Demands made for a data breach notification law

News by SC Staff

The Article 29 Working Party has repeated its demand for a data breach notification law.


The committee of data protection and privacy commissioners from the European Union's 27 member states has said that a proposed new clause in an EU Directive could threaten computer users' privacy and published a revised opinion on changes being planned to the Privacy and Electronic Communications Directive.


It claimed that it strongly backed Parliament's position that companies which provide services on the internet should go public only if they lose people's personal data. However, it had called for a wider breach notification requirement in two previous opinions on proposed amendments to the Directive, issued in 2006 and 2008.


The Working Party said: “Breach notifications may become an important tool for Data Protection Authorities to increase focus and effectiveness when enforcing the obligation of service providers to take appropriate security measures.


“An extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services.”


It claimed that limiting the scope of the obligations to publicly available electronic communications services would only affect a very limited number of stakeholders. It would also significantly reduce the impact of personal data breach notifications as a means to protect individuals against risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm.


It said: “Affected users may only be in the position to take appropriate measures to mitigate the risks they are facing if they have been adequately informed. Therefore, the Working Party emphasises the importance of the notification format and risk assessment in determining whether individuals should be notified, regardless of the technical measures that were actually taken to protect their data.”


