
EC consults to create single data breach disclosure system

by Dan Worth

14 Jul 2011


The European Commission (EC) has launched a consultation on the best way to create a single system under which businesses subject to mandatory data breach disclosures can report this information.

The law, which came into force on 26 May as part of revisions to the ePrivacy Directive, currently applies only to telecoms operators and internet service providers, and is designed to give consumers more insight into how their information is handled.

The EC wants these companies, as well as data protection authorities and consumer organisations concerned with data privacy, to provide input on how data breaches can be disclosed in a practical and consistent manner.

Specifically, the EC wants feedback on the circumstances under which disclosures should be made, the procedures they should follow and the format in which they should be made.

Neelie Kroes, EC vice president for the Digital Agenda, said that a consistent system will make it easier for businesses to meet their obligations.

"The duty to notify data breaches is an important part of the new EU telecoms rules. But we need consistency across the EU so businesses don't have to deal with a complicated range of different national schemes," she said.

"I want to provide a level playing field, with certainty for consumers and practical solutions for businesses."

Stewart Room, a partner at law firm Field Fisher Waterhouse, told V3.co.uk that, while companies affected by the new system will welcome the consultation, it raises questions over the EC's implementation of the law.

"Members of the public may be concerned that the nuts and bolts of this critical new legal regime haven't been worked out yet, almost two months after the law came into effect and nearly two years after the law was adopted by the EU," he said.

"Interestingly, the proposal for a consultation suggests that the EC isn't yet sure of the kind of breach that warrants disclosure. That is rather surprising."

Kroes announced her intention to widen the law to all businesses at an event in London in June, and the outcome of the consultation could have implications for all businesses operating in the European region.

The head of data protection at operator Everything Everywhere recently slammed the new law, arguing that it was far too broad and could lead to instances in which breach disclosure may cause more harm to those affected than keeping it private.

The Public consultation on personal data breach notifications closes on 9 September.
