The European Commission is introducing new rules that define what fixed-line telecom operators, mobile telecom operators and Internet Service Providers should do if their customers’ personal data is lost, stolen or compromised in any way. These rules, described as ‘technical implementing measures’, are designed to ensure consumers are treated similarly across the EU and to make sure businesses can take a pan-European approach to any problems.
Although rules about data breaches have been in place as part of the EU’s ‘Digital Agenda’ since 2011, this new Commission Regulation provides companies with extra clarity and gives customers extra assurances.
Neelie Kroes, Vice President of the European Commission, said “Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field.”
The new regulations require companies that suffer a data breach to:
- Inform the appropriate national authority of the incident within 24 hours using a standardised form. If full disclosure isn’t possible, an initial set of information must be provided followed by full disclosure within three days.
- Outline what information is affected and what measures have been or will be applied by the company.
- Assess whether or not to notify subscribers by ascertaining whether the breach is likely to adversely affect personal data or privacy. For example, companies with encrypted data would not need to notify customers if the data could not be read.
The rules are expected to come into force by the end of the summer. A separate reform of laws protecting personal data has also been proposed by the European Commission.