Telcos in Europe are being asked to consider encrypting their subscribers' personal information as Brussels confirmed new rules on Monday about the industry's obligation to notify customers about data breaches.
The European Union's unelected digital czar, “Steelie” Neelie Kroes, said that if ISPs agreed to shield the data with difficult-to-crack code then companies would not be required to tell the subscriber when a breach of their data has occurred.
Under the measures - which are separate from the European Commission's proposed rejig of the EU's data protection laws - Brussels' officials said they had clarified a general obligation for telcos to inform national watchdogs about an information breach, which has been in place since 2011.
It told telecoms outfits across the 27-member-state bloc to:
■ Inform the competent national authority of the incident within 24 hours after detection of the breach, in order to maximise its confinement. If full disclosure is not possible within that period, they should provide an initial set of information within 24 hours, with the rest to follow within three days.
■ Outline which pieces of information are affected and what measures have been or will be applied by the company.
■ In assessing whether to notify subscribers (ie, by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.
■ Make use of a standardised format (for example an online form that is the same in all EU Member States) for notifying the competent national authority.
The EC said it would be publishing "an indicative list of technological protection measures, such as encryption techniques, which would render the data unintelligible to any person not authorised to see it."
By encrypting the data, the Commission said the "burden" of companies having to inform national authorities about a breach would be lifted, because the subscriber's personal data would apparently be safeguarded.
"Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field," said Kroes.
The new rules have already winged their way through the European Parliament and the European Council, so the regulation does not need to be transposed into national legislation. The Commission added that it will come into force two months after publication in the Official Journal of the European Union.
ISPs in the UK might look on at Kroes' suggestion of encryption with interest, given the current palaver about spooks' internet surveillance in light of PRISM; not to mention the Home Secretary's torpedoed Communications Data Bill, which permitted the security services and the police to access sensitive subscriber data at will. ®