Answer given by Mr Frattini on behalf of the Commission
The Directive 95/46/EC of the Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘Data Protection Directive’)(1) does not impose an obligation to report breaches of data protection laws/principles either to the relevant national data protection authority or to consumers.
Generally speaking, Article 17 of the Data Protection Directive imposes an obligation on Member States to ensure that a controller must implement ‘appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing’. Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
On the other hand, the Commission as well as Member States nowadays lay stress on more effective enforcement practices. In practice, it is usually an individual complaint that initiates the investigation of the particular case, which is further carried out by the data protection authority.
As far as the Commission is informed, there is no system where organisations in Member States would be obliged to report breaches of data protection laws either to the respective national data protection authorities or to the consumers. Therefore, the Commission cannot provide any numbers of such breaches.
The obligation of a data controller is, among other things, to process personal data in accordance with the data protection principles and laws; therefore an organisation in breach of its obligation should seek a remedy in order to comply with such obligations. Concerning an obligation to follow security guidelines, data controllers are obliged to implement appropriate technical and organisational measures to protect personal data against accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing.
In relation to electronic communications, the obligation to take technical and organisational measures is reflected in the specific Directive on privacy and electronic communications(2). These measures must ensure a level of security appropriate to the risk presented, having regard to the state of the art and the cost of their implementation. Generally speaking, most Member States currently leave the assessment of the security level to the providers of services. The directive furthermore requires the notification to subscribers of particular security risks, but not the notification of actual security breaches (Article 4).
The Commission is not aware of major security breaches which have occurred in the EU in which individuals’ sensitive personal information held by organisations has been exposed.
Reliable data on information security incidents and trends is indeed important. The Commission is in regular contact with Member States’ national data protection authorities as well as with data protection authorities in third countries. The possibility of collecting data regarding security breaches for statistical purposes, as well as of imposing an obligation on controllers to inform data protection authorities and/or consumers about any breaches, as is the case in the US under certain conditions, can be discussed in that context. Regarding electronic communications in particular, recent calls have been made to consider the extension of notification requirements to cover actual security breaches (e.g. in the context of the review of the Directive on Privacy and Electronic Communications(3)). The Commission is also considering mobilising the European Network and Information Security Agency (ENISA), Member States and stakeholders to ensure the availability of reliable data on network and information security incidents in Europe.
(2) Directive 2002/58/EC of the Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201, 31.7.2002.
(3) Most contributions to the call for input on the 2006 review, which covers the whole regulatory framework for electronic communications, including the Directive on Privacy and Electronic Communications, are available at: http://europa.eu.int/information_society/policy/ecomm/tomorrow/index_en.htm