures to prevent these breaches, and thus add to the controller’s  accountability. Such notifications also serve as a tool of enforcement for data protection authorities, as notification may lead them to investigate a data controller’s overall practices (para. 76).

"Sunlight" (Photo by Luc De Leeuw; shot on Feb. 3, 2008). Available at (Creative Commons "Attribution-NonCommercial-ShareAlike 2.0 Generic (CC BY-NC-SA 2.0)" license.)

"Sunlight" (Photo by Luc De Leeuw, Feb. 3, 2008)

The EDPS notes that the security breach rules as laid out in the amended ePrivacy Directive were broadly discussed during the parliamentary debates that preceded the adoption of that Directive, and both the Article 29 Working Party and EDPS’s opinions were taken into consideration (para. 77). The rules eventually adopted  “represent a balance of interests”:

“while the criteria triggering the obligation to notify are, in principle, adequate to protect individuals, they do so without imposing overly cumbersome, not useful requirements.” (para. 77)

The EDPS had issued an opinion in 2008 on the Proposal for a Directive amending the e-Privacy Directive where it stated that it “particularly welcome[d] the adoption of a mandatory security breach notification system.”

In 2009, the Article 29 Working Party had adopted an opinion on the proposed amendments to the ePrivacy Directive where it fully supported the proposed amendments to Article 4 of the Directive that required service providers to notify security breaches. It recommended that, whenever there is a risk of adverse effect to individual’s privacy and data protection, the competent national regulatory authority be informed, and service providers immediately notify affected users, notwithstanding the possibility for that competent authority to disclose information about the breach to the public and force the service provider to do the same.

The European Network and Information Security Agency (ENISA) has just published last January a report on Data Breach Notifications in the EU, which compiles feedback from regulatory authorities, legal experts, private companies and industry experts on the subject of mandatory data breach notifications.  We will come back to it in more details in another post.

The new data protection legal framework must be technologically neutral

The new legal framework must be neutral with respect to technological changes in order to remain effective for a long period of time while allowing companies and individuals to develop new technologies without concerns that they may run afoul of an obsolete law. (para. 38)  Because technologies evolve so quickly, the rights and obligations of individuals and companies must be stated in a general and neutral way, so that they remain “valid and enforceable irrespective of the technology chosen for processing personal data.” The EDPS thus suggests the introduction of “new ‘technologically neutral’ rights on top of the existing principles of data protection” (para. 39)

It must also increase transparency…


Individuals are not always aware that their personal data are collected, used, disclosed and sold to third parties, nor do they know how to exercise control. The EDPS gives as an example behavioral advertising, where “ad network providers [monitor] individuals’ web browsing activities, using cookies or similar devices, for the purposes of targeted advertising” (para. 69). Individuals cannot exercise their rights if they do not know how their personal data are being processed.

The Communication suggests adding an explicit general principle of transparency, linked or not to the existing provision of fair processing. Therefore, it would be certain that the

“controller should under all circumstances process personal data in a transparent way, not only on request or when a specific legal provision requires him to do so” (para. 73).

The EDPS suggests also strengthening the existing provisions of the 1995 Directive by requiring that the controller provide information on data processing in an easily accessible, clear, and easy to understand manner. The information should be clear, conspicuous and prominent (para. 74).

… and promote data portability and the right to be forgotten


Data portability and the right to be forgotten (or “right to oblivion”) are two connected concepts that aim at empowering the data subject by strengthening his rights (para. 83). Data are increasingly stored automatically and kept for unspecified periods of time, while the data subject has limited control over his personal data. Indeed, the Internet has a “gigantic memory” (para. 84).

“[F]rom an economic perspective, it is more costly for a data controller to delete data than to keep them stored,” and the exercise of the rights of the individual therefore “goes against the natural economic trend” (para. 84).

In order to empower the data subject, data portability and the right to be forgotten can give her more control over her information. The right to be forgotten “would ensure that the information automatically disappears after a certain period of time, even if the data subject does not take action or is not even aware the data was ever stored.” (para. 85) This “right to be forgotten” would ensure that personal data are deleted while it would be prohibited to use them further without the data subject’s necessary action, but on condition that this data be already stored for a certain amount of time. In other words, the data would be given some sort of “expiration date” (para. 88).

This new “right to be forgotten” should be connected to data portability (para. 89), which is “the users’ ability to change preferences about the processing of their data, in connection in particular with new technology services.” (para. 86) Individuals should be allowed to easily change service provider and transfer their personal data to another one” (para. 87). This portability right would ensure that individuals are given access to their personal information and provide that the former service provider or data controller deletes the information “even if they would like to keep it for their own legitimate purposes” (para. 87).

The EDPS will pursue its work on data breach notifications

At a recent seminar that ENISA organised on January 14, 2011 to release its new report on Data Breach Notifications in the EU, the EDPS announced that it would be working in the coming months with ENISA and the Article 29 Working Party in order to adopt technical implementing measures regarding the circumstances, format and procedures applicable to the information and notification requirements of Directive 2009/36/EC in order to ensure consistency in how those measures will be implemented.  (See more details in the EDPS’s representative (Laurent Beslay)’s presentation.)

Marie-Andrée Weiss and Cédric Laurant


2 Responses to “European Data Protection Supervisor Supports General Obligation to Report Security Breaches”
Check out what others are saying...
  1. […] and electronic communications 2002/58/EC in Directive 2009/136/EC (more details in earlier posts in this blog) that applies to telecommunications companies and Internet service providers. Then, in 2012, in the […]

  2. […] and electronic communications 2002/58/EC in Directive 2009/136/EC (more details in earlier posts in this blog) that applies to telecommunications companies and Internet service providers. Then, in 2012, in the […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

  • Blog authors

  • Copyright notice

    © Copyright 2010-2014 "Information Security Breaches & The Law".
    All rights reserved, unless noted otherwise under each author's post, page or other material.
    If you would like to discuss licensing terms, contact us at: info [at] security-breaches [dot] com.

  • Enter your e-mail address here to follow this blog and receive notifications of new posts by e-mail.

  • The “Global Information Security Breach Professionals” Group on Linkedin

  • Wordpress Blog Stats

    • 46,882 hits
%d bloggers like this: