Wednesday, 3 April 2013

Data Breach Notification: Shocking proposals for daft new rules

In what can only be described as a moment of madness, a shocking proposal to change the current breach reporting requirements for public electronic communications service providers is making its way through the usual channels within the European Commission.  

The significance of this development is hard to overstate, as it could affect many more data controllers than just communication service providers. 

This is because the breach reporting rules that currently apply to service providers are quite pragmatic and have been proposed as a much more acceptable alternative to the over-engineered proposals that are contained in the (much criticised) draft General Data Protection Regulation. 

Unfortunately, these rules are evidently far too pragmatic for certain EU officials. So, some bright bods in DG Connect (otherwise known as the Directorate-General for Communications Networks, Content and Technology) have proposed that the breach reporting process should be much more onerous. 

And, as the proposals in this working document are also cast as a Regulation, rather than a Directive, it will be much harder for local regulators to implement them in a way that meets local cultural requirements (or, put less diplomatically, in a way that can be ignored).

If the current (leaked) draft Regulation is passed, the service providers (and the regulators) face new requirements that will be overly bureaucratic while delivering negligible improvements in terms of actually dealing with data breaches.

A great concern is that, if we are not careful, all data controllers will be forced to adopt similar breach notification practices should these requirements be mirrored in the draft General Data Protection Regulation. While the current GDPR proposals are crazy, these are hardly any better.

Any thoughts of a more sensible approach to breach reporting should be held in check until this mess has been resolved.

Those that are sufficiently concerned will be dismayed to learn that the proposals contain strict requirements to harmonise breach reporting practices across the EU, regardless of whether individual regulators have the resources (or the inclination) to deal with the incidents that will have to be reported. 

New rules will prescribe what constitutes a personal data breach, the elements to be taken into consideration when assessing adverse effect, and how notice shall be given to individuals subject to a breach. All data breaches will have to be reported to the regulators, no matter how insignificant. Quite why is anyone’s guess.

There will also be a change in timing. Out goes the (very sensible) rule to notify regulators "without undue delay", and in comes an obligation for service providers to notify them "no later than 24 hours" after the detection of the personal data breach. And there is a further obligation to update the regulator when the provider has a better understanding of the breach. Just what the regulator will do between the moment of the initial notification and the update is anyone’s guess. Not a lot, I’ll be betting.

Regulators will be obliged to provide secure electronic means for providers to notify personal data breaches in a common format. This is going to be fun, given the practical difficulties that everyone faces in developing secure communications channels. I predict that the “security” of these means will come under regular scrutiny from the hacking fraternity.

Also, the content of the notification forms will be prescribed – which again will be fun. Anyone fancy entering a sweepstake to guess how long the form will be? 

As a friend who is much closer to the issue than me put it: “In a nutshell, the proposals seem to entrench some of the provisions which have attracted substantial criticism in the draft General Data Protection Regulation.” 

Whether those working on this proposal have been in touch with DG Justice, or any of the Parliamentary Committees that have submitted so many amendments to the breach notification provisions in the draft GDPR, is anyone’s guess. But, given the current text of this measure, it’s hard to believe that they have taken account of any constructive criticism these bodies might have offered.

So what can be done?

First, we need to monitor the progress of this proposal very carefully. Then, we need to ask how draft standards like this can emerge, despite (according to the text) the Article 29 Working Party having been formally consulted. 

Next, data controllers that are not even service providers should consider making representations about these measures – otherwise they might be imposed upon them as a fait accompli. 

And finally, all sensible folk need to lobby to ensure that whatever emerges from this deliberative process is a measure that is fit for purpose, rather than just destined for the regulatory scrap heap.

It’s daft proposals like this that give the European Commission a bad name!

Draft leaked version of COCOM12-25REV2 RegCom N°: D023457/03
If it were not true, this story would have made an ideal April Fool’s joke. However, the image is the front page of the leaked proposal as at 9 January 2013. Presumably it won’t be long before Statewatch publishes the rest of this working document on the internet.