In what can only be described as a moment of madness, a shocking
proposal to change the current breach reporting requirements for public
electronic communications service providers is making its way through
the usual channels within the European Commission.
The significance of this development is hard to
overestimate, as it could affect many more data controllers than just communication
service providers.
This is because the breach reporting rules that currently
apply to service providers are quite pragmatic and have been proposed as a much
more acceptable alternative to the over-engineered proposals that are contained
in the (much criticised) draft General Data Protection Regulation.
Unfortunately, these rules are evidently far too pragmatic
for certain EU officials. So, some bright bods in DG Connect (otherwise known
as the Directorate-General for Communications Networks, Content and Technology)
have proposed that the breach reporting process should be much more onerous.
And, as the proposals in this working document are also cast as a Regulation,
rather than a Directive, it will be much harder for local regulators to
implement them in a way that meets local cultural requirements (or, less
charitably, in a way that can be ignored).
If the current (leaked) draft Regulation is passed, the service
providers (and the regulators) face new requirements that will be overly bureaucratic
while delivering negligible improvements in terms of actually dealing with data
breaches.
A great concern is that, if we are not careful, all data
controllers will be forced to adopt similar breach notification practices should these requirements
be mirrored in the draft General Data Protection Regulation. While the
current GDPR proposals are crazy, these are hardly any better.
Any thoughts of a more sensible approach to breach reporting
should be held in check until this mess has been resolved.
Those that are sufficiently concerned will be dismayed to
learn that the proposals contain strict requirements to harmonise breach
reporting practices across the EU, regardless of whether individual regulators
have the resources (or the inclination) to deal with the incidents that will
have to be reported.
New rules will prescribe what constitutes a personal data
breach, the elements to be taken into consideration whilst assessing adverse
effect, and how notice shall be given to the individuals
affected by a breach. All data breaches will have to be reported to the
regulators, no matter how insignificant. Quite why is anyone’s guess.
There will also be a change in timing. Out goes the (very sensible)
rule to notify regulators "without undue delay", and in
comes an obligation for service providers to notify them "no later than 24 hours"
after the detection of the personal data breach. And there is a further obligation
to update the regulator when the provider has a better understanding of the
breach. Just what the regulator will do between the moment of the initial
notification and the update is anyone’s guess. Not a lot, I’ll be betting.
Regulators will be obliged to provide secure electronic means
for providers to notify personal data breaches in a common format. This is
going to be fun, given the practical difficulties that everyone faces in
developing secure communications channels. I predict that the “security” of
these means will come under regular scrutiny from the hacking fraternity.
Also, the content of the notification forms will be
prescribed – which again will be fun. Anyone fancy entering a sweepstake to guess
how long the form will be?
As a friend who is much closer to the issue than me put it: “In
a nutshell, the proposals seem to entrench some of the provisions which have
attracted substantial criticism in the draft General Data Protection Regulation.”
Whether those working on this proposal have been in touch
with DG Justice, or any of the Parliamentary Committees that have submitted so
many amendments to the breach notification provisions in the draft GDPR, is
anyone’s guess. But, given the current
text of this measure, it’s hard to believe that they have taken account of any
constructive criticism these bodies might have offered.
So what can be done?
First, we need to monitor the progress of this proposal very
carefully. Then, we need to ask how drafts like this can emerge,
despite (according to the text) the Article 29 Working Party having been
formally consulted.
Next, data controllers that are not even service providers
should consider making representations about these measures – otherwise they
might be imposed upon them as a fait accompli.
And finally, all sensible folk need to lobby to ensure that
whatever emerges from this deliberative process is a measure that is fit for
purpose, rather than just destined for the regulatory scrap heap.
It’s daft proposals like this that give the European
Commission a bad name!
Source:
Draft leaked version of COCOM12-25REV2 RegCom N°: D023457/03
If it were not true, this story would have made an ideal
April Fool’s joke. However, the image is the front page of the leaked proposal
as at 9 January 2013. Presumably it won’t be long before Statewatch publishes the
rest of this working document on the internet.