Kroes, Commissioner for Digital Agenda, proposes a new regulation specifically for consumers. Companies will be required to report possible violations to authorities within 24 hours.
What should happen in the EU when personal information is lost or stolen in the telecommunications sector? How should consumers be protected? These are the questions the European Commission is trying to answer with a proposal for a regulation developed by the European Commissioner for the Digital Agenda, Neelie Kroes. It contains new provisions that tell telecom operators and Internet Service Providers (ISPs) how to behave when their customers' personal data is compromised. The aim of these “technical implementing measures” is to ensure that, in the event of a data breach, all customers receive equal treatment throughout the European Union, and that businesses operating in more than one country can adopt a pan-European approach to the problem. Telecom operators and Internet Service Providers, the EU executive recalls, hold a range of information on their customers, such as name, address and bank details, along with information on telephone calls made and received and websites visited. Since 2011, these companies have been required to comply with a general obligation to inform national authorities and subscribers of personal data breaches. With the regulation presented today, the EU Commission ensures that companies “will fulfill these obligations relying on clarity and customers will have further assurance about the way in which we will take care of their problems.”
In particular, companies must inform the competent national authority of the incident within 24 hours of its detection, so as to limit the consequences as much as possible. If a company cannot provide complete information within that period, it must submit an initial set of information within 24 hours, with the remainder to follow within three days. The company will also be required to disclose what information was compromised and the measures it has implemented or intends to implement. In addition, when considering whether subscribers need to be informed (the criterion being the potential adverse impact of the breach on personal data or privacy), companies must take into account the type of data compromised, in particular, in the telecommunications context, financial information, location data, internet connection files, web browsing histories, data related to electronic mail and detailed lists of calls. Finally, the regulation encourages the use of a standard format for notifying the competent national authority. From today, says Kroes, European citizens are buying under protection. “To protect themselves, if necessary, consumers need to know if their personal data has been compromised, and companies need simplicity: a context of fair conditions that these new measures of concrete character achieve.”