All data breaches must be made public

European legislators seem to be about to pass a directive that could make it obligatory to disclose data breaches — but not in every case. That selectivity is a mistake, says EU data tsar Peter Hustinx
Written by Peter Hustinx, Contributor

The good news is that Europe's lawmakers want to make it obligatory to disclose data breaches. The bad news is that the law will not apply to everyone. Those exemptions are in no-one's interest, says European privacy tsar Peter Hustinx.

Hardly a day goes by when we do not awake to press reports of security breaches resulting in the loss of thousands, sometimes even millions, of records. Hacked or malfunctioning databases can expose people to identity theft, financial loss and damaged reputation through the disclosure of sensitive information such as credit-card numbers, account details or medical records.

When these breaches occur, affected individuals ought to be notified so they can take the necessary steps. Outside Europe, laws have already been introduced requiring organisations to alert individuals affected by data breaches. These laws encourage companies to invest in security to avoid the bad publicity that could occur when breaches are made public.

Significant consequences
Because of the serious consequences of data breaches, one would hope European legislators would not shy away from adopting a mandatory consumer-notification requirement in the case of breaches that may adversely affect individuals' privacy.

Thus, the proposal to set up a security-breach reporting mechanism put forward by the European Commission and endorsed by the European Parliament and Council, in the context of the review of the EU E-Privacy Directive, should be well received by European citizens and stakeholders in general.

Unfortunately, if the Council and Commission approach prevails, European citizens will be disappointed to learn that the only organisations obliged to disclose breaches would be providers of publicly available electronic communications services.

That restriction means European citizens would only be alerted if their internet access or telephone company suffers security breaches. If their online bank is hacked or its security systems are cracked, enabling the unauthorised access to bank account information, citizens might not be notified.

So, unless the amendments proposed by the European Parliament are adopted by the Council, online banks and other e-businesses would be off the hook.

The reasons that justify the Council and Commission policy of such a limited approach are not entirely clear. The Commission has based its position on legal considerations — that is, the overall scope of the E-Privacy Directive is meant to regulate telecoms and access providers only.

That rationale is undermined by the existence of other sections in the E-Privacy Directive that have a broader application. Given the magnitude of the risks involved and the possibility of reducing them by passing legislation, one would hope that these types of technical legal arguments would not stand in the way of achieving such important policy objectives.

Sensitivity of information
Also, surely the type of information commonly held by banks, e-health and e-commerce providers is at least as sensitive as that which would normally be processed by publicly available electronic communications service providers.

Indeed, individuals are as likely to suffer harm from the undue disclosure of bank-account details as from the disclosure of, for example, their telephone records. Thus, the sensitivity of the information compromised weighs heavily in favour of including e-businesses in the obligation to notify.

Common sense and the overall benefit to European citizens clearly call for the widest possible application of laws requiring organisations that suffer a data breach to alert affected individuals. Such laws should, at a minimum, include e-commerce providers and providers of publicly available electronic communications services.

As the European Commission, Parliament and Council work together to find a compromise solution towards the final adoption of the E-Privacy Directive, I hope that the severe consequences of data breaches would help them make the appropriate choice.

Peter Hustinx is the European data-protection supervisor. His mission is to ensure the protection of people whose data is processed by the European Commission institutions and bodies, as well as to give advice on new legislation with data-protection implications.

Editorial standards