14 Jan 2011
European Union data breach notification laws may still be some way from becoming a reality, after telecoms operators and data protection authorities across Europe raised numerous concerns about the plans.
Data breach notifications for e-communications providers are not yet mandatory in most EU countries, but the EU telecommunications regulation reform package and its ePrivacy Directive passed in November 2009 will require their introduction in member states.
A report by the European Network and Information Security Agency (Enisa) entitled Data breach notifications in the EU highlights several areas where operators are seeking clarification.
These include assurances that notification requirements will not negatively affect their brands, and the need for greater support and guidance on procedures.
The report also reveals that data protection authorities will need greater resources, including more budget and technical experts, to help adequately enforce the breach notifications rules.
They also want to see a short deadline for reporting breaches to authorities and data subjects, and notifications which "provide the necessary information and guidance in line with the rights of the data subjects".
"As notifications are not yet mandatory in most countries, regulatory authorities have little experience in handling notifications," the report said.
"Since regulatory authorities have a number of responsibilities, there are concerns that additional duties must not interfere with pre-existing responsibilities. Notifications are not viewed as a number-one priority for most authorities."
Enisa also identified a number of areas which need attention before data breach notifications become a reality across Europe.
Key among these is deciding on a notification threshold, and guidelines for assessing the risk involved with individual breaches.
The report also calls for clearly outlined procedures so that stakeholders know how to respond in the event of a breach, along with a trial period and an automated breach notification system.
The majority of regulators surveyed for the report supported extending mandatory notifications to other sectors, although Enisa warned that this should not necessarily come from an extension of the ePrivacy Directive.