Saturday, 5 February 2011

Your personal data had been stolen online. Wouldn't you like to be notified about that?

There is more and more talk recently about European Commission needing to take more actions to make consumers more secure in the digital world that we are living in. (e.g. read an earlier post on cloud computing: here) We can see the European Commission expresses more interest in regulation of the digital content services or in review of Package Travel Directive which would accommodate consumers buying their holidays online (e.g. read earlier post: here). Moreover, recently it seems that the European Commission would consider harmonisation of European consumer law in Consumer Rights Directive a success if it only improved the confidence of consumers in online transactions (read earlier post: here).

One of the issues that the EU is still struggling against while trying to increase consumers confidence in concluding online transactions, is a problem of data privacy. Many consumers are wary as to the leaks and abuses that might (and do) happen online or the impossibility of deletion of data that had been once entered into the world wide web. In the review of ePrivacy Directive (2002/58/EC) it has been decided that a European data breach notification requirement should be introduced for the electronic communication sector in order to appease the consumers' worries.

The ENISA (European Network and Information Security Agency - the role of that agency is to improve network and information security in EU) had recently released a report in which it reviewed the current situation in order to develop a consistent set of guidelines addressing the technical implementation measures of the data breach notification requirement. It seems that nowadays most Member States have no system that would require the data breach notification to the consumers or to any agency that might protect consumers or the privacy of their data. One can hope that this will change soon due to the new European policy established in the EU Telecoms Reform in November 2009 which is to be implemented by May 2011 (more information on these new rules may be found here). The data breach notification requirement is set for notifying mainly the data protection authorities. However, in case the data breach affects personal data, then the affected consumers should be notified, as well. The ENISA report sets out, inter alia, under what circumstances the consumers should be notified. You may find that report here.

This compliments nicely the public consultation on the privacy of personal data that had just been concluded by the European Commission - which also had been previously mentioned on this blog, see: here.