The European Commission (EC) has this week implemented new rules to help telephone and broadband providers (ISP) know what to do when their customers’ personal data is either lost, stolen or otherwise compromised. But companies that encrypt your data won’t have to tell you if it’s been stolen.
Internet providers typically hold a range of personal details about their customers, such as names, addresses, bank details, website visits, phone usage and so forth. Data like this could easily be abused by criminals if it fell into the wrong hands, so it is important to keep all of it secure.
Related companies already have a general obligation to inform national authorities and subscribers about breaches of personal data, although the new measures are an attempt to clarify some rules and standardise the approach.
Neelie Kroes, EC Vice-President, said:
“Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field.”
The Key Rules
• Companies must: Inform the competent national authority of the incident within 24 hours of detecting the breach, in order to maximise its containment. If full disclosure is not possible within that period, they should provide an initial set of information within 24 hours, with the rest to follow within three days.
• Companies must: Outline which pieces of information are affected and what measures have been or will be applied by the company.
• In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.
• Companies must: Make use of a standardised format (for example an online form that is the same in all EU Member States) for notifying the competent national authority.
However, the EC also wishes to “incentivise companies” to encrypt personal data, and as a result any company that does so would apparently be “exempt from the burden of having to notify the subscriber because such a breach would not actually reveal the subscriber’s personal data”. We can see why they’d take this stance, but at the same time we still think that subscribers should be informed; nothing remains 100% secure forever.