Telecommunication companies and ISPs regularly report incidents in which customers’ personal data is lost, stolen or otherwise compromised. Legislative proposals from the European Commission seek to introduce rules that define how such incidents should be handled.
Clear data protection legislation
The proposal aims to strengthen protection of customer personal data by clarifying the obligations of telecommunication companies and internet service providers. The new rules will harmonise the legislative framework on privacy infringements and ensure that international companies abide by one set of rules.
In cases of data loss or theft, companies will be obliged to inform national authorities within 24 hours, using a standard form. If it is not possible to disclose all details of an incident within 24 hours, companies will have to file a thorough report within three days, detailing the data affected, the measures adopted by the company and whether customers have been informed.
To encourage companies to encrypt personal data, the European Commission has said it will publish a list of technical measures which can be used to protect customer data.
The use of encryption has an advantage for companies: they would be released from the obligation to inform customers about data protection breaches. The European Commission justifies this concession with the argument that in cases of lost encrypted data, customer information is not always visible.